Allowed activities per object?

jurjen_heeck
Active Contributor
0 Kudos

All,

I am in the process of creating objective criteria to check whether roles which are designated to be 'read-only' do not hold any modification rights.

This means I'll at least have to go through all objects with an ACTVT field (as well as objects with CO_ACTION, SPOACT, AUTHC, PPFCODE etc., etc.), quite a daunting task.....

Now the vast majority of activity fields are called ACTVT and the grand total of activities is in table TACT.

Is there any way to determine which activities are allowed/valid for which object, without having to open each object (400+) in SU21?

That knowledge would narrow down my search tremendously.

Thanks in advance!

Jurjen

1 ACCEPTED SOLUTION

Bernhard_SAP
Advisor

Hi Jurjen,

please have a look at table TACTZ.....

b.rgds,

Bernhard

7 REPLIES 7

0 Kudos

Silly me. How could I miss that one.

Oh, well, plenty of other activity fields with names other than ACTVT to go through.....

Thanks so far!

0 Kudos

Hi Jurjen,

I understand that your specific question is answered, but wanted to add a few comments as you appear to be building a prototype for display all role. I have also built a few and there are some "gotchas" to be aware of and some useful tricks. Although we flame these questions when they are asked in a stupid way, there is a real need "in the wild" for it, as the alternatives are worse (in my opinion).

First of all, SAP themselves abolished their own "display all" standard access in release 46C. I assume that one of the reasons for this was release dependency. Such a role would require a regeneration mechanism like SAP_NEW has, and that is not possible without a complete code scan and re-engineering of functionality each time (or some way to extract authorization fields from perfect documentation...).

The bugger is that ACTVT values (and the other "action" type of fields of other objects) on their own are dependent on other fields of the same object which interpret them differently.

For example, single testing a function module (actvt = 16 for object type FUGR of S_DEVELOP) in SE37 etc is different to single testing a program (actvt = 03 for object type PROG of S_DEVELOP) in SE38 which in turn is different to single testing a method in SE24 (if the class is public, then you can access it from anywhere). All of them are "execute" (click on F8)... but execute what?

Other objects only (consistently) offer execute as an ACTVT, and other field values will determine whether it is display or not. S_RFC is an obvious example, but S_C_FUNCT is another where you determine the "action" type of the execute activity by defining the program context for the call and in some cases even the function name which can be called from that program. But for a display role, you would most likely need the object for the role to work...

And then there is S_PROGRAM as well, and variants (which might later run under the contexts of users with more authority) and some obscure values which are not in TACTZ or other check tables / domain ranges which are in the coding somewhere.

As you already mentioned, it is a haunting task. But if you are trying it for experimental purposes or for users who only have this role (e.g. auditors...), then I will be happy to share some of my prototypes with you for specific objects.

But I cannot share an entire role in good conscience (see above

Cheers,

Julius

0 Kudos

Thanks for your comments.

Actually I am not trying to design a role but to build a framework outside of SAP that can help determine whether roles are actually display roles. It will also help in training new role administrators.

I know this framework will need continuous maintenance and can never be foolproof.

I intend to list forbidden activities, forbidden objects and maybe even a list of transactions one wouldn't want to find in a display role. At this point I do not know yet how detailed the list will become....
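
A sketch of the kind of external check discussed in this thread, as an added example that is not part of any post and is not SAP code: it expands wildcards and ranges in a role's ACTVT values against TACTZ-style pairs and flags anything outside a display-only allowlist. The row layout (object, field, low, high), the allowlist, the object Z_DEMO_DOC and all sample data are assumptions made for illustration.

```python
# Constructed sample data; Z_DEMO_DOC is a hypothetical object.
# TACTZ-style pairs: which ACTVT values are valid for which object.
TACTZ = {("Z_DEMO_DOC", a) for a in ("01", "02", "03", "06")} | {
    ("S_DEVELOP", "03"), ("S_DEVELOP", "16")}
DISPLAY_ONLY = {"03"}  # assumed allowlist of read-only activities
# Action fields not named ACTVT (from the thread): TACTZ does not help here.
OTHER_ACTION_FIELDS = {"CO_ACTION", "SPOACT", "AUTHC", "PPFCODE"}
# Objects whose activity meaning depends on other fields (from the thread).
CONTEXT_OBJECTS = {"S_DEVELOP", "S_RFC", "S_C_FUNCT", "S_PROGRAM"}

def expand(obj, low, high, tactz):
    """Resolve '*' and LOW-HIGH ranges against the activities valid for obj."""
    valid = sorted(a for o, a in tactz if o == obj)
    if low == "*":
        return valid or ["*"]  # unknown object: keep the wildcard so it is flagged
    if high:
        return [a for a in valid if low <= a <= high] or [low]
    return [low]

def audit_role(rows, tactz=TACTZ, allowed=DISPLAY_ONLY):
    """rows: (object, field, low, high) tuples. Returns sorted findings."""
    findings = set()
    for obj, field, low, high in rows:
        if field in OTHER_ACTION_FIELDS:
            findings.add((obj, field, low, "review: action field other than ACTVT"))
        if field != "ACTVT":
            continue
        if obj in CONTEXT_OBJECTS:
            findings.add((obj, field, low, "review: meaning depends on other fields"))
        for act in expand(obj, low, high, tactz):
            if (obj, act) not in tactz:
                findings.add((obj, field, act, "value not listed in TACTZ"))
            elif act not in allowed:
                findings.add((obj, field, act, "non-display activity"))
    return sorted(findings)

ROLE_ROWS = [  # constructed role content
    ("Z_DEMO_DOC", "ACTVT", "03", ""),
    ("Z_DEMO_DOC", "ACTVT", "*", ""),
    ("S_DEVELOP", "ACTVT", "16", ""),
    ("S_DEVELOP", "OBJTYPE", "FUGR", ""),
    ("Z_DEMO_DOC", "ACTVT", "99", ""),
]

if __name__ == "__main__":
    for finding in audit_role(ROLE_ROWS):
        print(*finding, sep=" | ")
```

Objects in the context-dependent set are always routed to manual review, even for activity 03, because the thread notes that the same activity value means different things depending on the object's other fields.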

0 Kudos

Sounds interesting!

0 Kudos

Funny to have the same question 14 years later. Answer still appreciated 🙂

0 Kudos

This table contains the total number of activities available for an authorization object, but what if we want only those activities which are allowed for an authorization object in tcode PFCG?

Refer to the screenshots below.

In table TACTZ there are 9 activities in total, but in PFCG only 5 of the 9 are allowed.

I want these 5 allowed activities. Is there any table?
