01-18-2010 6:05 PM
Friends
I am trying to remove OBR1 OTZ1 and OBR3 transactions from Transaction Range that I have for the S_TCODE.
I tried to put below range but user still can execute the above transactions.
OA* OBQ*
OBR2
OBR4 OBY1
OBY3 OTY*
OTZ2 OZZZ*
Any suggestions?
Form
Praveen
01-18-2010 7:04 PM
Think about it....
How would you react to these to options if you were a kernel:
'OA*' to 'OBQ*'
and...
'OA' to 'OBQ*'
Should there be a difference and what is it? This is one of the dangers of 'ranging*' without reading the documentation carefully.
Most likely you will have several other (possibly bigger) problems of the same ilk in your system.
Cheers,
Julius
01-18-2010 7:20 PM
No, It is working now.
User is a Consultant and was given SAP_ALL access.
From
Praveen
01-18-2010 7:27 PM
That was a bit silly of me. I should have known that your consultant had an additional role / profiles.
--> OA to OB... includes all of OA* so makes no difference...
Cheers,
Julius
01-18-2010 10:27 PM
BTW: What happens when the user tries to start a tcode from OBC* or OBD* etc etc... up to OBP*?
Do they now have a reference user...?
02-05-2014 5:09 PM
Hi Julius
I’m having an issue with a value range in a role that not behaves as I think it should (I’m probably wrong…) so I have been surfing a lot to find documentation on how to use ranges, but the search have not been successful 😞
In this reply you mention documentation – any chance you can guide me to that ?
Thanks in advance.
Best regards,
Peter
02-05-2014 5:41 PM
Please first check whether user has SAP_ALL as well like Pavan's one...
Then consider that ranges in S_TCODE is very silly and there is no need for it as the limit is about 15k tcodes per role.
Then check your masking. * is an escape value in fields. You should not use it in ranges.
Cheers,
Julius
02-06-2014 8:58 AM
I'm not having the issue with S_TCODE, but I assume the logic for ranges is the same for all authorization fields.
Are you aware of any kind of documentation that describes how to use ranges correct ?
Best regards,
Peter
02-06-2014 9:33 AM
Yes, the behaviour is described in SAP note 136647 (wildcards as placeholders) and 1106948 (generic values in authorization ranges).
If you dont have the same problem as Pranav, then you should open a thread of your own and explain exactly what your problem is - otherwise we have to guess (it was bad enough to guess what Pranav's problem was... :-).
Cheers,
Julius
02-06-2014 3:30 AM
Hi,
its surprising that you are using SAP_ALL and then putting S_TCODE range, as Julius says it's silly because it will overwrite Tcode range and give access to all tcodes.
Now technically this to work - you have to include all authorization objects associated from tcode ranges ( which is going to be hell lot of work ) , its better to create role with tcodes that consultant required and not what he does not want.
Regards,
Satyajit