Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Restricting tcode RSA1

Former Member
0 Kudos

Hi Experts!

I am faced with the requirement of restricting tcode RSA1. From my understanding, RSA1 is basically the "BI Admin Control Panel" and as such, calls various other transaction codes and does not have any authorization objects associated with itself.

Has a display RSA1 role been developed before and what is the best way to approach the creation of a display RSA1 role?

Any opinions would greatly help.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Restrict the authorization object S_RS_ADMWB. It has two fields:

- Admin WB object: eg. infoobject, metadata, infoarea etc.

- Activity: 03 for display.

If you are not using the above object you can also control at the level of indvidual WB objects with authorization objects like S_RS_IOBJ for Infoobjects , S_RS_ISOUR for infosource etc.

The best approach could be to use the standard templates provided by SAP for inserting authorizations. Use the template S_RS_ROPAD BW Role: Administrator (Productive System) and adjust it to your liking.

Edited by: Subramaniam Iyer on Jan 15, 2009 9:36 AM

5 REPLIES 5

Former Member
0 Kudos

Restrict the authorization object S_RS_ADMWB. It has two fields:

- Admin WB object: eg. infoobject, metadata, infoarea etc.

- Activity: 03 for display.

If you are not using the above object you can also control at the level of indvidual WB objects with authorization objects like S_RS_IOBJ for Infoobjects , S_RS_ISOUR for infosource etc.

The best approach could be to use the standard templates provided by SAP for inserting authorizations. Use the template S_RS_ROPAD BW Role: Administrator (Productive System) and adjust it to your liking.

Edited by: Subramaniam Iyer on Jan 15, 2009 9:36 AM

0 Kudos

Hi Subramaniam, that is a very helpful answer indeed. I did read somewhere regarding S_RS_ADMWB and will try what you have suggested today. I will get back on whether it has worked or not a little later! Thanks again...

0 Kudos

By adding the tcode RSA1 into the User Menu (thereby adding to S_TCODE) and restricting the Data Warehousing objects S_RS_* to ACTV '03' (Display), I was able to make most of RSA1 display!

My only question is, I still do not understand what S_RS_ADMWB does. I include it and remove it and see no difference. The requirement right now is to allow access to only the Modeling tab in RSA1, meaning I do not want the user to go into Administration, Transport Connection, Documents, etc. I notice that some areas such as Administration could not be accessed by default (which is good), but other sections such as Transport Connection and Metadata Repository can.

Is there any way to disable access to these areas in RSA1 through S_RS_ADMWB or any other way?

0 Kudos

Hi Benjamin,

The object S_RS_ADMWB is the most critical object in admininstration security. It is the first object that is checked when you do anything in the Admin Workbench.

- Without S_RS_ADMWB you cannot execute the tcode RSA1. The first thing that would be checked is S_RS_ADMWB RSADMWBOBJ=WORKBENCH;ACTVT=16;

Also, yes as you mentioned without any further authorizations the user is able to get into the transport connections and documents tab. But to perform any sort of activity in these areas the objects S_CTS_ADMI & S_TRANSPRT would be checked in the transport connection tab and the object S_RS_ADMWB will be checked in the documents tab for eg.:

S_RS_ADMWB RSADMWBOBJ=DOC_META;ACTVT=03

S_RS_ADMWB RSADMWBOBJ=INFOOBJECT;ACTVT=23

But, if you want that the user should not be able to get into or even see the tabs then I so not think it is possible via authorizations.

Regards,

Subbu

0 Kudos

Hi Subramaniam, thanks again for your prompt and detailed response. I now fully understand how this works!