Restricting the addition of an authorization object & transaction to a role

former_member270360
Participant
0 Kudos

Dears,

Is it possible to restrict the addition of an authorization object or a transaction code to an SAP authorization role?

In other words, is it possible to impose authorization on authorization objects or transaction codes, so that only the authorized user can add them to an SAP authorization role?

Thanks.

Reda

6 REPLIES 6

Former Member
0 Kudos

Auth objects starting with S_USER* like S_USER_TCD, S_USER_VAL, S_USER_OBJ are your best bet. Configure them properly in the roles for the users whom you want to restrict with the addition of t-code or auth object.

Former Member
0 Kudos

Hi Reda,

Yes, you can place a restriction on users inserting certain Tcodes/Objects/Field Values into roles. One example is the object S_USER_TCD, which restricts a user adding Tcodes to the role. A similar example is S_USER_VAL.

Please refer to the below link for more details:

http://help.sap.com/saphelp_nw70/helpdata/en/ce/17533e5ff4d064e10000000a114084/content.htm

Do let us know if you need any more information on this.

0 Kudos

Hello sap.sec.akshay,

Please consider the following:

The basis administrator who will be responsible for granting / revoking authorization for the common SAP modules: FI, MM, SD & CS will have to have all the role names and transaction codes related to the previously mentioned SAP modules individually added to authorization fields: ACT_GROUP (Role name) and TCD (Transaction code) of authorization objects: S_USER_AGR & S_USER_TCD respectively, and this to prevent adding an '*' (All values) to those fields, because the '*' in the previously mentioned fields will constitute a caveat in the required SAP authorization schema (e.g. securing the roles and transaction codes related to the HR module).

Kindly feedback.

Thanks.

Reda

0 Kudos

Hi Reda,

I didn't get your question. Can you elaborate?

Warm Regards,

Rajesh

0 Kudos

Hi Reda,

Yes, the situation is a really complicated one, but not impossible if your role naming conventions clearly signify the module to which the roles belong.

For example:

Finance Module roles:

Z_FI_PLANT_ACT

Z_FI_TAX_AUDITOR

In such cases you can easily put Z_FI* in ACT_GROUP (Role name) of S_USER_AGR. Adding Tcodes to TCD (Transaction code) can also be handled in a similar way. For example MM* for MM related tcodes.

However, if you also want to put the restriction on field values, then you can make use of S_USER_VAL to a certain extent.

Let us know if you need any more information on this.
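
An added example, not part of the thread or of any SAP tooling: a check over a constructed export of role authorization values that flags S_USER_AGR/ACT_GROUP or S_USER_TCD/TCD entries wide enough to cover HR roles or transactions, the concern raised earlier in the thread. The row layout, the Z_BC_* and Z_HR_* role names and the protected lists are assumptions made for illustration, and only a trailing `*` is treated as a wildcard.

```python
# Added example: all rows and names below are constructed sample data.

# Object/field pairs from the thread that limit what a role admin may assign.
WATCHED = {("S_USER_AGR", "ACT_GROUP"), ("S_USER_TCD", "TCD")}


def covers(value, name):
    """True if an authorization value covers `name`.

    Assumption: only a trailing '*' acts as a wildcard; ranges are not modelled.
    """
    if value.endswith("*"):
        return name.startswith(value[:-1])
    return value == name


def overbroad_grants(rows, protected):
    """Flag grants that reach names the admin role must not be able to assign.

    rows: (role, object, field, value) tuples (assumed export layout).
    protected: field name -> list of role names / transaction codes to protect.
    """
    findings = []
    for role, obj, field, value in rows:
        if (obj, field) not in WATCHED:
            continue
        hits = sorted(n for n in protected.get(field, ()) if covers(value, n))
        if hits:
            findings.append((role, obj, field, value, hits))
    return findings


# Hypothetical admin roles: one scoped by naming convention, one too broad.
ROWS = [
    ("Z_BC_ROLE_ADMIN_FI", "S_USER_AGR", "ACT_GROUP", "Z_FI*"),
    ("Z_BC_ROLE_ADMIN_FI", "S_USER_TCD", "TCD", "MM*"),
    ("Z_BC_ROLE_ADMIN_ALL", "S_USER_AGR", "ACT_GROUP", "*"),
    ("Z_BC_ROLE_ADMIN_ALL", "S_USER_AGR", "ACTVT", "02"),
    ("Z_BC_ROLE_ADMIN_ALL", "S_USER_TCD", "TCD", "P*"),
]
# Constructed list of HR items that must stay out of reach.
PROTECTED = {"ACT_GROUP": ["Z_HR_PAYROLL_ADMIN"], "TCD": ["PA30", "PA20"]}

if __name__ == "__main__":
    for finding in overbroad_grants(ROWS, PROTECTED):
        print(finding)
```
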

former_member270360
Participant
0 Kudos

Re-opening the question due to the arising of a new point related to the relevant discussion of the question