Custom TCODE-Auth Object Assignment

Former Member
0 Kudos

Hello All- I see a very weird thing with custom TCODE assignment, here is what I see:

1) We have a Display role which has all functions' tcodes in it, which goes to everyone on PRD.

2) Usually we assign custom tcodes which are not critical to this role, and this custom tcode would have no auth objects assigned or checked during access.

3) When I assign the custom tcode to a test role, I see it's not pulling auth objects in PFCG, which is what I expected.

***4) However, when I assign this custom tcode to the 'Display role', which has many standard tcodes in it, I see many of the auth objects' "lights turning into Yellow" (as you know, it's asking me to maintain value).

5) I checked in SU24/SU22 to see if it's pulling any auth objects...no objects are tied to this tcode.

I don't know why this is happening?

Again, if I assign it to the test role, no objects are showing up in PFCG, which is what I want!

Any suggestions on how to handle this issue? I will really appreciate your thoughts.

Thanks,

AJ

1 ACCEPTED SOLUTION

sdipanjan
Active Contributor
0 Kudos

> Hello All- I see a very weird thing with custom TCODE assignment, here is what I see:
>
> ***4) However, when I assign this custom tcode to the 'Display role', which has many standard tcodes in it, I see many of the auth objects' "lights turning into Yellow" (as you know, it's asking me to maintain value).
>
> 5) I checked in SU24/SU22 to see if it's pulling any auth objects...no objects are tied to this tcode.
>
> I don't know why this is happening?
>
> Again, if I assign it to the test role, no objects are showing up in PFCG, which is what I want!

This is happening not because of the Custom TCodes you have added. The reason is one of the following:

1. In previous cases, when some other TCodes (SAP Standard) were added, the profile regeneration was not carried out by entering Authorization data through "Expert Mode for Profile Generation" (or it was used with the option "Edit Old Status" only). Instead, "Change Authorization Data" was used. And thus the Object proposals for New entries in the Menu were not pulled into Profile Generator at that time. Now they are coming. Surely you entered with Expert Mode for Profile Generation --> Read Old status and Merge with New data.

2. Another option can be: earlier, some Objects which were present there only with "Standard" status were changed. It should have been done by copying the Object and changing the copied one, then making the standard one "Inactive".

3. The Inactive Object described in the 2nd point has been Deleted and only the object with status "Changed" is left. Now when you are entering with "Expert Mode for Profile Generation", it's pulling those standard proposals again.

Let me know if the probable reasons for the Yellow traffic lights are clear to you or if you need more details.

Regards,

Dipanjan

4 REPLIES

Former Member

> 1) We have a Display role which has all functions' tcodes in it, which goes to everyone on PRD.

Design error...

> 3) When I assign the custom tcode to a test role, I see it's not pulling auth objects in PFCG, which is what I expected.

Also design error...

... in your concept!

You should use a careful choice of transactions to derive authority from the menu of the role.

Creating a "Display all role for all functions and for all users" is the single biggest security design error you can make in an authorization concept.

Probably you will next be asking for S_TCODE checks at every 3rd line of code in the system...

And after that you will start locking tcodes in SM01...

Foolish...

0 Kudos

Julius - I agree with you, our roles have many design issues and these roles were created years ago with little security experience. Now that the Display role has grown big and most of the business roles share auth. from this role, it's getting really hard for me to break it, as users are getting impacted with auth.

I think Dipanjan is correct in his thoughts too. I think I should do some more testing on his thoughts to see what I am missing.

I will get back to you guys with my testing result and questions.

former_member701183
Active Participant
0 Kudos

Hi,

Either you change the role design as mentioned by Julius, or check whether the auth objects that are being pulled into the system are new objects or repetitions of the already present authorization objects. I am sure the new objects that are pulled in are repetitions, and hence just inactivate and delete those objects. It won't create a problem. Please check and let me know if there is any issue.

Regards

Aveek.