Solved: Adding security object to a transaction code

former_member73068 · ‎01-25-2010

Greetings,

I received a request from our Financial side of the house to restrict access to a particular fund type in the transaction codes FM5S and FM5I. When I examine the objects required for those transaction codes, I don't see anything that is tied to the fund type.

My questions:

1. Can I add an arbitrary object that is checked when a transaction code is executed?

2. How do I determine which object is appropriate? For example, searching for a "*type" in SUIM, Authorization Objects by Field, Text, seems pretty chancy.

Bill Bormann

Purdue University

jurjen_heeck · ‎01-25-2010

> 1. Can I add an arbitrary object that is checked when a transaction code is executed?

Not without adapting the actual code.

> 2. How do I determine which object is appropriate? For example, searching for a "*type" in SUIM, Authorization Objects by Field, Text, seems pretty chancy.

Have a look at objects used in transactions which already behave in the expected manner.

jurjen_heeck · ‎01-25-2010

> 1. Can I add an arbitrary object that is checked when a transaction code is executed?

Not without adapting the actual code.

> 2. How do I determine which object is appropriate? For example, searching for a "*type" in SUIM, Authorization Objects by Field, Text, seems pretty chancy.

Have a look at objects used in transactions which already behave in the expected manner.

Former Member · ‎01-25-2010

Hi Bill,

 
 1. Can I add an arbitrary object that is checked when a transaction code is executed?

- Yes you can. In that case you need to sit with the developer and create a customized Tcode as per your requirement. If you do not want any code change then you can take help of user exits/Bapis to enforce some additional checks.

 
 2. How do I determine which object is appropriate? For example, searching for a "*type" in SUIM, Authorization Objects by Field, Text, seems pretty chancy.

Please elaborate more on this I am not able to understand this one.

Former Member · ‎01-25-2010

Hi William,

Inside SUIM it's hard to get the object information. For object detail you need to go inside transaction SU21. This contain the Object under object classes.

The object for Fund management is : F_FICA_FOG : Fund management authorization group for fund. And you can check the same in SU24. This will provide you the objects checked for transaction.

Cheers: )

Former Member · ‎01-25-2010

> Inside SUIM it's hard to get the object information. For object detail you need to go inside transaction SU21. This contain the Object under object classes.

Within SUIM you can search for authorization objects by field name or text even (or directly via transaction S_BCE_68001413). This would imply that you know which data or it's description you want to control.

In the output, you can double-click the object name -> SU21 on steriods

Cheers,

Julius

Former Member · ‎01-25-2010

Ignore the object i mentioned in above post.....I have posted this accidently... this is for management not for TYPE...

former_member73068 · ‎01-25-2010

Ok, I think I just had a "DOH!" moment. Hopefully this understanding of the basic situation is correct:

It's fairly straightforward to add an object that is required when a transaction code is added to a role, but, you still have to make some kind of modification (cosmetic or more) to the underlying code to check that object.

For these transactions (FM5I and FM5S), SAP supports a check for fund authorization groups and the object specifying the groups is automatically added when these transactions are placed in a role. Alas, we're not using fund authorization groups here, so if the business wants to restrict by type we're going to have to either find a SAP-supplied object that includes the fund type and modify the code (here, two transactions) or assign the fund types to fund authorization groups.

Bill

Former Member · ‎01-25-2010

> It's fairly straightforward to add an object that is required when a transaction code is added to a role, but, you still have to make some kind of modification (cosmetic or more) to the underlying code to check that object.

Unless it is already checked in the code at the correct location you want to use it for control.

> For these transactions (FM5I and FM5S), SAP supports a check for fund authorization groups...

SAP "owns" the authority-checks in SAP standard code. In some cases you can influence them or how the system reacts to them - but not all.

> ... and the object specifying the groups is automatically added when these transactions are placed in a role.

Only if instructed to do so via SU24.

> Alas, we're not using fund authorization groups here, so if the business wants to restrict by type we're going to have to either find a SAP-supplied object that includes the fund type and modify the code...

No. Only if there is no equivalent check and no enhancement / customer exit point available

>... (here, two transactions)

Most likely it will anyway just be one and the same function module so is checked or can be changed centrally.

> or assign the fund types to fund authorization groups.

This is usually the easiest and least intrusive way. Take note that group type fields (typically called BEGRU) are mostly optional objects.

The system only reaches the check at all if there is a value maintained. If not, the check is suppressed and you might not even see the trace of it in ST01 or SU53.

I recommend contacting your functional support of the Funds Management "module" and go through the options with them. They should know what can be done and which is most sustainable.

Cheers,

Julius