
SPRO Display

Former Member
0 Kudos

I would like to have the transaction SPRO display only. I have performed the following:

Added the transaction SPRO under Menu in PFCG and set the following values:

Object      Field       Value
S_PROJECT   PROJECT_ID  *
S_PROJECT   PROJ_CONF   *
S_RFC       ACTVT       16
S_RFC       RFC_NAME    *
S_RFC       RFC_TYPE    *
S_TABU_CLI  CLIIDMAINT  '
S_TABU_DIS  ACTVT       03
S_TABU_DIS  DICBERCLS   *
S_TRANSPRT  TTYPE       Deactivate or remove PIEC and TASK

I am able to enter into SPRO but not able to perform the display functions. When I click, it says you don't have authorisation to perform ........

Then i added authorisation object manually (S_TCODE) and assigned the value " * ".

It works but if i switch the menu to SAP menu and try to execute few transactions like SECR, Create Chart of Accounts, SBWP it works.

I would like to restrict those also.

I wanted to know whether this is the procedure to give the display access for SPRO or is there any other better way.

If anybody is pointing to an answer, please show me the above procedures.

Your help would be appreciated.

Thanks and Regards

Arun R

23 REPLIES 23

mvoros
Active Contributor
0 Kudos

Why didn't you look for the answer on this forum? There are some answers for your questions and also the following link http://www.sap-basis-abap.com/bc/authorization-to-only-display-customizing.htm (it's for a pretty old version)

Former Member
0 Kudos

Thank you for your reply.

I am looking out for a suggestion to find out how it can be achieved rather than saying it is not possible.

Thanks and Regards

Arun R

Former Member
0 Kudos

Like that it won't work.

Cheers,

Julius

jurjen_heeck
Active Contributor
0 Kudos

> I am looking out for a suggestion to find out how it can be achieved rather than saying it is not possible.

As long as you insist SPRO is a single transaction including all underlying functionality you could consider opening a message with SAP demanding a read-only version. The fact that that hasn't been built yet despite great demand (search the forum) may give you a clue.

Asking for specific answers here is against forum rules. Suggesting we're not doing enough for you is an insult.

Former Member
0 Kudos

Hi

Object      Field       Value
S_PROJECT   PROJECT_ID  *
S_PROJECT   PROJ_CONF   *
S_RFC       ACTVT       03
S_RFC       RFC_NAME    *
S_RFC       RFC_TYPE    *
S_TABU_CLI  CLIIDMAINT  *
S_TABU_DIS  ACTVT       03
S_TABU_DIS  DICBERCLS   *
S_TRANSPRT  TTYPE       (Deactivate or remove PIEC and TASK )
S_CODE      REMOVE      SPRO

Regards

Ashok

Former Member
0 Kudos

Hi All

Thanks Guys!!!

Finally I have restricted with some restrictions. We have been getting the below piece of information everywhere:

S_PROJECT   PROJECT_ID  *
S_PROJECT   PROJ_CONF   *
S_RFC       ACTVT       03
S_RFC       RFC_NAME    *
S_RFC       RFC_TYPE    *
S_TABU_CLI  CLIIDMAINT  *
S_TABU_DIS  ACTVT       03
S_TABU_DIS  DICBERCLS   *
S_TRANSPRT  TTYPE       (Deactivate or remove PIEC and TASK )
S_CODE      REMOVE      SPRO

*There is no object by the name S_CODE*

*We can not set the value for S_RFC as 03 for activity coz there is only 16*

Leaving the above two enter the values as suggested.

Then add the object S_TCODE manually and enter these values:

BS, FM, GM, GT, O, SM3, SZG, V_TB

By doing this nearly 90% of the SPRO becomes display.

Try this out and let me know if there is any suggestions.

Thanks and Regards

Arun R

Edited by: Arunachalam Ramanathan on Dec 4, 2008 6:31 PM

Former Member
0 Kudos

Actvt '03' does not exist for S_RFC, so you must have copied & pasted that from some dodgy website on the internet....

Won't work.

Former Member
0 Kudos

Yes, it is not there

Former Member
0 Kudos

Yes... and if your role is built from the menu then you cannot edit it either.....

So is it a * or a what? Or did you extend the tactz ranges?

Cheers,

Julius

Former Member
0 Kudos

The role is built from the menu.

That's why I have added the authorisation object S_TCODE manually. It is not a * but the values as mentioned in my reply.

I didn't mention the range coz it would add some additional access.

Former Member
0 Kudos

> The role is built from the menu.

So the objects you have mentioned above are only the manual ones of a role which is built from the menu....

That tells us nothing, and you have still not explained where the RFC actvt '03' is coming from or how you would possibly have thought of entering such a value when it does not exist nor can you enter it.

> I didn't mention the range coz it would add some additional access.

Hmmmm.... this can be an interesting topic, but I am suspect about how you are building this role and how you are testing it and getting to conclusions like "90% display only".

Can you explain some more please?

Cheers,

Julius

Former Member
0 Kudos

Hi

Please read my replies correctly.

I have nowhere mentioned that the activity value for RFC should be set to 03.

Here are the steps:

1. Enter the transaction SPRO in Menu Tab.

2. Save the role

3. Click on Expert Mode

4. Enter the activity value as 03 - Display

5. Add the authorisation object manually - S_TCODE

6. Enter the values as I listed above

7. Save

8. Generate the role.

-


Here is how I tested it:

This role is granted to the Functional Consultant to test and every module consultant came out with the response that they were able to have only the display access.

Still they are testing it and hence I said 90%

Hope this clarifies your doubts

Former Member
0 Kudos

> I have nowhere mentioned that the activity value for RFC should be set to 03.

Yes you did. Most likely you copy&pasted it...

> Please read my replies correctly.

I read it again, twice.

Sorry to say this, but for the benefit of others who might read this as well and be tempted to believe it... I think you are talking rubbish.

Your posts and conclusion make no coherent sense what-so-ever anymore...

The very first answer (which you dismissed) was probably the closest there was to an answer (in this thread).

Chin up,

Julius

Former Member
0 Kudos

Hi Julius Bussche

Please note the below points:

1. I did not copy and paste from any website. There was a post previously in this thread which had the inputs. I copied from there and pasted it so that every one would know which options are available and which are not.

2. In that below I have highlighted with *.................................* which indicates that they are not there. They are to be omitted.

3. I have also pointed out that leaving these two values enter the values for the corresponding authorisation fields as suggested.

4. After you enter the values and try executing SPRO in the system, you can enter into SPRO main screen but when you hit any customization for display it gives you the authorisation error message.

5. I did change the value for S_TCODE to * by adding the authorisation object manually since SPRO was added in the Menu, we might not be able to edit the object. Hence added the authorisation object S_TCODE and entered the value for the field TCD as * .

6. It works fine but there are couple of other transactions which have the full access like SM50, SM51 which should not be given to the functional consultants as a part of security measures.

7. Hence removed the * from TCD and replaced with SPRO and tested.

8. Noted down the transactions which it called internally when we try to execute the customizations under SPRO. It gave a bunch of authorisation error messages pertaining to transactions.

9. Once again, entered the values for the authorisation object S_TCODE for the field TCD.

I have entered the values in the previous post... The values are BS, FM, GM, O, SM3, SZG, V_TB*.

10. Generated the role. Now the user would have display access only to the required transactions rather than to all the transactions.

11. User would not be able to execute any critical transactions like SM50 or SM51.

Hope you are clear. Please test this out in IDES system and then revert back to me whether I am saying rubbish or is it worth taking it.

Chin up

Arun R

Former Member
0 Kudos

Hi Arun,

Okay, I will try this (again) tomorrow, but I still cannot see how it will work nor how you got actvt '03' into S_RFC.

Sorry for the rubbish comment, but looking at this whole thread and trying to imagine what the role must look like... that was the word which came to mind...

Cheers,

Julius

ps: I will not try this on an IDES system... I will try it on a 7.00 ECC 6.0 system with FI, CO, MM, SD, HR and BW activated. It is also a dual stack system (so ABAP and JAVA systems on the same machine). That might explain the little difference as well...

Edited by: Julius Bussche on Dec 4, 2008 10:36 PM

Former Member
0 Kudos

Hi Julius Bussche

There is a misunderstanding here...

Lot of websites say enter 03 for S_RFC but WE DON'T HAVE THE ACTIVITY 03. WE HAVE ONLY 16.

So I have commented to change that from 03 to 16.

That's why I had requested you to read my responses once again.

Thanks and regards

Arun R

Former Member
0 Kudos

> Lot of websites say enter 03 for S_RFC but WE DON'T HAVE THE ACTIVITY 03. WE HAVE ONLY 16.

Well, that is just one example of where a lot of websites talk a lot of rubbish...

Cheers,

Julius

Former Member
0 Kudos

Hi

You can try it right now itself.. Please let me know your feedback.

We take the websites only for reference rather than adopting it completely.

This post is meant for every one to identify and understand and not follow blindly what the website says.

Thanks and Regards

Arun R

Former Member
0 Kudos

Doesn't work.

Former Member
0 Kudos

Hi

Can you please tell me what you had performed and how did you test it out.

Thanks and Regards

Arun R

Former Member
0 Kudos

The user can remotely submit a report in the system.

The user can remotely start an area menu.

The user can remotely start almost any transaction of their choice.

Which authority for S_PROGRAM does the user have? Some are protected only by S_PROGRAM...

Cheers,

Julius

Former Member
0 Kudos

Hi

We are adding only the SPRO transactions and the authorisation object associated with SPRO is as below:

S_PROJECT   PROJECT_ID  *
S_PROJECT   PROJ_CONF   *
S_RFC       ACTVT       16
S_RFC       RFC_NAME    *
S_RFC       RFC_TYPE    *
S_TABU_CLI  CLIIDMAINT  '
S_TABU_DIS  ACTVT       03
S_TABU_DIS  DICBERCLS   *
S_TRANSPRT  TTYPE       Deactivate or remove PIEC and TASK

S_TCODE - SPRO

S_TCODE - BS, FM, GM, GT, O, SM3, SZG, V_TB

Could you please confirm whether you have entered the above values.

I am not able to find the S_PROGRAM authorisation in the above. Could you please tell me how did you test this out elaborately.

Thanks and Regards

Arun R

Former Member
0 Kudos

> S_RFC ACTVT 16

> S_RFC RFC_NAME *

> S_RFC RFC_TYPE *

Why are you adding this? The user can easily bypass parts of your security.

> S_TCODE- BS, FM, GM, GT, O, SM3, SZG, V_TB

Have you checked all the tcodes in those ranges?

> I am not able to find the S_PROGRAM authorisation in the above.

You mentioned before that the role was built from the menu (i.e. the rest of the authority in this role).

I struggle to believe that this role for a person who needs to display the IMG would have no program authority at all, or not even do maintenance on a variant.

I see that you have closed the thread now. I agree with you that contributing to this any further no longer makes sense.

Have a nice weekend though, and sorry again for the blunt comments above,

Cheers,

Julius
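
Added example (not part of any post in this thread, and not SAP code): a small Python review of the role values posted above, showing which fields are fully wildcarded and which transaction codes the S_TCODE values let a user start beyond SPRO. It assumes the posted TCD values are prefixes with a trailing `*`; the transaction list and the `INTENDED` allow-list are constructed for illustration.

```python
# Role values as posted in the thread: (object, field, value).
ROLE = [
    ("S_PROJECT", "PROJECT_ID", "*"),
    ("S_PROJECT", "PROJ_CONF", "*"),
    ("S_RFC", "ACTVT", "16"),
    ("S_RFC", "RFC_NAME", "*"),
    ("S_RFC", "RFC_TYPE", "*"),
    ("S_TABU_DIS", "ACTVT", "03"),
    ("S_TABU_DIS", "DICBERCLS", "*"),
]

# ASSUMPTION: the S_TCODE values in the thread are prefixes, i.e. generic
# values with a trailing "*" (one post writes "V_TB*").
TCD_VALUES = ["SPRO"] + [p + "*" for p in
                         ("BS", "FM", "GM", "GT", "O", "SM3", "SZG", "V_TB")]

# CONSTRUCTED sample of transaction codes. A real review would use the
# complete list exported from table TSTC of the system under review.
SAMPLE_TCODES = ["SPRO", "SM30", "SM36", "SM37", "SM50", "SM51",
                 "SBWP", "SECR", "OB52"]

# Hypothetical allow-list: what the role owner actually meant to grant.
INTENDED = {"SPRO"}


def tcd_matches(value, tcode):
    """A value ending in '*' matches by prefix; any other value is exact."""
    if value.endswith("*"):
        return tcode.startswith(value[:-1])
    return tcode == value


def full_wildcards(role):
    """Return (object, field) pairs whose value is the full wildcard '*'."""
    return [(obj, field) for obj, field, value in role if value == "*"]


def startable(values, tcodes):
    """Map each transaction the values allow to the values that allow it."""
    hits = {}
    for tcode in tcodes:
        matched = [v for v in values if tcd_matches(v, tcode)]
        if matched:
            hits[tcode] = matched
    return hits


def unintended(values, tcodes, intended):
    """Transactions the role can start that are not on the allow-list."""
    return sorted(t for t in startable(values, tcodes) if t not in intended)


if __name__ == "__main__":
    print("Full wildcards:", full_wildcards(ROLE))
    print("Unintended transactions:", unintended(TCD_VALUES, SAMPLE_TCODES, INTENDED))
```
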