Solved: Restricting transactions

Former Member · ‎12-10-2009

We have list of Z Transaction codes(customized) for various modules in SAP R/3.

These customized transaction are either of the following:

1)Z transaction calling a Z program. OR

2)Z transaction which is customized SM30 tx for a particular table (build using se93)

3)Z transaction which is customized SE16 tx for a particular table (build using se93)

Also there are more than one company codes maintained.

Some of these z transaction are common to all the company codes.

So some of these Z transaction show data related to all company codes.

Requirement is ensure that when any USER executes common Z transaction , USER should only allowed access the data of company code the user belongs..

Please let me the approach to achieve the same.

Former Member · ‎12-14-2009

Hi,

we have been solved the problem like yours in our company on the beginning of going live several years ago.

our solution is :

- ABAP create Z-program (should be done on your side), in example ZTEST

- BASIS create Z-authorization object via SU21, containing BUKRS field. another field may ACTVT to limit specific activity for particular user. in example Z_BUKRS with field ACTVT and BUKRS.

- ask ABAP to insert our new Z-authorization object on their program, so that everytime Z-program is executed, Z-programs (ZTEST) will automatically check value from Z-authorization object (Z_BUKRS).

- from transaction SU24, make a mapping between Z-program (in this example ZTEST) and Z-authorization object (in this example Z_BUKRS), so that everytime you attach this Z-program (ZTEST) to a role, Z-authorization object (Z_BUKRS) will automatically loaded in PFCG (you don't need to "add manually")

- maintain permissible value on PFCG as usual.

hope it help you,

rgds,

Alfonsus Guritno

Former Member · ‎12-10-2009

Most folks start a BW project sooner of later...

Former Member · ‎12-10-2009

Hi Ajit,

You can ask a developer to make the Z program such that it searches for the company code at run time.

It will then show the data for the company codes the user has access to and for other records it will show no authorizations.

You got to have the check in the program.

Rajesh

Former Member · ‎12-14-2009

Hi,

we have been solved the problem like yours in our company on the beginning of going live several years ago.

our solution is :

- ABAP create Z-program (should be done on your side), in example ZTEST

- BASIS create Z-authorization object via SU21, containing BUKRS field. another field may ACTVT to limit specific activity for particular user. in example Z_BUKRS with field ACTVT and BUKRS.

- ask ABAP to insert our new Z-authorization object on their program, so that everytime Z-program is executed, Z-programs (ZTEST) will automatically check value from Z-authorization object (Z_BUKRS).

- from transaction SU24, make a mapping between Z-program (in this example ZTEST) and Z-authorization object (in this example Z_BUKRS), so that everytime you attach this Z-program (ZTEST) to a role, Z-authorization object (Z_BUKRS) will automatically loaded in PFCG (you don't need to "add manually")

- maintain permissible value on PFCG as usual.

hope it help you,

rgds,

Alfonsus Guritno

Former Member · ‎12-14-2009

Thankyou all for the valuable suggestion..

Will try to work out on those ...

Edited by: Ajit Nadkarni on Dec 14, 2009 4:30 AM

Former Member · ‎12-14-2009

When "looking", you might want to consider (re)using a standard auth object with those fields instead of creating yet another one to administrate.

Anyway, these sort of table level reporting topics are best suited for a BW system...