06-04-2009 6:59 AM
Dear All,
We are facing a problem in our implementation. We have developed a Custom Program and in that we are using a BDC of Transaction FB60. However, the requirement is that if the user wants to run T.Code FB60 from SAP GUI straightaway, he/she should be stopped from doing it. But if he/she uses that Custom Program (Z-Program), it should not stop them.
Does anybody have the idea as to how the Authorization strategy can be devised for this kind of issue?
Thanks,
Shalin Shah
06-04-2009 7:22 AM
Hi Shalin,
Don't assign the user the transaction code FB60 (S_TCODE should not have FB60). This will prevent the user from running FB60 directly; however, you will have to add the required authorization objects manually so that the BDC program runs. (A quick authorization trace (ST01) would give you the auth objects checked.)
SU24 for FB60: these should be added manually to the user's roles.
F_BKPF_BEK
F_BKPF_BES
F_BKPF_BLA
F_BKPF_BUK
F_BKPF_GSB
F_BKPF_KOA
F_FAGL_SEG
Cheers !!
Zaheer
06-05-2009 3:24 PM
Hi Zaheer,
Can you explain how you found the authorization checks mentioned for the transaction FB60? Please provide me the steps if possible.
Shalin,
Zaheer's steps are fine. Also try removing the authorization FB60 for that particular user, then run the program in the user's login, find the failing authorization values using SU53, and assign them to the user. Hope this will help you.
Regards,
Venki
06-05-2009 3:47 PM
@Venki : That was just the SU24 dump for the transaction FB60.
@Shalin : I re-read your question. It seems like users have roles assigned to them which allow them to use the Z program (BDC) for FB60. In that case you can take some screenshots/snaps of the existing role, remove the FB60 transaction, and then manually add back the auth objects removed because of the FB60 removal. So you will not have to reinvent the wheel...
Cheers !!
Zaheer