
Protect from Opening FI period

Former Member
0 Kudos

Dear Team,

I have transaction OB52 for opening FI periods. I want only my FICO users to be able to open FI periods. But right now 3 or 4 users can run OB52. When I go to these users' roles via PFCG, transaction OB52 is not displayed, but they are running OB52.

How do I protect transaction OB52 from these users?

Thanks

manu

1 ACCEPTED SOLUTION

Former Member
0 Kudos

The reason you are not able to see the t-codes for the other users in their roles is that one of the roles might be an object-driven role, which means t-codes are not defined in the PFCG menu but in the authorizations, by adding S_TCODE manually and inserting t-codes. You have to address this object-driven role to restrict the users from having access.

5 REPLIES 5

Former Member
0 Kudos

Hi Manu,

Many times, when tcodes are entered as ranges directly in the S_TCODE object (for instance O* to S*), they cannot be seen directly in the role. In this case you can find them using report/transaction S_BCE_68001426. There are also many other options in the SUIM menu to find this out.

Now, if you want to restrict OB52, you have to either alter the S_TCODE range accordingly, for example so that the range terminates at OB51 and starts again from OB53, in the S_TCODE object of the respective roles.

Or you can alter the object S_TABU_DIS such that the users do not have authorization for authorization group FC31 or FB31 (field DIBERCLS). You can check the authorization group for table T001B in table TDDAT, CCLASS field.
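An added example, not part of the original posts: a small audit over exported role authorization values that reports which roles grant a transaction through S_TCODE single values, trailing wildcards or from-to ranges such as O* to S*. The role names, the row layout and the simplified range comparison are assumptions made for illustration.

```python
# Constructed sample rows: (role, auth object, field, low, high).
# Role names and this row layout are hypothetical, not from the thread.
SAMPLE_ROWS = [
    ("Z_FI_PERIOD_ADMIN", "S_TCODE", "TCD", "OB52", ""),
    ("Z_BASIS_WIDE", "S_TCODE", "TCD", "O*", "S*"),      # hides OB52 in a range
    ("Z_FI_SPLIT", "S_TCODE", "TCD", "O*", "OB51"),      # range stops at OB51
    ("Z_FI_SPLIT", "S_TCODE", "TCD", "OB53", "S*"),      # and resumes at OB53
    ("Z_MM_BUYER", "S_TCODE", "TCD", "ME2*", ""),
    ("Z_TABLE_MAINT", "S_TABU_DIS", "ACTVT", "02", ""),  # other object, ignored
]


def covers(tcode, low, high=""):
    """Return True if the value low (or the range low..high) includes tcode.

    Assumption: a simplified model of value matching. A trailing '*' is a
    prefix wildcard and ranges are compared as plain uppercase strings.
    """
    tcode, low, high = tcode.upper(), low.upper(), high.upper()
    if not high:
        if low.endswith("*"):
            return tcode.startswith(low[:-1])
        return tcode == low
    lower = low.rstrip("*")
    # 'S*' as an upper bound means "everything starting with S".
    upper = high[:-1] + "\uffff" if high.endswith("*") else high
    return lower <= tcode <= upper


def roles_granting(tcode, rows):
    """List (role, matching value) pairs whose S_TCODE values include tcode."""
    hits = []
    for role, obj, field, low, high in rows:
        if obj != "S_TCODE" or field != "TCD":
            continue
        if covers(tcode, low, high):
            hits.append((role, f"{low}..{high}" if high else low))
    return sorted(hits)


if __name__ == "__main__":
    for role, value in roles_granting("OB52", SAMPLE_ROWS):
        print(f"{role}: OB52 granted by S_TCODE value {value}")
```

A role that appears only through a range or wildcard is the kind the PFCG menu does not show.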

Former Member
0 Kudos

pssst..... don't tell the others when the client is open for modification

0 Kudos

Take a look at the view V_T001B in transaction SOBJ. There is a little check box called "current settings".

There are also some SAP Notes on "OB52 AND current settings".

Cheers,

Julius

Former Member
0 Kudos

The reason you are not able to see the t-codes for the other users in their roles is that one of the roles might be an object-driven role, which means t-codes are not defined in the PFCG menu but in the authorizations, by adding S_TCODE manually and inserting t-codes. You have to address this object-driven role to restrict the users from having access.

0 Kudos

Yes, that is also true.

Perhaps SAP should consider relabelling the field to "Menu Transaction" instead... this would be less misleading.

But as Subramaniam already stated, the tcode (even if hiding those not authorized for Object 1 = S_TCODE value = 'OB52' but still for all the rest required...) is only a general level of protection to the entry point, which is often one of many entry points to the same maintenance view or functionality, often with the same or a very similar effect (changes).

Adding S_TCODE checks to views is, in my opinion, not progress in improving security. It is a shortcut to hide concept errors.

Cheers,

Julius