Solved: Assign authorization group to Standard tables

Former Member · ‎05-31-2009

Hi All,

I would like to know if we can assign authorization group to Standard SAP tables. I know that we assign auth groups to SAP tables but I didn't find any official information on SAP sites about this. Can anybody help me with this?

Regards,

Prasad

Former Member · ‎05-31-2009

<copy_and_paste_removed_by_moderator>

Edited by: Julius Bussche on Jun 1, 2009 8:15 AM

Former Member · ‎05-31-2009

<copy_and_paste_removed_by_moderator>

Edited by: Julius Bussche on Jun 1, 2009 8:15 AM

Former Member · ‎05-31-2009

Thanks Rishi for answer.

I have read that page from SAP Help but that does not say anything about Standard SAP table. It can be a custom table. I want to know whether SAP supports assignment of auth groups to Standard SAP tables without authorization groups or do they prefer to keep it as %NC%?

Regards,

Prasad

Former Member · ‎05-31-2009

<copy_and_paste_removed_by_moderator>

Edited by: Julius Bussche on Jun 1, 2009 8:15 AM

Former Member · ‎05-31-2009

Sorry Rishi, but this only talks about security implementation with S_TABU_DIS object. It doesn't say anything about assignment of auth groups to standard tables.

Regards,

Prasad

Former Member · ‎06-01-2009

%NC% means "Not Classified" - so there is no intention to view the data in the table directly via a view.

If you create a view / maintenance dialog for the table(s) or there is one, then it makes sense to assign it to an appropriate authorization group which does not cause a conflict with other tables in the same auth group.

If there is one, it is best to report it to SAP to add the auth group or change it if the reasons are valid.

If the change would not be valid for all customers, SAP gives you the possibility to change the auth group in your own system landscape using SE54 - also those of SAP Standard Tables.

There are even some SAP notes which suggest changing the table group to achieve more granular checks.

Cheers,

Julius

Former Member · ‎06-01-2009

Thanks a lot Julius for answer. Can you pls provide me such note no. or link to any SAP website which says so?

Edited by: Prasad Musale on Jun 1, 2009 12:34 PM

Former Member · ‎06-01-2009

An example would be in [SAP Note 1237762|https://service.sap.com/sap/support/notes/1237762] bullet # 3 - you can maintain the auth group of the hash tables using SE54.

This is not the same as a modification. SAP even provides tools and a concept for customer versions of program auth groups. For tables though, the tools are not as developed so keep a record of what you change or a copy of TDDAT table.

Cheers,

Julius

Former Member · ‎06-01-2009

Thank you very much for information, Julius.

I also got one note 1326850 - TDDAT: Authorization Group missing for PD tables. So now I can conclude that SAP allows assignments of custom auth groups to standard tables.

Best Regards,

Prasad

Former Member · ‎06-01-2009

Another indicator to this is that transaction SUCU is obsolete in higher releases and tells you to use SE54.

So this is SE54 development work (S_DEVELOP and system / client change settings) and should be transported, but an object key from SAP is not required nor is there a namespace check in the view to TDDAT.

Cheers,

Julius