05-13-2010 11:45 AM
Hi There,
I would like to restrict some users so that they are not able to add new InfoObjects in the communication structure.
Which InfoObject(s) & values do I have to use to restrict this?
Thanks in advance,
FedeX
05-13-2010 12:26 PM
Hi Fedex
You would probably need to run a trace through transaction ST01 and RSECADMIN to figure out the exact object which will restrict the access for adding new InfoObjects in the communication structure.
Probably object S_RS_ISOUR should restrict the access.
Thanks.
Anjan
Edited by: anjanpandey on May 13, 2010 1:32 PM
05-13-2010 1:41 PM
Running a Trace ST01 will help you to boil down to the exact Authorization Object.
05-13-2010 3:13 PM
Thanks.
After running and checking the trace and also the result of SU53...
I see the object S_RS_ISOUR with activity 23 is checked with RC=4... also S_BTCH_ADM RC=12 and S_ADMI_FCD RC=12.
The current role has only actv 03.
The funny thing is that although it does not have ACT 23 the new InfoObject is inserted into the structure!!
Any reason why? Why is the alert "you are not authorized" not displayed?
Thanks
FedeX
05-13-2010 3:20 PM
Hi,
Since the RC is 4, this means that the authorization check failed for that authorization object. Did you get anything from the SU53 log for it?
Thanks,
Manisha
05-13-2010 4:17 PM
Hi,
Yes, in SU53 I get information consistent with what I get in the trace.
The funny thing is that an insert in the structure is performed although the auth check was not successful. Could it be a bug? Or should I check another thing?
Thanks
FedeX
05-14-2010 7:54 AM
Hi
Seems something is not working as it should. I would appreciate it if you could share the trace results. Also, did you do a trace through trxn RSECADMIN?
Thanks.
Anjan
05-14-2010 8:28 AM
Hi,
I'm not sure if the RSECADMIN trace will give out the log here, as no query is being executed. Sharing the ST01 trace file would help.
Regards,
Manisha Nadir
05-14-2010 8:48 AM
Hi,
here the relevant trace results :
09:44:02:494 AUTH - - - S_BTCH_ADM RC=12 BTCADMIN=Y;
09:44:02:495 AUTH - - - S_ADMI_FCD RC=12 S_ADMI_FCD=ST0R;
09:44:20:530 AUTH - - - S_RS_ISOUR RC=0 RSAPPLNM=YW001S;RSISOURCE=TYW001SPA_CAP;RSISRCOBJ=DEFINITION;ACTVT=03;
09:44:21:147 AUTH - - - S_RS_ISOUR RC=0 RSAPPLNM=YW001S;RSISOURCE=TYW001SPA_CAP;RSISRCOBJ=DEFINITION;ACTVT=03;
09:44:21:265 AUTH - - - S_RS_ISOUR RC=4 RSAPPLNM=YW001S;RSISOURCE=TYW001SPA_CAP;RSISRCOBJ=DEFINITION;ACTVT=23;
09:44:21:265 AUTH - - - S_RS_ISOUR RC=0 RSAPPLNM=YW001S;RSISOURCE=TYW001SPA_CAP;RSISRCOBJ=DEFINITION;ACTVT=03;
Thanks,
FedeX
05-14-2010 9:24 AM
Hi
Here you go with your answer.
Seems the user has the following authorization:
S_RS_ISOUR
RSAPPLNM=YW001S
RSISOURCE=TYW001SPA_CAP
RSISRCOBJ=DEFINITION
ACTVT=03
This would mean that you are restricting the access on subobject "DEFINITION". Probably you would need to add another manual object with the following entries.
S_RS_ISOUR
RSAPPLNM=YW001S
RSISOURCE=TYW001SPA_CAP
RSISRCOBJ=COMMSTRUC
ACTVT=03
The above object will restrict the access based on communication structure.
Note: Please check object documentation through F1 help for details.
Hope your issue gets resolved with this.
Thanks.
Anjan Pandey
05-14-2010 12:10 PM
Hi,
You will need the following restriction as per your requirement.
For the object S_RS_ISOUR:
Give the Activity field value 23 for every InfoSource object (RSISRCOBJ) except COMMSTRUC and DEFINITION. This should solve the issue. You can have 2 instances of the object S_RS_ISOUR in your role. Something like this:
S_RS_ISOUR:
03
*
*
COMMSTRUC,DEFINITION
S_RS_ISOUR:
23
*
*
DATA,INFOPACKAG,METADATA,TRNSFRRULE
Hope it helps.
Regards,
Manisha Nadir
05-17-2010 4:21 PM
Hi, thanks for the feedback.
That is exactly the "funny" thing... I am not using Activity 23... anyway the user is able to add a record in the communication structure... user comparison for the role was also done.
I do not know which object or value I should restrict... the only activity used is 03.
Thanks
FedeX
05-19-2010 12:46 PM
Hi,
I too have traced it and found that activity 23 is needed on "DEFINITION" to change the communication structure of an InfoSource. Can you please trace it again now that the role comparison has also been done and see if you get anything new?
You can just restrict the display of the communication structure altogether by giving activity 03 for every subobject except DEFINITION in S_RS_ISOUR.
Regards,
Manisha Nadir
05-20-2010 4:43 PM
Hi,
This is what I have... I use only ACTV 03 and 49.
5 Maintained Data Warehousing Workbench - InfoSource (Flexible Update) S_RS_ISOUR
5 Maintained Administrator Workbench - InfoSource (Flexible Update) <role>
Activity 03, 49 ACTVT
Application Component * RSAPPLNM
InfoSource * RSISOURCE
InfoSource Subobject COMMSTRUC, DATA, DEFINITION, INFOPACKAG, METADATA, TRNSFRRULE RSISRCOBJ
The trace says the user is not allowed when he is trying to add a new InfoObject... but to my surprise the field is inserted... save buttons are now available... and trying to go back asks for a transport request to attach the change. At this stage I abort the test because I assume the change is going to be saved.
Regards
FedeX
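The ST01 trace posted earlier in the thread, checked against the role values in the post above (an added example, not written by any participant in the thread). It assumes the usual AUTHORITY-CHECK return codes (0 passed, 4 object held but values not covered, 12 object not held) and models role matching in a simplified way (exact values and `*` only); all function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# ST01 authorization trace lines copied from the earlier post in this thread.
_ISOUR = "RSAPPLNM=YW001S;RSISOURCE=TYW001SPA_CAP;RSISRCOBJ=DEFINITION;ACTVT="
TRACE = f"""\
09:44:02:494 AUTH - - - S_BTCH_ADM RC=12 BTCADMIN=Y;
09:44:02:495 AUTH - - - S_ADMI_FCD RC=12 S_ADMI_FCD=ST0R;
09:44:20:530 AUTH - - - S_RS_ISOUR RC=0 {_ISOUR}03;
09:44:21:147 AUTH - - - S_RS_ISOUR RC=0 {_ISOUR}03;
09:44:21:265 AUTH - - - S_RS_ISOUR RC=4 {_ISOUR}23;
09:44:21:265 AUTH - - - S_RS_ISOUR RC=0 {_ISOUR}03;
"""

# Role values as posted above (ACTVT 03 and 49 only).
ROLE = {"S_RS_ISOUR": [{
    "ACTVT": ["03", "49"], "RSAPPLNM": ["*"], "RSISOURCE": ["*"],
    "RSISRCOBJ": ["COMMSTRUC", "DATA", "DEFINITION", "INFOPACKAG",
                  "METADATA", "TRNSFRRULE"],
}]}

LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d:\d{3})\s+AUTH\b.*?\s([A-Z][A-Z0-9_]+)\s+RC=(\d+)\s+(.*)$")

def parse_trace(text):
    """Return one dict per AUTH line: time, object, rc, checked field values."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an authorization-check line
        fields = dict(p.split("=", 1) for p in m.group(4).split(";") if "=" in p)
        records.append({"time": m.group(1), "object": m.group(2),
                        "rc": int(m.group(3)), "fields": fields})
    return records

def failed_checks(records):
    """Checks the trace reports as failed (any non-zero return code)."""
    return [r for r in records if r["rc"] != 0]

def role_allows(role, obj, checked):
    """Simplified model: one authorization must cover every checked field."""
    return any(all(any(fnmatchcase(val, pat) for pat in auth.get(field, []))
                   for field, val in checked.items())
               for auth in role.get(obj, []))

def disagreements(records, role):
    """Trace lines whose outcome differs from what the role model predicts."""
    return [r for r in records
            if (r["rc"] == 0) != role_allows(role, r["object"], r["fields"])]
```

An empty result from `disagreements(parse_trace(TRACE), ROLE)` means the trace and the role agree that ACTVT 23 on DEFINITION is not granted, so the role values alone do not account for the insert the user still sees.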
05-21-2010 4:39 AM
Hi FedeX
Did you check whether this is the only role which is providing access for object S_RS_ISOUR to the user?
Thanks.
Anjan
05-24-2010 3:49 PM
Hi,
I have checked, and without activity 23 the user is not able to change the communication structure in my system. I think you should check for SAP Notes on it, because I think it's getting some hidden authorization with activity 03 itself.
If not, you may want to restrict the whole display of the communication structure itself by giving 03 for everything except for DEFINITION. This way the user won't be able to change or display the communication structure.
Lemme know how you resolve it finally.
Regards,
Manisha