Issues with role creation and usage in user accounts

Former Member
0 Kudos

Dear Gurus,

I have just created a role containing the transactions: SE01 and SE09. This role gives display/release authorization for users while they work on change requests/tasks.

The issue: There are other roles in the Production System which contain the authorization object S_TRANSPRT which in turn have create/delete authorization. Even though they are not meant for giving access to SE01 or SE09, they are required by the functional teams for carrying out changes to customization data.

Due to this reason, a user account containing the role that I have created and the ones which I just described cannot be assigned in a single user account, since users will get create/change authorization.

Is there any way through which we can tag the authorizations that are given in a role to be limited to the tcodes present in the role itself? In other words, is there a way to prevent other roles overriding the restricted access given through display-only roles? I am looking for a solution to the above situation but nothing is coming up.

Thanks a lot in advance for your suggestions .....

Best Regards,

Shashi kanth Gowda

3 REPLIES

mvoros
Active Contributor
0 Kudos

Hi,

There is no way you can restrict an assigned authorization to some particular transaction. Your question is basically the same as the question asked in this thread.

There is a BADI CTS_REQUEST_CHECK which can be used for additional checks for CTS. So you can create a copy of S_TRANSPRT and add a new field TCODE, which will allow you to control access based on transaction code.

Cheers

Former Member
0 Kudos

Thank you ..

Former Member
0 Kudos

Hi

I would like to highlight an important point:

Authorization object S_TRANSPRT is a critical object. Create and Delete access should not be given in the Production system. Only Display access is to be given. Release authorizations are not given in the Production system. Only the Development system has Release access, since transports originate from Development.

If it is only the development team, then you can create a separate role for the development team only, with this object and the respective values, and give the display value to the rest of the folks.

Thanks and regards

Arun R
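
The behaviour discussed in this thread, as an added example that is not part of any post above and is not SAP code: a small Python model of how authorizations from all of a user's roles are pooled, used to flag accounts that can start SE01/SE09 while also holding create or delete on S_TRANSPRT. Role names, user names and assigned values are constructed sample data, and wildcard handling is simplified to a full `*`.

```python
# Added illustration; roles, users and values below are constructed sample data.
# S_TRANSPRT ACTVT codes: 01 create, 02 change, 03 display, 06 delete, 43 release.
ROLES = {
    "Z_CTS_DISPLAY": [  # hypothetical display/release role from the question
        ("S_TCODE", {"TCD": {"SE01", "SE09"}}),
        ("S_TRANSPRT", {"TTYPE": {"*"}, "ACTVT": {"03", "43"}}),
    ],
    "Z_FUNC_CUSTOMIZING": [  # hypothetical functional-team role
        ("S_TCODE", {"TCD": {"SPRO"}}),
        ("S_TRANSPRT", {"TTYPE": {"CUST", "TASK"}, "ACTVT": {"01", "02", "06"}}),
    ],
}
USERS = {
    "ALICE": ["Z_CTS_DISPLAY"],
    "BOB": ["Z_CTS_DISPLAY", "Z_FUNC_CUSTOMIZING"],
    "CAROL": ["Z_FUNC_CUSTOMIZING"],
}
RISKY_ACTVT = {"01", "06"}
CTS_TCODES = {"SE01", "SE09"}

def authorizations(user):
    """All authorizations from all of the user's roles; the role of origin is lost."""
    return [auth for role in USERS[user] for auth in ROLES[role]]

def has_auth(user, obj, **required):
    """True if one single authorization for obj covers every required field value."""
    for name, fields in authorizations(user):
        if name == obj and all(
            "*" in fields.get(f, set()) or v in fields.get(f, set())
            for f, v in required.items()
        ):
            return True
    return False

def audit():
    """Users who can start SE01/SE09 and also hold create or delete on S_TRANSPRT."""
    findings = {}
    for user in USERS:
        tcodes = sorted(t for t in CTS_TCODES if has_auth(user, "S_TCODE", TCD=t))
        actvts = sorted(a for a in RISKY_ACTVT if has_auth(user, "S_TRANSPRT", ACTVT=a))
        if tcodes and actvts:
            findings[user] = (tcodes, actvts)
    return findings

if __name__ == "__main__":
    for user, (tcodes, actvts) in audit().items():
        print(user, "can start", tcodes, "with S_TRANSPRT ACTVT", actvts)
```

Only BOB is flagged: the check on S_TRANSPRT has no knowledge of which role supplied the value or which transaction the user started.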