Dear All,

Thanks for your suggestions. I searched and read through forums but couldn't find anything. Moreover, my functional team insists they've had such role assigned before but cannot give me the basis guy's contact number who did it

Any more ideas please.

regards, Sean.

Thanks Jurjen.

I meant my team had similar requirement fulfilled in another project. I've been in this one since day one

By the way, how can I search for system's change documents?

regards, Sean.

> I meant my team had similar requirement fulfilled in another project. I've been in this one since day one

Was the person's name Caspar?

I used this trick once, although most folks follow either the "build from the bottom" approach with roles based on what the user does need (because often it ends up in production as well....) or the "trust people with SAP_ALL" approach which the first approach sometimes ends up in if you don't do it carefully.

If you search the forum for the term "symbolic table" then you will find an additional trick you can use. You can also go through the code of the table maintenance generator function with an ABAPer to find it.

It looks something like:

SELECT CLASS from TDDAT into wa_tddat WHERE tabname = '&SM31&'.
* Give the customer a chance to exclude super-users... 

But remember that it is "all-or-nothing", and is not 100% bullet-proof against a developer. Probably it is more usefull to isolate the users who can access SPRO, but that is debatable as well whether one should prevent people from displaying the customzing of the system.

The better option is to grant users the correct access and train them to use the correct choice of transaction, so that they do not ask for all sorts of odd transaction codes and objects.

Cheers,

Julius

@Jurjen,

Thanks again for your time. Actually I haven't worked on security much, this is my first E2E implementation. Although I did found the solution, we already are building up a role authorization matrix for production, so that we do not need a shutdown

@Julius,

Thanks for your answer. My issue is resolved using a trick I finally found using * in auth object.

I'd love to explore your suggestion whenever I find time. And I haven't found the Casper guy yet

Thanks to all for your time.

regards, Sean.

PS: We had this requirement for customer core team in sandbox system.

> My issue is resolved using a trick I finally found using * in auth object.

So you have them a display all role by setting all S_TABU_DIS to actvt '03' only and in tcode SPRO_ADMIN you created a dummy project for the whole IMG? But they will still display your customizing based on tables if they can find them - which is why the IMG is a more guided way of finding the correct settings, and not assuming that some table found in SE16 is the correct one because it looks similar...

> I'd love to explore your suggestion whenever I find time. And I haven't found the Casper guy yet

> ...

> PS: We had this requirement for customer core team in sandbox system.

Probably wouldn't work in a Sanbox though. It is like the client settings in SCC4 of that client which would be expected to be open in a sandbox, or easily opened without thinking too much about it. It is just a trick, which makes the system behave as if the client is closed and sets change authority to display only if the user goes via the IMG or parameter transactions of SM30 / SM31 which attempt to enter the customzing in change mode.

Looking at it again this morning, it is quite old and probably not really supported anymore.

Cheers,

Julius