12-24-2008 5:27 AM
Dear Team,
One is my transaction OB52 for opening the FI period. I want only my FICO users to be able to open the FI period. But right now 3 or 4 users can run OB52. But when I go to these users' roles via PFCG, transaction OB52 is not displayed. But they are running OB52.
How do I protect these users from the OB52 transaction?
Thanks
manu
12-24-2008 6:08 AM
Hi Manu,
Many times, when tcodes are entered as ranges directly in the S_TCODE object (for instance O* to S*), they cannot be seen directly in the role. In this case you can find them using report/transaction S_BCE_68001426. Or there are many other options in the SUIM menu to find it out.
Now, if you want to restrict OB52, you have to either alter the S_TCODE range accordingly, for example so that the range terminates at OB51 and starts again from OB53 in the S_TCODE object of the respective roles.
Or you can alter the object S_TABU_DIS such that the users do not have authorization for authorization group FC31 or FB31 (field DIBERCLS). You can check the authorization group for table T001B in table TDDAT, CCLASS field.
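Added example, not part of the original reply: a Python sketch that checks which roles' S_TCODE values cover OB52, including manually entered ranges such as O* to S* that never show up in the PFCG menu, and shows the effect of splitting the range at OB51/OB53. The role names and rows are constructed, and the interval matching is a simplified assumption about how range values compare, so confirm real findings with the SUIM reports mentioned above.

```python
# Constructed sample rows (role, LOW, HIGH) for object S_TCODE.
# Role names are hypothetical; real data would come from a role export.
SAMPLE_ROLES = [
    ("Z_FI_DISPLAY", "FB03", ""),      # single value, also visible in the menu
    ("Z_OBJECT_DRIVEN", "O*", "S*"),   # manual range: silently includes OB52
    ("Z_FIXED_RANGE", "O*", "OB51"),   # corrected role: range ends at OB51 ...
    ("Z_FIXED_RANGE", "OB53", "S*"),   # ... and starts again from OB53
    ("Z_FICO_PERIODS", "OB52", ""),    # the role intended to open FI periods
]

HIGH_PAD = "\uffff"  # sorts after any character used in a transaction code


def value_covers(tcode, low, high=""):
    """Return True if one S_TCODE value (single, pattern or range) covers tcode.

    Assumption (simplified): a trailing '*' is a prefix wildcard, and
    LOW..HIGH is an inclusive, character-wise interval.
    """
    tcode, low, high = tcode.upper(), low.upper(), high.upper()
    if not high:
        if low.endswith("*"):
            return tcode.startswith(low[:-1])
        return tcode == low
    lower = low.rstrip("*")
    upper = high[:-1] + HIGH_PAD if high.endswith("*") else high
    return lower <= tcode <= upper


def roles_granting(tcode, rows):
    """Map each role that covers tcode to the value rows responsible."""
    hits = {}
    for role, low, high in rows:
        if value_covers(tcode, low, high):
            hits.setdefault(role, []).append((low, high))
    return hits


if __name__ == "__main__":
    for role, values in roles_granting("OB52", SAMPLE_ROLES).items():
        print(role, values)
```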
12-27-2008 3:35 PM
pssst..... don't tell the others when the client is open for modification
12-27-2008 5:44 PM
Take a look at the view V_T001B in transaction SOBJ. There is a little check box called "current settings".
There are also some SAP Notes on "OB52 AND current settings".
Cheers,
Julius
12-29-2008 9:20 PM
The reason you are not able to see the t-codes for the other users in their roles is that one of the roles might be an object-driven role, which means t-codes are not defined in the PFCG menu but in the authorizations, by adding S_TCODE manually and inserting t-codes. You have to address this object-driven role to restrict the users from having access.
12-29-2008 9:29 PM
Yes, that is also true.
Perhaps SAP should consider relabelling the field to "Menu Transaction" instead... this would be less misleading.
But as Subramaniam already stated, the tcode (even if hiding those not authorized for Object 1 = S_TCODE value = 'OB52' but still for all the rest required...) is only a general level of protection to the entry point, which is often one of many entry points to the same maintenance view or functionality, often with the same or a very similar effect (changes).
Adding S_TCODE checks to views is, in my opinion, not a progress in improving security. It is a shortcut to hide concept errors.
Cheers,
Julius