12-14-2009 8:14 PM
Dears,
Is it possible to restrict the addition of an authorization object or a transaction code to a SAP authorization role?
In other words, is it possible to impose authorization on authorization objects or transaction codes, so that only the authorized user can add them to a SAP authorization role?
Thanks.
Reda
12-14-2009 8:19 PM
Auth objects starting with S_USER*, like S_USER_TCD, S_USER_VAL and S_USER_OBJ, are your best bet. Configure them properly in the roles of the users whom you want to restrict from adding a t-code or auth object.
12-14-2009 8:24 PM
Hi Reda,
Yes, you can place a restriction on users inserting certain Tcodes/Objects/Field Values into the roles. One example is the object S_USER_TCD, which restricts a user from adding Tcodes to the role. A similar example is S_USER_VAL.
Please refer to the link below for more details:
http://help.sap.com/saphelp_nw70/helpdata/en/ce/17533e5ff4d064e10000000a114084/content.htm
Do let us know if you need any more information on this.
01-24-2010 3:39 PM
Hello sap.sec.akshay,
Please consider the following:
The basis administrator who will be responsible for granting / revoking authorization for the common SAP modules (FI, MM, SD & CS) will have to have all the role names and transaction codes related to the previously mentioned SAP modules individually added to the authorization fields ACT_GROUP (Role name) and TCD (Transaction code) of the authorization objects S_USER_AGR & S_USER_TCD respectively. This is to prevent adding an '*' (All values) to those fields, because the '*' in the previously mentioned fields will constitute a caveat in the required SAP authorization schema (e.g. securing the roles and transaction codes related to the HR module).
Kindly feedback.
Thanks.
Reda
01-24-2010 10:14 PM
Hi Reda,
I didn't get your question. Can you elaborate?
Warm Regards,
Rajesh
01-25-2010 3:08 AM
Hi Reda,
Yes, the situation is a really complicated one, but not impossible if your role naming conventions clearly signify the module to which the roles belong.
For example:
Finance Module roles:
Z_FI_PLANT_ACT
Z_FI_TAX_AUDITOR
In such cases you can easily put Z_FI* in ACT_GROUP (Role name) of S_USER_AGR. Adding Tcodes to TCD (Transaction code) can also be handled in a similar way. For example, MM* for MM-related tcodes.
However, if you also want to put the restriction on field values, then you can make use of S_USER_VAL to a certain extent.
Let us know if you need any more information on this.
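The prefix-pattern approach from the reply above, worked through as an added example that is not part of the original thread or SAP's own code. It assumes the administrator's field values have been exported into a dictionary; the function names, the role Z_HR_PAYROLL and the tcodes FB01, FB03 and PA30 are constructed sample values.

```python
# Constructed sample: field values an administrator's role holds for the two
# objects named in the thread. Only single values and trailing-'*' patterns are
# modelled; value ranges and the ACTVT field are left out (assumption).
ADMIN_AUTH = {
    ("S_USER_AGR", "ACT_GROUP"): ["Z_FI*", "Z_MM*"],
    ("S_USER_TCD", "TCD"): ["MM*", "F*"],
}

def value_allows(pattern, candidate):
    """True if one authorization value covers the candidate."""
    if pattern.endswith("*"):
        return candidate.startswith(pattern[:-1])
    return pattern == candidate

def field_allows(auth, obj, field, candidate):
    """True if any value held for (obj, field) covers the candidate."""
    return any(value_allows(p, candidate) for p in auth.get((obj, field), []))

def full_wildcards(auth):
    """(object, field) pairs that carry a bare '*', i.e. all values."""
    return sorted(key for key, vals in auth.items() if "*" in vals)

def check_role_change(auth, role_name, tcodes):
    """Return the reasons this admin could not add `tcodes` to `role_name`."""
    denied = []
    if not field_allows(auth, "S_USER_AGR", "ACT_GROUP", role_name):
        denied.append(f"role {role_name} not covered by ACT_GROUP")
    for tcode in tcodes:
        if not field_allows(auth, "S_USER_TCD", "TCD", tcode):
            denied.append(f"tcode {tcode} not covered by TCD")
    return denied

if __name__ == "__main__":
    # FI role and FI tcode: covered by Z_FI* and F*
    print(check_role_change(ADMIN_AUTH, "Z_FI_TAX_AUDITOR", ["FB03"]))
    # HR role and HR tcode: neither pattern covers them
    print(check_role_change(ADMIN_AUTH, "Z_HR_PAYROLL", ["PA30"]))
    # FI role, but one HR tcode slipped into the change
    print(check_role_change(ADMIN_AUTH, "Z_FI_PLANT_ACT", ["FB01", "PA30"]))
    # The case the question warns about: '*' in TCD removes the restriction
    too_wide = dict(ADMIN_AUTH)
    too_wide[("S_USER_TCD", "TCD")] = ["*"]
    print(full_wildcards(too_wide))
```

A prefix pattern is only as tight as the naming convention behind it: F* covers every transaction code that starts with F, whichever module it belongs to.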
01-24-2010 3:21 PM
Re-opening the question due to the arising of a new point related to the relevant discussion of the question