03-12-2010 12:18 PM
Hi,
I had similar situation as in the below link:
I have a requirement to assign only SAP Utilities->Intercompany Data Exchange to the user
I did as per Julia, but in my case, the user is able to access other nodes in SAP Utilities also, but not other than SAP Utilities(eg:Enterprise Structure, Real Estate etc)
I added only SAP Utilities->Intercompany Data Exchange in the new Project via SPRO_ADMIN & created role by adding that new Project, but still the user is able to access other nodes present in SAP Utilities (eg: Device Mgmt, Contract Billing etc)
Can anyone tell me, why this is happening?
Regards,
Sid
03-14-2010 9:52 AM
03-15-2010 9:18 AM
Thanks. But then how would the user be able to access IMG?
If we remove SPRO from the role, then the user need to know/remember all the T Codes related to the node for which the user needs access. The user wont be able to access IMG. This should not be the case
03-16-2010 7:40 AM
03-16-2010 1:39 PM
Hi Julia,
Yes. He is able to access(execute) other sub-nodes other than the sub-node for which I created the Project & created the role
Seeing other nodes is not a problem, but the user should not be able to access(execute) other nodes
Regards,
Sid
Edited by: Siddhartha Varma on Mar 16, 2010 2:39 PM
03-16-2010 8:51 PM
>
> Thanks. But then how would the user be able to access IMG?
> If we remove SPRO from the role, then the user need to know/remember all the T Codes related to the node for which the user needs access. The user wont be able to access IMG. This should not be the case
please check the below link to get more information on SPRO. It is not required to give access to SPRO to give access to some part of the IMG. You need to enhance / customize the IMG while defining the project. Let me know for any confusion.
Regards, Dipanjan
03-16-2010 8:06 AM
Hi Sid,
tx SPRO is definitely necessary - that's not the problem. It is possible to restrict access to project IMGs by using authorization object S_PROJECT. It is NOT possible to restrict access to the refernce IMG as long as the user has the SPRO. That means that every user mith SPRO can SEE other nodes. Which nodes he can execute depends on the individual authorization checks of each node and the individual authorizations within your role. In my opinion the only solution for your problem is, if possible, to more restrict the autorization parameters within the role.
Regards,
Dirk
03-16-2010 1:46 PM
Hi Dirk,
Seeing the other nodes is not a problem, but the user should not be able to execute them.
When you try to add the only selected path in the Project, it should only allow to execute that path only (I mean nodes in the path), but its allowing to execute other sub-nodes also
But what I do not understand is that why the system allows to execute other sub-nodes- logically, it shoudn't!!
Regards
Sid
03-16-2010 10:04 PM