Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Disable an Authorisation object for Multiple roles.

Former Member

‎05-06-2009 6:07 AM

0 Kudos

Hi ,

I need to Disable an authorisation object F_BKPF_BUP for about 345 roles.Is there any way by which we can make mass changes.Doing it for individual role would take a lot of time.kindly advice.

Thanks in advance

5 REPLIES 5

jurjen_heeck
Active Contributor

‎05-06-2009 8:16 AM

0 Kudos

I do not think there is a standard way of doing this.

How many of those roles are derived roles? Because disabling an object in the parent does also take care of all it's derived roles.

Former Member

‎05-06-2009 9:58 AM

0 Kudos

If the authorizations of F_BKPF_BUP are standard / maintained in the roles, then this would make it possible for you to find the transaction(s) which have pulled it into the roles, and then either remove the transaction or (more likely) remove the proposal in SU24 and then just do a "Read old and merge new" in PFCG.

I can sooner imagine a way of mass merging than doing mass deletions or inactivations on roles.

Cheers,

Julius

sdipanjan
Active Contributor

‎05-06-2009 3:59 PM

0 Kudos

Hi,

1. Go to SE16 --> table USOBT_C --> put object F_BKPF_BUP in the field "Object" --> execute without restriction. Download the list of TCodes.

Now go to Table AGR_TCODES --> put the list of TCodes (found with above method) in the field "Extended name" as multiple selection --> execute and download the list of roles.

Look up your list of 345 roles with this list. After matching, you need to sort out the TCodes present in this list of roles which is checking the object F_BKPF_BUP.

2. Now go to SU24.. go to option "Authorization Object" and NOT in the Transaction section.

Put the Object and execute.... go to change mode.... check the proposals for the TCodes you sorted at last step of point 1. Make the proposal Do Not Check where ever it is not so.

Move the Workbench Transport through Landscape. Your purpose will be done. But you should also keep in mind if the TCodes are present in other roles besides of your 345, those will become vulnerable.

Regards,

Dipanjan

jurjen_heeck
Active Contributor
In response to sdipanjan

‎05-06-2009 4:52 PM

0 Kudos

> 2. Now go to SU24.. go to option "Authorization Object" and NOT in the Transaction section.

> Put the Object and execute.... go to change mode.... check the proposals for the TCodes you sorted at last step of point 1. Make the proposal Do Not Check where ever it is not so.

I think OP is trying to achieve exactly the opposite. By disabling the object in the roles you make sure no one is authorized, by disabling the check everybody is authorized.......

Former Member
In response to sdipanjan

‎05-06-2009 9:50 PM

0 Kudos

Dipanjan did mention that those tcodes would become "vulnerable", and to some extent one can restrict the tcode access (including the navigability...).

But tcodes are only a very general level of security which can often, and mostly with ease, be bypassed. This is particularly true if the user already has some transactions in this application area, or variant transactions have been "sold" as secure, which is an urban legend...

Cheers,

Julius