12-10-2008 12:23 PM
Hi all,
Could you explain to me whether it is possible to create a user with sap_all and restrict him on object S_TABU_DIS?
I want the user to have the sap_all profile, but he must not be able to maintain or view tables from HR (e.g. PA0000, PA0001 etc.) via SM30, SE16 or SE16n. Is that possible?
Could you give me instructions step by step how configure it?
I will be grateful.
thanks
Michal
12-10-2008 12:35 PM
12-10-2008 2:36 PM
Hi Michal,
First create a role and copy the SAP_ALL template to it, then look for S_TABU_DIS in that new role and restrict it according to your requirement.
This will give you access to SAP_ALL minus HR data (you cannot view HR tables).
thanks,
Sun
12-10-2008 3:33 PM
Sorry, but it doesn't work that way. The person will still be able to use all the business functionality to view the data, or create their own functionality to do so.
Cheers,
Julius
12-10-2008 4:22 PM
Julius, I guess Sun is bright right --> momentarily at least.
The original post was to restrict -- at the first level, if the user has the access and so forth. Now with Julius' input, the user, though he has the restricted use, can enable himself to have the very same access that was denied. The following example explains:
I have a SAP_ALL with S_TABU restrictions -- I name it here -- SAP_ALMOST_ALL
With my SAP_ALMOST_ALL I assign myself (through SU01) SAP_ALL
Now I have ALMOST_ALL as well as SAP_ALL!
Hope this explains both answers!
12-10-2008 7:51 PM
Yes Julius you are right,
In this case we need to create a proper role or deactivate HR class (module) from the new role and even restrict security and basis Authorizations in this new role.
thanks,
Sun
12-10-2008 7:53 PM
Hi George,
My answer probably won't solve the whole issue, but if we deactivate HR data from the role and restrict access to some of the security authorizations then it will work.
thanks,
Sun
12-10-2008 9:25 PM
Yes, it would, but only till the time the user decides to help himself with what he is lacking!!
12-10-2008 9:41 PM
Latest when the user enters 'PA30' into the ok-code field (= the transaction start window), or runs a report somewhere in the backwaters of the system.
Cheers,
Julius
12-10-2008 6:13 PM
Hi Michal
You can also create a broader authorisation group leaving the HR ones and assign it.
You can test whether this works
Thanks and regards
Arun R
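An added illustration, not part of the original thread: a small audit check that takes a role's authorizations and reports the routes named in the replies above (self-assignment of profiles, HR transactions such as PA30, own development) that remain open even when S_TABU_DIS is restricted. The role contents, the table authorization group "PA" and the function names are constructed assumptions, not data from a real system.

```python
# Added example with constructed role data (not exported from any real system).
# A role is a list of (auth_object, {field: set_of_values}); "*" means full authorization.
ALL = {"*"}

def grants(role, obj, **wanted):
    """True if one authorization for obj covers every requested field value."""
    return any(
        name == obj and all(
            "*" in fields.get(f, set()) or v in fields.get(f, set())
            for f, v in wanted.items())
        for name, fields in role)

def hr_bypass_paths(role, hr_table_group="PA"):  # "PA" is an assumed group name
    """List the ways HR data stays reachable despite the S_TABU_DIS setting."""
    found = []
    if grants(role, "S_TABU_DIS", DICBERCLS=hr_table_group, ACTVT="03"):
        found.append("table_display")      # SM30/SE16 on HR tables still allowed
    if grants(role, "S_USER_GRP", ACTVT="02") and grants(role, "S_USER_PRO", ACTVT="22"):
        found.append("user_admin")         # can change users and assign profiles (SU01)
    if grants(role, "S_TCODE", TCD="PA30") and grants(role, "P_ORGIN", INFTY="0000", AUTHC="R"):
        found.append("hr_transaction")     # business transaction reads the same data
    if grants(role, "S_DEVELOP", OBJTYPE="PROG", ACTVT="02"):
        found.append("development")        # can write a report that reads the tables
    return found

# Constructed: copy of SAP_ALL where only S_TABU_DIS was narrowed to non-HR groups.
SAP_ALMOST_ALL = [
    ("S_TABU_DIS", {"DICBERCLS": {"SS", "SC"}, "ACTVT": {"02", "03"}}),
    ("S_USER_GRP", {"CLASS": ALL, "ACTVT": ALL}),
    ("S_USER_PRO", {"PROFILE": ALL, "ACTVT": ALL}),
    ("S_TCODE", {"TCD": ALL}),
    ("P_ORGIN", {"INFTY": ALL, "SUBTY": ALL, "AUTHC": ALL}),
    ("S_DEVELOP", {"OBJTYPE": ALL, "ACTVT": ALL}),
]

# Constructed: a purpose-built role with table browsing only, no HR, security or development.
NARROW_ROLE = [
    ("S_TABU_DIS", {"DICBERCLS": {"SS", "SC"}, "ACTVT": {"03"}}),
    ("S_TCODE", {"TCD": {"SM30", "SE16"}}),
]

if __name__ == "__main__":
    for label, role in (("SAP_ALMOST_ALL", SAP_ALMOST_ALL), ("NARROW_ROLE", NARROW_ROLE)):
        print(label, hr_bypass_paths(role) or "no bypass path found")
```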