02-05-2009 12:28 PM
Hi gurus,
We are using SAP NetWeaver 2004s. There is a new user that I need to create, I have created a role for it as well. However, in this role, I want the user to execute the transaction SM50, but the user shouldn't be able to cancel any of the work processes. How can I do it? Any help would be greatly appreciated.
Regards,
Sree
02-05-2009 12:49 PM
Does the trace not work in your system?
Anyway, forget about the tcode....
What you are looking for is:
FORM AUTH_CHECK USING UCOMM AUTH_ERR.
AUTH_ERR = 0.
IF ( UCOMM <> 'END' ) AND
( UCOMM <> 'BACK' ) AND
( UCOMM <> 'ABBR' ) AND
( UCOMM <> 'WPDI' ) AND
( UCOMM <> 'CPU' ) AND
( UCOMM <> 'USER' ) AND
( UCOMM <> 'REFR' ).
AUTHORITY-CHECK OBJECT 'S_ADMI_FCD'
ID 'S_ADMI_FCD' FIELD 'PADM'.
IF SY-SUBRC <> 0.
MESSAGE S433.
AUTH_ERR = 1.
ENDIF.
ENDIF.
ENDFORM. "AUTH_CHECK
Cheers,
Julius
02-05-2009 12:49 PM
Does the trace not work in your system?
Anyway, forget about the tcode....
What you are looking for is:
FORM AUTH_CHECK USING UCOMM AUTH_ERR.
AUTH_ERR = 0.
IF ( UCOMM <> 'END' ) AND
( UCOMM <> 'BACK' ) AND
( UCOMM <> 'ABBR' ) AND
( UCOMM <> 'WPDI' ) AND
( UCOMM <> 'CPU' ) AND
( UCOMM <> 'USER' ) AND
( UCOMM <> 'REFR' ).
AUTHORITY-CHECK OBJECT 'S_ADMI_FCD'
ID 'S_ADMI_FCD' FIELD 'PADM'.
IF SY-SUBRC <> 0.
MESSAGE S433.
AUTH_ERR = 1.
ENDIF.
ENDIF.
ENDFORM. "AUTH_CHECK
Cheers,
Julius
02-09-2009 10:17 AM
Dude,
Thanks for the reply, however, I didn't really get what was that all about. The code that you gave, I was not able to make out as to how am I suppose to use that code. So I figured out my own way out of this. When you create a role using PFCG transaction, do not use SAP_ALL profile. Add the transaction SM50 manually in the Auth object S_TCODE, Then Use the Authorization class AAAB which take care of all the Cross Application Authorization objects, and add an auth object S_SPI_AUTH. Add 03 in the Activity with which you can only display the Work processes.
Anyways I atleast appreciate you replying.
Thanks for you help...
Regards,
Sreekul Nair.
02-09-2009 11:17 AM
You don't need to use that code, the system uses it when you try to perform "process administration functions" in the system.
So, by not granting authority for the object checked in the standard coding above, your user would not be able to perform this function regardless of their tcode.
Generally, it is better to use the menu and set objects to "Inactive" (or tweak SU24) than to insert manual authorization instances. This way, other people will understand what you have done and why.
Cheers,
Julius
02-09-2009 12:34 PM
Dude,
you're name should Indeed be Genius, than Julius....
Thankz for the reply, you ought to get more points..
bye.
Take care...
Sreekul nair.
02-09-2009 8:47 PM
Actually, I prefer "Guru"...
So how did you solve it? I thought we were just getting started...
Cheers,
Julius