
Effect of roles on Authorization Object creation

Former Member
0 Kudos

Hi All,

I have a requirement to give the Display access for a particular transaction, say "A", to a set of users.

For this, I have maintained the display activity codes in the authorization object (say, "B") associated with that t-code "A" but there are other t-codes in the same single or different single roles of that particular composite role to which this authorization object is associated. Hence, users are not able to use the change rights for such other t-codes.

To overcome this, I am planning to create a new authorization object (ex- "C") for this t-code "A" and remove the link of "B" with "A". My question is, if I make this change, will the new authorization object "C" be reflected in all the existing roles containing "A"?

Any other suggestions for this are also invited.

Thanks in Advance.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

You need to link the new object "C" with Tcode "A" in SU24. And then you need to modify the roles having access to the Tcode A through PFCG --> "Expert Mode", read and merge old data. This will pull the new object "C" which you have created. After this generate the role and then transport them to the destination.

Hope this helps.

10 REPLIES 10

jurjen_heeck
Active Contributor
0 Kudos

I think you're better off describing the actual problem instead of making it hypothetical.

Knowing which transactions and object(s) you're dealing with makes it a lot easier to answer.

0 Kudos

Hi All,

The t-code in question is FBL1N and the authorization object is F_BKPF_KOA. As per my requirement, I need to provide the display access to FBL1N but if we check in SU24, there are many other t-codes associated with F_BKPF_KOA (such as FBWE, FBWD, FBZ0, FBZ1...).

I have given the display activity code in role containing FBL1N but user needs change rights for other t-codes (associated with F_BKPF_KOA) which are present in other single roles of composite role (assigned to user). Due to this, user is able to make changes in FBL1N also.

Can you please let me know if I can make the changes as given in my previous post and will it affect all the existing roles containing FBL1N?

Please let me know if there are any other ways to achieve this.

Thanks.

Santosh

0 Kudos

If the users need F_BKPF_KOA with more than display rights and you do not want them to do anything but display in FBL1N I think you have two options:

1 - look for user exits in the FBL1N source and see if you can implement extra authorization checks.

2 - Create a variant transaction of FBL1N for which switching to change mode is impossible, regardless of underlying authorizations. Take FBL1N from your roles and replace with the created transaction.

>Can you please let me know if I can make the changes as given in my previous post and will it affect all the existing roles containing FBL1N?

This I do not understand. First we have to work out which changes need to be made exactly.

0 Kudos

> Can you please let me know if I can make the changes as given in my previous post and will it affect all the existing roles containing FBL1N?

That is why it is tempting to create a Z-object and add even more code.... --> so that you don't have to change many existing roles whose design is possibly the root cause of the problem.

You end up creating a Z-object for each view and every org. element and eventually a role per user if you follow that route.

> I have given the display activity code in role containing FBL1N but user needs change rights for other t-codes (associated with F_BKPF_KOA) which are present in other single roles of composite role...

Then compare the transaction and not do a where-used-list on the object. Look for an object which will give you this granularity if F_BKPF_KOA is too general and consider even using the "No Check" option in SU24 (after considering that it might have consequences for the other transactions which you use).

Often, a more careful selection of the transaction code to use can solve the problem. Talk to your functional guru about it and whether the value in the "account type" field is the problem. For example, if it is a "logistical event" then you might want to consider a "logistics" transaction or even an automatic matching and clearing option.

Cheers,

Julius

Edited by: Julius Bussche on Dec 15, 2009 10:27 PM

0 Kudos

You may also want to do a trace in order to see if a different transaction is called in when using FBL1N. I think the only change capabilities with this transaction are to header data. If they are trying to make a change in this transaction, beyond the header data, it might actually be calling in another transaction. Controlling who has access to that transaction might be another route.

0 Kudos

> You need to link the new object "C" with Tcode "A" in SU24. And then you need to modify the roles having access to the Tcode A through PFCG --> "Expert Mode", read and merge old data.

And all this will work without adapting the source code? Magic!

0 Kudos

I also agree with Jurjen. Please list the actual Tcode and Object through which you are trying to restrict it. It can help us in analyzing your issue in a better way.

0 Kudos

Hi Jurjen,

Santosh already mentioned :

"I am planning to create a new authorization object (ex- "C") for this t-code "A" and remove the link of "B" with "A"."

This can only be done by modifying the source code. Hence I have assumed that the above change is already in place before suggesting SU24 changes to Santosh. Please do correct me if I am wrong.

Thanks.

0 Kudos

> Hence I have assumed that the above change is already in place before suggesting SU24 changes to Santosh.

I was afraid that bit was overseen. Happens a lot. No personal offence meant
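
The behaviour discussed in this thread, as an added example that is not from any of the posters and is not SAP code: a simplified Python model of how an authority check is evaluated against the pooled authorizations of all of a user's roles, and why putting a new object into roles changes nothing until the program checks it. The role contents are constructed, `Z_OBJ_C` is a hypothetical name for object "C", and the change-mode check on F_BKPF_KOA with activity 02 is assumed from the thread's description.

```python
# Simplified model of an authority check (added illustration, not SAP code).
# A check passes when ONE authorization of the object covers ALL requested fields.

def covers(allowed, value):
    """A field's value list covers a request if it holds the value or '*'."""
    return "*" in allowed or value in allowed

def authority_check(buf, obj, **fields):
    """True if any single authorization of `obj` in the buffer satisfies every field."""
    return any(
        auth_obj == obj and all(covers(auth.get(f, ()), v) for f, v in fields.items())
        for auth_obj, auth in buf
    )

def build_user_buffer(roles):
    """Authorizations of all assigned roles are pooled; the role of origin is lost."""
    return [entry for role in roles for entry in role]

# Constructed roles. Z_OBJ_C is a hypothetical custom object ("C" in the thread).
ROLE_FBL1N_DISPLAY = [("S_TCODE", {"TCD": ["FBL1N"]}),
                      ("F_BKPF_KOA", {"KOART": ["K"], "ACTVT": ["03"]})]
ROLE_PAYMENTS = [("S_TCODE", {"TCD": ["FBZ1"]}),
                 ("F_BKPF_KOA", {"KOART": ["K"], "ACTVT": ["01", "02", "03"]})]
ROLE_WITH_C = ROLE_FBL1N_DISPLAY[:1] + [("Z_OBJ_C", {"ACTVT": ["03"]})]

def can_change_in_fbl1n(roles, program_checks):
    """Evaluate the change-mode checks that the program itself performs.

    `program_checks` stands for the objects coded in the transaction's source;
    SU24 proposals only decide what PFCG pulls into a role, not what is checked.
    """
    buf = build_user_buffer(roles)
    if not authority_check(buf, "S_TCODE", TCD="FBL1N"):
        return False
    requests = {"F_BKPF_KOA": {"KOART": "K", "ACTVT": "02"},  # 02 = change
                "Z_OBJ_C": {"ACTVT": "02"}}
    return all(authority_check(buf, o, **requests[o]) for o in program_checks)

if __name__ == "__main__":
    std = ["F_BKPF_KOA"]
    print(can_change_in_fbl1n([ROLE_FBL1N_DISPLAY], std))                  # display role alone
    print(can_change_in_fbl1n([ROLE_FBL1N_DISPLAY, ROLE_PAYMENTS], std))   # composite role
    print(can_change_in_fbl1n([ROLE_WITH_C, ROLE_PAYMENTS], std))          # C in role, code unchanged
    print(can_change_in_fbl1n([ROLE_WITH_C, ROLE_PAYMENTS], ["Z_OBJ_C"]))  # code adapted to check C
```

The third and fourth cases differ only in what the program checks, which is the point made in the replies about adapting the source code.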