Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP_ALL with S_TABU_DIS constraints

Go to solution
Former Member

‎12-10-2008 12:23 PM

0 Kudos

Hi all,

Could you explain me is that possible to create user with sap_all and restrain him to object S_TABU_DIS?

I want that user has sap_all profile but also he can't maintan or view tables from HR (ex. PA0000, PA 00001 etc) via SM30 or SE16 or SE16n. Is that possible?

Could you give me instructions step by step how configure it?

I will be grateful.

thanks

Michal

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎12-10-2008 12:35 PM

0 Kudos

Not possible. You have to build a proper role.

Cheers,

Julius

9 REPLIES 9

Go to solution
Former Member

‎12-10-2008 12:35 PM

0 Kudos

Not possible. You have to build a proper role.

Cheers,

Julius

Go to solution
sreekanth_sunkara
Active Participant

‎12-10-2008 2:36 PM

0 Kudos

Hi Michal,

First create a role and copy SAP_ALL template to it, then look for S_TABU_DIS in that new role and restrict it according to your requirement.

this will give you access to SAP_ALL minus HR data (you cannot view HR tables)

thanks,

Sun

Go to solution
Former Member
In response to sreekanth_sunkara

‎12-10-2008 3:33 PM

0 Kudos

Sorry, but it doesn't work that way. The person will still be able to use all the business functionality to view the data, or create their own functionality to do so.

Cheers,

Julius

Go to solution
Former Member
In response to sreekanth_sunkara

‎12-10-2008 4:22 PM

0 Kudos

Juluius, i guess Sun is bright right --> momentarily atleast.

The original post was to restrict -- at the first level if the user has the access and soforth. now with juluis input the user though has the restricted use he can enable himself to have the very same restriction that was denied. the following example explains ;

I have a SAP_ALL with S_TABU restrictions -- I name it here --SAP_ALMOST_ALL

With my SAP_ALMOST_ALL I assign myself (through SU01 SAP_ALL)

Now I have ALMOST_ALL as well as SAP_ALL !

Hoep this explains both answers !

Go to solution
sreekanth_sunkara
Active Participant
In response to sreekanth_sunkara

‎12-10-2008 7:51 PM

0 Kudos

Yes Julius you are right,

In this case we need to create a proper role or deactivate HR class (module) from the new role and even restrict security and basis Authorizations in this new role.

thanks,

Sun

Go to solution
sreekanth_sunkara
Active Participant
In response to sreekanth_sunkara

‎12-10-2008 7:53 PM

0 Kudos

Hi George,

My answer won't probably solve the whole issue, but if we deactivate HR data from the role and restrict access to some of the security authorization then it will work

thanks,

Sun

Go to solution
Former Member
In response to sreekanth_sunkara

‎12-10-2008 9:25 PM

0 Kudos

Yes It would , but only till the time the user decides to help himself with what he is lacking !!

Go to solution
Former Member
In response to sreekanth_sunkara

‎12-10-2008 9:41 PM

0 Kudos

Latest when the user enters 'PA30' into the ok-code field (= the transaction start window), or runs a report somewhere in the backwaters of the system.

Cheers,

Julius

Go to solution
Former Member

‎12-10-2008 6:13 PM

0 Kudos

Hi Michal

You can also create a broader authorisation group leaving the HR ones and assign it.

You can test whether this works

Thanks and regards

Arun R