Solved: Not able to restrict User on some tables

Former Member · ‎05-05-2009

Hi All,

I have created a user on SU01 and i have maintained role from pfcg.I have created default profile also.

When I am trying to change roles they are many Authorization Objects list .When i gave full access to this Authorization Objects .

but still in my new user, i am not get access to Execute any table.i can display all tables but not able to execute.I did user comparision also.when i am giving Profile as SAP_ALL its exectuing all tables.

My aim is to restrict the all tables except MM for this user.

Is these Objects i have to change? ( from Forum i got this information)

1.Cross-Client Table Maintenance

2.Table Maintenance (via standard tools such as SM30)

3.Authorization for Organizational Unit

In change role what changes i have to do ? and which Authorization Objects are used to restrict the tables like SD and HR .

Regards,

Madhu

jurjen_heeck · ‎05-05-2009

> 1.Cross-Client Table Maintenance

S_TABU_CLI doesn't look to be neccesary unless the table you want to maintain is cross-client. MM tables generally aren't.

> 2.Table Maintenance (via standard tools such as SM30)

S_TABU_DIS should be filled with the authorization group for the tables you want to allow. see below as well.

> 3.Authorization for Organizational Unit

Which object do you mean here?

> In change role what changes i have to do ? and which Authorization Objects are used to restrict the tables like SD and HR .

You shouldn't think in terms like 'restricting'. SAP security is all about allowing. You want to allow table editing through object S_TABU_DIS by granting activities 01 and 02 for the appropriate authorization group. To find the authorization group you can have a look in table TDDAT, field CCLASS. I suspect you'll need to fill this with "MM".

With which transaction do you want this table maintenance to happen?

jurjen_heeck · ‎05-05-2009

> 1.Cross-Client Table Maintenance

S_TABU_CLI doesn't look to be neccesary unless the table you want to maintain is cross-client. MM tables generally aren't.

> 2.Table Maintenance (via standard tools such as SM30)

S_TABU_DIS should be filled with the authorization group for the tables you want to allow. see below as well.

> 3.Authorization for Organizational Unit

Which object do you mean here?

> In change role what changes i have to do ? and which Authorization Objects are used to restrict the tables like SD and HR .

You shouldn't think in terms like 'restricting'. SAP security is all about allowing. You want to allow table editing through object S_TABU_DIS by granting activities 01 and 02 for the appropriate authorization group. To find the authorization group you can have a look in table TDDAT, field CCLASS. I suspect you'll need to fill this with "MM".

With which transaction do you want this table maintenance to happen?

Former Member · ‎05-05-2009

If i gone through se11 or se16 ..i have to execute only MM tables (Authorisation Group MA) only.For HR and other tables it has to give no authorisation message.This is my requirement.

Madhu

jurjen_heeck · ‎05-05-2009

> If i gone through se11 or se16 ..i have to execute only MM tables (Authorisation Group MA) only.For HR and other tables it has to give no authorisation message.This is my requirement.

In that case you should enter only MA in the field DICBERCLS of object S_TABU_DIS and 02 in the ACTVT field.

Make sure your user does not have any other roles with wider access because, as I said before, it is all about allowing, not about restricting. There is no way you can take away existing rights by adding new roles.

Former Member · ‎05-05-2009

Hi Jurjen Heeck ,

I got the solutions...

Thanks...