Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

destrict access to SQ01

Go to solution
Former Member

‎09-25-2008 3:13 PM

0 Kudos

Hello Gurus ,

I would like some help with restraining access to users that have Tx SQ01.

I know there are two ways to do this :

1. With authorization objects

2. With user groups in SQ03.

Allthough i created user groups , in SQ01 i have still the option to go over

SQ01> Edit>Other user groups and choose a different user group. This is probably because i have more rights . How can i be sure , or better deactivate this option to a user that is using SQ01 so he can execute, create Queries only within a limited SAP area with the infosets that are assigned to his user group ?

Regards,

David (SAP Basis)

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎09-25-2008 3:40 PM

0 Kudos

Hi David,

Check for the values of the auth.obj S_QUERY in the user's profile.

Remove the activity 23 from the auth.obj S_QUERY and then chk if this is restricting the user to create Queries only within a limited SAP area with the infosets that are assigned to his user group.

Thanks,

Saby..

5 REPLIES 5

Go to solution
Former Member

‎09-25-2008 3:40 PM

0 Kudos

Hi David,

Check for the values of the auth.obj S_QUERY in the user's profile.

Remove the activity 23 from the auth.obj S_QUERY and then chk if this is restricting the user to create Queries only within a limited SAP area with the infosets that are assigned to his user group.

Thanks,

Saby..

Go to solution
Former Member
In response to Former Member

‎09-26-2008 2:02 PM

0 Kudos

Thank you Saby ,

i did a test with removing the activity 23 and it worked for a user only with couple of roles . If a user has more roles -->more authorization , that he can access infosets that are not in his user group .

Is there another way to delimit the infosets with an additional auth.object in the role ?

Alternative solution would be a Firefighter with only the role thats needed for SQ01.

regards,

david

Go to solution
jurjen_heeck
Active Contributor
In response to Former Member

‎09-26-2008 2:13 PM

0 Kudos

> If a user has more roles -->more authorization , that he can access infosets that are not in his user group .

> Is there another way to delimit the infosets with an additional auth.object in the role ?

This is expected behaviour. SAP security is about allowing things, not denying. You'll have to go through your other roles and take out the unwanted authorizations to solve your issue. I'm quite sure there are no shortcuts.

Go to solution
Former Member
In response to Former Member

‎10-02-2008 11:07 AM

0 Kudos

Like Jurjen said, Securtiy SAP is not about denying but granting access carefully.

Many user perform daily reporting combining different criteria and queries are to ease their their life

You can give access only to SQ01 and deactivate S_QUERY.

Then assign the users to to particular query user groups using SQ03 so that they may have access to execute queries which they actually need.

When the users execute SQ01, they can see the queries for which they are authorized.

This is a two forked advantage.You prohibit change access in SQ01 at the same granting access to queries which the user needs for reporting on display.

And if you are speaking of production environments, then there is no danger of user creating a query via SQ01 as the prd client is normally closed for changes!

Regards

Deepa

Go to solution
former_member248712
Active Participant

‎09-25-2008 4:54 PM

0 Kudos 
 This is probably because i have more rights .

You may create a test user and assign limited roles just for testing.

AB