Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP tables with &NC& Auth Group.

Former Member

‎03-06-2009 9:46 PM

0 Kudos

In SAP there are about 7000 plus tables with &NC& Auth Group.

Are all these tables not financial relevant.

What is the impact if we change these tables auth group to custom auth groups?

7 REPLIES 7

Former Member

‎03-06-2009 10:32 PM

0 Kudos

Financial relevance I cannot say and I would guess that you wont find out without doing the hard of analysing work but an initial pointer is that SAP put sensitive tables in groups for this very reason so for example FC31 contains some financial critical tables, they would not be in &NC&.

If you change the table groups you will need to update any authorisations which are relative, for example if a program is checking S_TABU_DIS for Table ABCD123 and its auth group is Z123 then that person needs this authorisation in their profile/role.

Ash

Former Member

‎03-06-2009 11:59 PM

0 Kudos

On their own they might not be finance relevant, but might even be system relevent for that matter.

&NC& means "Not Classified" hich should be understood as "no intention to display and or change them from the application layer" as their single fields on their own are not usefull or inconsistent.

The bugger is that if developers don't understand this and security folks don't respect it, then because of one single table you might open access to all other unclassified tables (depending on how they are designed in the Data Dictionary and how they are accessed).

I have seldom seen a SAP system which got this right, primarily because of the developers (also the ones from SAP).

Yes, you can change the groups is SE54. But report it to SAP and keep track of which SP level introduces the new check value. Try to obtain that information from them in advance if you need to, and check that it is conceptually consistent with your concept (minimum requirement is that it should not be conceptually inconsistent with other SAP standard concepts).

If this is a topic for you and delivery classes also play a role, then also search OSS for the term "Current Settings". These give you more options - for specific objects.

Cheers,

Julius

Former Member

‎03-09-2009 6:55 PM

0 Kudos

Hi,

Changing the SAP default tables to some other authorization group may even unstable the system. Better way is not do any changes to it, If there are any new customer tables (z tables) please create new authorization groups and add them to the respective ones.

Regards,

Gowrinadh C

Former Member
In response to Former Member

‎03-10-2009 10:50 AM

0 Kudos

> Changing the SAP default tables to some other authorization group may even unstable the system.

Can you please point me to a reliable source where you have this information from?

To me this sounds like an urban legend.

Cheers,

Julius

Former Member
In response to Former Member

‎03-10-2009 2:12 PM

0 Kudos

Julius

good question, The ONLY purpose for SAP Authorisation Groups for tables is to limit access in S_TABU_DIS

So do not listen to horror stories and assign or reassign the authorisation groups to tables as you like and control table access that way in your roles!

There is only one rule in this part of the Game never give access to &NC&

Former Member
In response to Former Member

‎03-10-2009 4:07 PM

0 Kudos

In our implementation we have changed auth groups from &NC& to other values, and it didn't had any impact on stability. However, we were able to restrict many tables.

I agree, &NC& should be avoided in roles (field value)

Cheers !!

Zaheer

Former Member
In response to Former Member

‎03-11-2009 9:05 AM

0 Kudos

Hi all,

thanks for letting me know.

Regards,

Gowrinadh