Basis authorization object class

Former Member
0 Kudos

Hi All,

A few roles contain ABAP & BASIS objects, but 1 user should NOT get access to these. How can I restrict ABAP & BASIS objects only for 1 user id without disturbing access for other users?

I tried creating Z roles for this user id and deactivating BASIS objects, but still some other roles containing ABAP objects are accessible, which I don't want to give.

Is there any shorter way out?

thx

Bhushan

Accepted Solutions (1)

former_member190272
Active Contributor
0 Kudos

Hi,

Creating a Z role and defining the authorization objects is the best way.

Regards,

Pankaj

Former Member
0 Kudos

> Hi,
>
> Creating a Z role and defining the authorization objects is the best way.
>
> Regards,
> Pankaj

Sorry Pankaj, but I don't think that's the best suggestion without knowing what the Operator intends to do with a USER who should have access but not to BASIS and ABAP objects (quite weird, I presume).

Anyway,

Bhushan - can you explain what it is that you want to achieve, and what kind of authorizations are currently assigned to the user? You need not list all the available transactions for the user, but a general overview of what the user has and what prompts you to remove the BASIS objects would be interesting to many of us.

Former Member
0 Kudos

Dear Shekhar,

This is what I have tried so far:

a. The user has MM, SD, FICO, PM, QM tcodes attached to about 24 roles, but these roles also contain ABAP & Basis objects, e.g. S_DEVELOP, Basis Admin, etc., which I don't want to give. These 24 roles are also shared between 10-15 user ids, hence I cannot edit / deactivate ABAP/BASIS objects in these.

b. The problem was which roles to edit, so I created a copy of all 24 roles and created Z roles in which ABAP / BASIS objects are deactivated.

c. Now the issue is that, in spite of this, the user is getting access to SU01, SM30 tcodes, which I don't want.

d. Checked in SUIM which roles contain SU01 & SM30, but no such roles are assigned.

Can you pls guide how to prevent these tcodes which are not visible in any of the roles? Can we restrict by object, and how?

Thx a lot

Bhushan

Former Member
0 Kudos

Hi Bhushan,

As I am not next to you, I cannot say how the user gets to SU01. But if I were you, I would do the following:

1. Go to table AGR_1251 and list all the roles used and check on the object S_TCODE

2. Check for any presence of ranges

3. If the table result shows SU01, then I am sure you know what to do - if the table shows SU01 in the output but you see that it is not in any of the role menus, then spend some time to understand calling transactions and called transactions (Ex: PFUD internally calls for SU01). You can search the forum for more details.

If you don't find the desired results from the above, try controlling / restricting the authorizations for SU01 for the related objects like: S_USER_AGR, S_USER_GRP, S_USER_SAS...

But I would never remove ALL basis objects (or) ABAP objects from my authorizations based on the object groupings in SAP.

S_DEVELOP is an ABAP object grouped in the BC class, but I wouldn't remove it entirely because my user is a functional consultant; there are ways of controlling the access of the object. As an example, sending customers from R/3 to an external system using the BD* transaction would need authorizations on S_DEVELOP. Doing this is a functional job and S_DEVELOP is an ABAP object.

So try controlling the access on the objects rather than removing the objects from the authorizations.
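
The AGR_1251 check from steps 1 and 2 above can be run offline over a table export. The following is an added example, not code from the thread or from SAP: the CSV layout, the role names and the rows are constructed, a non-empty DELETED column is assumed to mark a deactivated authorization, and intervals are approximated with plain string comparison.

```python
import csv
import io

# Constructed sample of an AGR_1251 export (role names and rows are made up).
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_MM_BUYER,S_TCODE,TCD,ME21N,,
Z_MM_BUYER,S_TCODE,TCD,SM30,,X
Z_SD_CLERK,S_TCODE,TCD,SA*,,
Z_SD_CLERK,S_TCODE,TCD,ST01,SU53,
Z_FI_DISPLAY,S_TCODE,TCD,*,,
Z_FI_DISPLAY,S_DEVELOP,ACTVT,03,,
"""

def value_grants(low, high, tcode):
    """True if one LOW/HIGH authorization value covers the transaction code."""
    low, high, tcode = low.strip().upper(), high.strip().upper(), tcode.upper()
    if high:
        # Interval entry: approximated here with plain string comparison.
        return low <= tcode <= high
    if low.endswith("*"):
        # Pattern entry such as SA* or a bare * (matches everything).
        return tcode.startswith(low[:-1])
    return low == tcode

def roles_granting(export_text, tcode):
    """Return {role: [matching value, ...]} for active S_TCODE entries."""
    hits = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != "S_TCODE" or row["FIELD"] != "TCD":
            continue
        if row["DELETED"].strip():  # assumed: non-empty means deactivated
            continue
        if value_grants(row["LOW"], row["HIGH"], tcode):
            shown = row["LOW"] + ("-" + row["HIGH"] if row["HIGH"] else "")
            hits.setdefault(row["AGR_NAME"], []).append(shown)
    return hits
```

On the constructed data, SU01 is reported for the role holding the ST01-SU53 interval and the role holding `*`, neither of which lists SU01 by name.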

Answers (3)

Former Member
0 Kudos

Hi Shekar,

Thx for indicating the object "S_TCODE"; it was actually granting SU01, SM30 tcodes, hence I created Z roles and deactivated this object from it.

Now, I have 24 Z roles but with BASIS & ABAP objects deactivated.

Thx

Bhushan

jurjen_heeck
Active Contributor
0 Kudos

> Is there any shorter way out?

The shortest way out in SAP security is always to consider what a user does need and build and assign roles from there. Starting with wide access and trying to take away what someone doesn't need hardly ever leads to satisfying results.

Jurjen

By the way, your own roles don't have to begin with a 'Z'. It is neither workbench nor customizing, so you're fairly free to choose a letter. It is advisable to stay away from S* and /*.

Former Member
0 Kudos

Hi,

Your query is not clear. But as per my understanding, you want to restrict ABAP and BASIS object access for a user.

First check what roles are assigned to that user. If any roles are assigned to this user in common with other users, then remove all those from the user you want to restrict. Then create a separate role only for this user, add all required transactions in that role, restrict whatever you want to restrict, and see. Also, check in the profiles tab of the user if any profiles are added.

Thanks & Regards,

Sharath Babu M