
SPRO Access

Former Member
0 Kudos

Hi,

I had a similar situation to the one in the link below:

I have a requirement to assign only SAP Utilities->Intercompany Data Exchange to the user

I did as per Julia, but in my case the user is able to access other nodes in SAP Utilities as well, though nothing outside SAP Utilities (e.g. Enterprise Structure, Real Estate, etc.).

I added only SAP Utilities->Intercompany Data Exchange in the new Project via SPRO_ADMIN and created a role by adding that new Project, but the user is still able to access other nodes present in SAP Utilities (e.g. Device Mgmt, Contract Billing, etc.).

Can anyone tell me why this is happening?

Regards,

Sid

8 REPLIES 8

sdipanjan
Active Contributor
0 Kudos

This is happening because the project contains access to TCode SPRO along with only the node you selected. Make sure that you are building the project and the role without SPRO while using such an option to assign in the role.

Regards,

Dipanjan

Former Member
0 Kudos

Thanks. But then how would the user be able to access IMG?

If we remove SPRO from the role, then the user needs to know/remember all the T Codes related to the node for which the user needs access. The user won't be able to access IMG. This should not be the case.

Former Member
0 Kudos

I tried this with a project I created in SPRO_ADMIN.

The user can access SPRO, that's right. But can he really execute functions other than the allowed ones? The user can see them, that's right, but can he execute them?

Regards,

Julia

Former Member
0 Kudos

Hi Julia,

Yes. He is able to access (execute) sub-nodes other than the sub-node for which I created the Project and the role.

Seeing other nodes is not a problem, but the user should not be able to access (execute) other nodes.

Regards,

Sid

Edited by: Siddhartha Varma on Mar 16, 2010 2:39 PM

sdipanjan
Active Contributor
0 Kudos

> Thanks. But then how would the user be able to access IMG?

> If we remove SPRO from the role, then the user needs to know/remember all the T Codes related to the node for which the user needs access. The user won't be able to access IMG. This should not be the case.

Please check the below link to get more information on SPRO. It is not required to give access to SPRO to give access to some part of the IMG. You need to enhance / customize the IMG while defining the project. Let me know for any confusion.

Regards, Dipanjan

42
Explorer
0 Kudos

Hi Sid,

tx SPRO is definitely necessary - that's not the problem. It is possible to restrict access to project IMGs by using authorization object S_PROJECT. It is NOT possible to restrict access to the reference IMG as long as the user has SPRO. That means that every user with SPRO can SEE other nodes. Which nodes he can execute depends on the individual authorization checks of each node and the individual authorizations within your role. In my opinion the only solution for your problem is, if possible, to restrict the authorization parameters within the role further.

Regards,

Dirk

Former Member
0 Kudos

Hi Dirk,

Seeing the other nodes is not a problem, but the user should not be able to execute them.

When you try to add only the selected path in the Project, it should allow executing that path only (I mean nodes in the path), but it's allowing other sub-nodes to be executed as well.

But what I do not understand is why the system allows other sub-nodes to be executed - logically, it shouldn't!!

Regards

Sid

Former Member
0 Kudos

Check whether prior to using the project views you had granted * for S_PROJECT in some other role of older manual profile, because you were not using it back then.

Cheers,

Julius
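The check Julius suggests, as an added example that is not part of the original thread: a small Python script that scans exported role data for wildcard S_PROJECT values in any role assigned to a user. It assumes CSV exports shaped like the role tables AGR_USERS and AGR_1251; the role names, user names, authorization names and the PROJECT_ID field in the sample rows are constructed for illustration.

```python
import csv
import io

# Constructed sample exports; every row below is invented.
AGR_USERS_CSV = """AGR_NAME,UNAME
Z_IMG_IDE_PROJECT,SID_TEST
Z_OLD_BASIS_DISPLAY,SID_TEST
Z_OTHER,SOMEONE_ELSE
"""

AGR_1251_CSV = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
Z_IMG_IDE_PROJECT,S_PROJECT,T-X100,PROJECT_ID,ZIDE01,,
Z_IMG_IDE_PROJECT,S_TCODE,T-X101,TCD,SPRO,,
Z_OLD_BASIS_DISPLAY,S_PROJECT,T-X200,PROJECT_ID,*,,
Z_OLD_BASIS_DISPLAY,S_PROJECT,T-X201,PROJECT_ID,*,,X
Z_OTHER,S_PROJECT,T-X300,PROJECT_ID,*,,
"""


def wildcard_grants(user, users_csv, auth_csv, obj="S_PROJECT"):
    """Return (role, field, value) for every active wildcard value of
    `obj` found in a role assigned to `user`."""
    roles = {
        row["AGR_NAME"]
        for row in csv.DictReader(io.StringIO(users_csv))
        if row["UNAME"] == user
    }
    hits = []
    for row in csv.DictReader(io.StringIO(auth_csv)):
        if row["AGR_NAME"] not in roles or row["OBJECT"] != obj:
            continue
        if row["DELETED"].strip():
            # Rows flagged as deleted are treated as inactive.
            continue
        value = row["LOW"].strip()
        if "*" in value:
            # Covers both a full '*' and patterns such as 'Z*'.
            hits.append((row["AGR_NAME"], row["FIELD"], value))
    return hits


if __name__ == "__main__":
    for role, field, value in wildcard_grants("SID_TEST", AGR_USERS_CSV, AGR_1251_CSV):
        print(f"{role}: S_PROJECT {field} = {value}")
```

Profiles assigned to the user directly, outside of roles, do not appear in role tables and have to be reviewed separately.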