
Adding tcode to role in display access.

Former Member
0 Kudos

Hello,

Please can someone suggest how we can add transaction codes to an SAP role with only display access?

That means users should have only display access when they execute that transaction. Please suggest.

Thanks.

14 REPLIES 14

Former Member
0 Kudos

Hi,

Can you be more specific: which transaction code are you adding to the role?

PS: ACTVT field = 03 is display activity.

Cheers !!

Zaheer

0 Kudos

Thanks for the reply!

I am trying to add the OYK9 transaction. I know that activity level 03 describes the 'display' property in Authorization data. But for which auth object or object class do we have to define ACTVT as display (03)?

I also checked the 'check indicator' for the OYK9 tx in SU24 as well; it only lists auth object S_TCODE.

0 Kudos

> I also checked the 'check indicator' for the OYK9 tx in SU24 as well; it only lists auth object S_TCODE.

That may mean this transaction is meant for editing reasons and doesn't have a display-only setting. I do not have a system at hand right now. What is the English text (from table TSTCT) for OYK9?

What you can do is start a system trace and run the transaction to see if more authority-checks are performed than the one(s) listed in SU24. After all, the checks programmed into the source code are leading for the behaviour.

0 Kudos

> That may mean this transaction is meant for editing reasons and doesn't have a display-only setting.

I am pretty sure this is a customizing transaction, and it sounds as if it forces (or attempts to) open the maintenance dialog in edit mode, but expects the user to have their edit authority from a different transaction or the dicbercls (s_tabu_dis) of a specific customizing area.

There is nothing wrong with that. Find the table class and check it. Add it with display activity to SU24 (so this tcode on its own! will also add display access).

The forced edit parameter will fail, and the system will default to display automatically (but will inform you).

Cheers,

Julius

0 Kudos

Hi Adnan,

Are you sure about the tcode OYK9...I could not find any such tcode existing in the system.

0 Kudos

I would like to add the following tcodes in display access. In all the tcodes only auth object present is S_TCODE.

OKY9

OKYA

OKY0

OKKM

OKK6

OKK5

OKG6

Please suggest.

0 Kudos

>

> I would like to add the following tcodes in display access. In all the tcodes only auth object present is S_TCODE.

>

> OKY9

> OKYA

> OKY0

> OKKM

> OKK6

> OKK5

> OKG6

>

> Please suggest.

I suggest that you run an authorisation trace to see what objects those transactions reference.

Create a role with those transactions and objects in display only mode. Then get a functional consultant to negative test those roles.

Don't assign with other roles which give change access to the auth objects you have restricted.

0 Kudos

Hi Adnan,

OKY9 is a transaction to maintain a customizing table. You can restrict it with authorization object S_TABU_DIS ACTVT=03;DICBERCLS=KKK;

Similarly you need to find the authgroup for the tables maintained by other tcodes and add them in the user roles in a similar fashion.

0 Kudos

Thanks for the reply!

Please could you mention how we can maintain DICBERCLS=KKK; as I think it's not present in Auth data in PFCG.

Also how to find the authgroup for the tables maintained by other tcodes.

I am a little bit new to this field. Please help.

Adnan

0 Kudos

You will have to manually add the object S_TABU_DIS with ACTVT as 03 and DICBERCLS as KK to the roles, in the authorization tab of PFCG, using the "Manually" button.

You may have to find out the tables for the other tcodes. Then you can find out the authorization group assigned to these tables in table TDDAT, which gives the assignment of authorization group (DICBERCLS), field CCLASS, to tables.

0 Kudos

Thanks for the quick answer. The issue seems to be clear now. I will try the same thing tomorrow.

Last question is: how can we find the following: "You may have to find out the tables for the other tcodes".

I mean, how did you find the table for tcode OKY9?

0 Kudos

Hi Adnan,

Ask the user to run the tcode while you run system trace ST01, and you will get the value for DICBERCLS for all tcodes. Else, ask your functional consultant to give you the table names for all the tcodes.

0 Kudos

Hello Adnan,

Just to help you further: you can find the table name by executing the tcode, say OKY0, then clicking on any one field and pressing F1. Select the technical info button and you can find the table name in the "Generated view s" field.

In your case anyway KKK is the value for DICBERCLS for all tcodes, but I recommend finding it out yourself.

0 Kudos

> The forced edit parameter will fail, and the system will default to display automatically (but will inform you).

If you already know the name of the tcode, then you can see these parameters and the name of the view in transaction SE93.

To reverse it (find the tcode from the value) go via table TSTCP (parameter transactions) and search for the view name there, and then see with which parameters the maintenance view is called and what the view checks and views from the data objects.

Cheers,

Julius
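
Added example, not part of any post in this thread: a Python sketch of the lookup chain the replies describe (TSTCP parameter string, then the maintenance view, then the TDDAT authorization group, then a display-only S_TABU_DIS entry). The rows are constructed placeholders shaped like SE16 exports; the tcodes, view names and the `/*SM30 VIEWNAME=...;UPDATE=X;` parameter layout are assumptions to check against SE93 in your own system.

```python
import re

# Constructed sample rows (placeholders, not real SAP objects), shaped like
# SE16 exports of TSTCP (parameter transactions) and TDDAT (auth groups).
TSTCP_ROWS = [
    {"TCODE": "ZDEMO_A", "PARAM": "/*SM30 VIEWNAME=ZV_DEMO_A;UPDATE=X;"},
    {"TCODE": "ZDEMO_B", "PARAM": "/NSM30 VIEWNAME=ZV_DEMO_B;"},
    {"TCODE": "ZDEMO_C", "PARAM": "/*SM30 VIEWNAME=ZV_DEMO_C;UPDATE=X;"},
    {"TCODE": "ZDEMO_D", "PARAM": "/*SE16 DATABROWSE-TABLENAME=ZT_DEMO;"},
]
TDDAT_ROWS = [
    {"TABNAME": "ZV_DEMO_A", "CCLASS": "KKK"},
    {"TABNAME": "ZV_DEMO_B", "CCLASS": "ZGRP"},
    # ZV_DEMO_C deliberately has no TDDAT entry.
]

def parse_param(param):
    """Split a TSTCP PARAM string into (called tcode, {screen field: value})."""
    m = re.match(r"/[*N](\S+)\s*(.*)", param)
    if not m:
        return None, {}
    pairs = (p.split("=", 1) for p in m.group(2).split(";") if "=" in p)
    return m.group(1), {k.strip().upper(): v.strip() for k, v in pairs}

def display_auths(tstcp_rows, tddat_rows):
    """Map each SM30-based tcode to the S_TABU_DIS values for display access."""
    groups = {r["TABNAME"]: r["CCLASS"] for r in tddat_rows}
    result = {}
    for row in tstcp_rows:
        called, fields = parse_param(row["PARAM"])
        view = fields.get("VIEWNAME")
        if called != "SM30" or not view:
            continue  # not a view-maintenance parameter transaction
        # A table or view with no group assigned is checked against &NC&.
        group = groups.get(view) or "&NC&"
        result[row["TCODE"]] = {
            "view": view,
            # UPDATE=X is the forced edit parameter; with ACTVT 03 only,
            # the thread says the dialog falls back to display.
            "forces_edit": fields.get("UPDATE") == "X",
            "S_TABU_DIS": {"ACTVT": "03", "DICBERCLS": group},
        }
    return result

if __name__ == "__main__":
    for tcode, info in display_auths(TSTCP_ROWS, TDDAT_ROWS).items():
        print(tcode, info)
```

The derived values are a starting point for the role; the trace and negative test suggested in the replies remain the way to confirm what the transaction actually checks.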