- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- XK03 can be restricted by account group in order t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
XK03 can be restricted by account group in order to prevent general users
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-30-2010 10:53 AM
Hello Gurus,
Please advise, if XK03 can be restricted by account group in order to prevent general user population from displaying employee data ?
I understand that XK03 has auth object F_LFA1_GRP for account group in which I restricted with 03 and particular account groups but still the test is failing because the test user is able to view employee data.
Please suggest..
Regard's
Salman
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-30-2010 11:21 AM
Hi,
F_LFA1_GRP is the correct method. You need to assign an auth group to the employee vendors and then ensure that your users do not have authorisation to that particular auth group in any of the auths assigned to the user.
When you run a trace accessing an employee vendor, you should see a check performed on F_LFA1_GRP. If you don't then check that the auth group is assigned to that vendor and that the check for XK03 has not been deactivated via SU24.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-30-2010 11:21 AM
Hi,
F_LFA1_GRP is the correct method. You need to assign an auth group to the employee vendors and then ensure that your users do not have authorisation to that particular auth group in any of the auths assigned to the user.
When you run a trace accessing an employee vendor, you should see a check performed on F_LFA1_GRP. If you don't then check that the auth group is assigned to that vendor and that the check for XK03 has not been deactivated via SU24.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-30-2010 11:43 AM
Hi Alex,
Thank you !
By your last update, do you mean auth group or account group? If you are talking about auth group then this auth object F_LFA1_BEK (XK03) has auth group.
I checked the F_LFA1_GRP is active in SU24. Is there something which i need to look in F_LFA1_BEK for particular auth group after restricting the auth object F_LFA1_GRP with account group ?
Thank you for your valuable suggestions
Regard's
Salman
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-30-2010 1:01 PM
Sorry Salman, you are correct. I didn't post the correct response previously as I was doing 2 different things. Apologies.
You do need F_LFA1_BEK + F_LFA1_GRP for this restriction to work properly. The auth group is the most important one & that is the one that will only appear in the trace if it has been maintained against the vendor.
- SAP Managed Tags:
- Security
