Application Development Discussions
Role based restrictions

Former Member
0 Kudos

Hi

We have two roles for t-code FBL1N and t-code F.02:

Role 1: Z:FI:FBL1n containing t-code FBL1N with authorization group VND in authorization object F_LFA1_BEK

Role 2: Z:FI:F.02 containing t-code F.02 with authorization group EMP in authorization object F_LFA1_BEK

Now the question is: when the user executes FBL1N he can easily access the documents of authorization group EMP as well, though he was authorized for the VND group only, and vice versa with F.02.

So I just need to know: if we are creating two separate roles for different t-codes with different restrictions, then why does the system pick both values of the same authorization object that is present in the roles?

How can we restrict the users on the basis of roles? Because common authorization objects in both roles (e.g. F_LFA1_BEK) are taking all the values (EMP / VND) from the roles in which they are present.

Regards

Shilpa

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Dear Shilpa,

That is exactly how SAP works. It is because "roles" are just like containers for the authorizations that are present in a user profile. It is nothing more than that. Separating the authorizations into different roles won't help to restrict the authorizations.

Regards,

Lakshmi.

14 REPLIES


0 Kudos

Hi

If it's like that, then how can I restrict my users?

Regards

Shilpa

0 Kudos

Then how can I restrict my users?

0 Kudos

You have a few options:

- Accept the risk

- Segregate the access to different users

- Extend the auth checks in F.02 and FBL1N to incorporate additional validation.

If you spend some time with your dev team they will be able to tell you if there are appropriate user exits/enhancement points etc that can be used.

Former Member
0 Kudos

Hi Shilpa,

In SAP, users are restricted by means of authorization object.

If you want to assign the authorization group EMP and restrict VND from user1, create a role with the required TCODE and only the required group (EMP). If the user receives the authorization group from any other auth. object, he will be able to access the document.

Regards

Dona

0 Kudos

Hi Dona,

I believe that the problem is when the roles are combined: in that case you will have EMP + VND access for the same auth object in the user buffer.

0 Kudos

Hi Alex,

Would you mind detailing the user exit and additional checks you are talking about? Because once the t-code is run, the check is made for the auth object across all the roles and it picks all the values irrespective of role.

My ABAP team could not tell me, so I'm turning to you for details.

Rajesh

0 Kudos

Hi Rajesh,

SAP provides user exits/enhancement points/BAdIs etc. that all let you add additional code into programs without changing standard SAP programs.

Not all transactions/programs have them, and those that do don't always have them in the right place.

What this gives us the opportunity to do is insert additional authorisation checks based on our required logic.

In this case, it may be possible to perform an additional check on a custom auth object that contains 2 fields: one for t-code, one for auth group. When the transaction is executed, an additional check is performed to verify that the user has authorisation for the t-code + the auth group. Without the authorisation the check would fail and the transaction would not progress. This way your user could only run FBL1N for EMP and F.02 for VEN.

The above example is not a good one & only meant as an illustration to show what you could potentially do.
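Lakshmi's point that roles are only containers, and Alex's idea of a custom object that pairs the t-code with the auth group, are modelled below in an added Python example. It is not SAP code and not from anyone in this thread: it simulates how the authorizations of all assigned roles are merged into one user buffer, runs the standard-style F_LFA1_BEK check against it, and then adds the extra check on a hypothetical custom object Z_TCD_GRP. The field names BRGRU and ACTVT on F_LFA1_BEK, the names TCD and BRGRU on Z_TCD_GRP, and the role contents are all assumptions or constructed sample data.

```python
"""Model of the user-buffer merge and of an added t-code + auth-group check.

Added example for this thread, not SAP code. F_LFA1_BEK with fields BRGRU
(authorization group) and ACTVT (activity) is the object the thread names;
Z_TCD_GRP with fields TCD and BRGRU is a hypothetical custom object, and
the role contents below are constructed sample data.
"""
from collections import defaultdict

# A role is only a container: object name -> list of authorizations,
# each authorization being field -> set of allowed values.
ROLE_FBL1N = {
    "S_TCODE": [{"TCD": {"FBL1N"}}],
    "F_LFA1_BEK": [{"BRGRU": {"VND"}, "ACTVT": {"03"}}],
    "Z_TCD_GRP": [{"TCD": {"FBL1N"}, "BRGRU": {"VND"}}],   # hypothetical custom object
}
ROLE_F02 = {
    "S_TCODE": [{"TCD": {"F.02"}}],
    "F_LFA1_BEK": [{"BRGRU": {"EMP"}, "ACTVT": {"03"}}],
    "Z_TCD_GRP": [{"TCD": {"F.02"}, "BRGRU": {"EMP"}}],    # hypothetical custom object
}

# The custom check only helps if each t-code/group pair lives in its own
# authorization. One authorization carrying both values in both fields
# (a common maintenance shortcut) recreates the original problem.
ROLE_COLLAPSED = {
    **ROLE_FBL1N,
    "Z_TCD_GRP": [{"TCD": {"FBL1N", "F.02"}, "BRGRU": {"VND", "EMP"}}],
}


def build_user_buffer(*roles):
    """Merge every assigned role's authorizations into one buffer.

    The buffer keeps no record of which role an authorization came from,
    which is why splitting values across roles does not separate them.
    """
    buffer = defaultdict(list)
    for role in roles:
        for obj, auths in role.items():
            buffer[obj].extend(auths)
    return buffer


def authority_check(buffer, obj, **fields):
    """AUTHORITY-CHECK semantics: a single authorization must match every field."""
    for auth in buffer.get(obj, []):
        if all(value in auth.get(field, set()) for field, value in fields.items()):
            return True
    return False


def standard_access(buffer, tcode, group):
    """What the standard transactions check: S_TCODE, then F_LFA1_BEK for the
    document's group. Nothing ties the group to the t-code, so once both roles
    are merged FBL1N passes for EMP just as it does for VND."""
    return (authority_check(buffer, "S_TCODE", TCD=tcode)
            and authority_check(buffer, "F_LFA1_BEK", BRGRU=group, ACTVT="03"))


def hardened_access(buffer, tcode, group):
    """Standard checks plus the extra check a user exit / enhancement would add.

    TCD and BRGRU are checked together against one authorization, so only the
    pairs that were maintained as pairs (FBL1N+VND, F.02+EMP) succeed."""
    return (standard_access(buffer, tcode, group)
            and authority_check(buffer, "Z_TCD_GRP", TCD=tcode, BRGRU=group))


def access_matrix(check, buffer):
    """Return {(tcode, group): allowed} for all four t-code/group combinations."""
    return {(t, g): check(buffer, t, g)
            for t in ("FBL1N", "F.02") for g in ("VND", "EMP")}


if __name__ == "__main__":
    user = build_user_buffer(ROLE_FBL1N, ROLE_F02)
    print("standard :", access_matrix(standard_access, user))
    print("hardened :", access_matrix(hardened_access, user))
    collapsed = build_user_buffer(ROLE_COLLAPSED, ROLE_F02)
    print("collapsed:", access_matrix(hardened_access, collapsed))
```

Running the block prints the four t-code/group combinations three times: under the standard check all four are allowed, under the hardened check only FBL1N+VND and F.02+EMP remain, and with the collapsed custom authorization all four are allowed again, which is the detail to verify in the role menu (one authorization per pair) before relying on such an exit.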

0 Kudos

Hi Rajesh,

All t-codes usually have user exits associated with them (usually more than one). These are meant for use at different stages in a transaction. If there is one that suits your requirement, you could use it to have an AUTHORITY-CHECK programmed in it.

Regards,

CP

0 Kudos

Hi CP,

Not all t-codes have exits or EPs, unfortunately.

In those situations we have to look at the alternatives.

0 Kudos

You are absolutely right! What I wanted to say was that "usually they will"; in those cases we can use one that is more relevant for us. Otherwise a user exit is not the option.

Best Wishes,

CP

0 Kudos

Thanks Alex

Former Member
0 Kudos

If you are going to choose your transactions and tasks for the user like this, then the easiest thing to do is to train them to use the correct transaction for the correct group (or even set the value via a variant to show the preference) and then periodically do a quick check of the transaction data to verify that the correct transaction was also used.

These sorts of detective controls are often useful to mitigate a preventative control which would mean turning the system inside out, etc.

Cheers,

Julius

Former Member
0 Kudos

thx