Running a Trace ST01 will help you to boil down to the exact Authorization Object.

Thanks..

after doing and checking the trace and also result of su53....

I see the object S_RS_ISOUR with activity 23.. is checked with RC=4 ...also S_BTCH_ADM RC=12 andS_ADMI_FCD RC=12

the current role have only actv 03

the funny thing is that although it does not have ACT 23 the new infoObject is inserted into the structure !!

some reason why? why is not displayed the alert "you are not authorized" ?

Thanks

FedeX

Hi,

Since the RC is 4, this means that the authorization check is failed for that authorization object. Did you get anything from the SU53 Log for it?

Thanks,

Manisha

Hi,

yes in SU53 I get information consistent with what I get in the trace.

the funny thing is that one inser in the structure is performed although the auth checky was not succesful.could it be a bug? or should I check another thing?

Thanks

FedeX

Hi

Seems something is not working as it should have been. Appreciate if you can share the Trace results. Also did you do trace through trxn RSECADMIN.

Thanks.

Anjan

Hi,

I'm not sure if RSECADMIN Trace will give out the log here as no query is being executed . Sharing the ST01 Trace file would help.

Regards,

Manisha Nadir

Hi,

here the relevant trace results :

09:44:02:494 AUTH - - - S_BTCH_ADM RC=12 BTCADMIN=Y;

09:44:02:495 AUTH - - - S_ADMI_FCD RC=12 S_ADMI_FCD=ST0R;

09:44:20:530 AUTH - - - S_RS_ISOUR RC=0 RSAPPLNM=YW001S;RSISOURCE=TYW001SPA_CAP;RSISRCOBJ=DEFINITION;ACTVT=03;

09:44:21:147 AUTH - - - S_RS_ISOUR RC=0 RSAPPLNM=YW001S;RSISOURCE=TYW001SPA_CAP;RSISRCOBJ=DEFINITION;ACTVT=03;

09:44:21:265 AUTH - - - S_RS_ISOUR RC=4 RSAPPLNM=YW001S;RSISOURCE=TYW001SPA_CAP;RSISRCOBJ=DEFINITION;ACTVT=23;

09:44:21:265 AUTH - - - S_RS_ISOUR RC=0 RSAPPLNM=YW001S;RSISOURCE=TYW001SPA_CAP;RSISRCOBJ=DEFINITION;ACTVT=03;

Thanks,

FedeX

Hi

here you go with your answer..

Seems the user has the following authrization

S_RS_ISOUR

RSAPPLNM=YW001S

RSISOURCE=TYW001SPA_CAP

RSISRCOBJ=DEFINITION

ACTVT=03

This would mean that you are restricting the access on subobject "DEFINATION", Probabely you would need to add another manual object with the following entries.

S_RS_ISOUR

RSAPPLNM=YW001S

RSISOURCE=TYW001SPA_CAP

RSISRCOBJ=COMMSTRUC

ACTVT=03

The above object will restrict the access based on communication structure.

Note: Please check object documentation through F1 help for details.

Hope your issue gets resolved with this.

Thanks.

Anjan Pandey

Hi ,

You will need the following restriction as per your requirement .

For the Object S_RS_ISOUR :

Give the Activity Field Value 23 for every Infosource Object ( RSISRCOBJ) except COMMSTRUC and DEFINITION. This should solve the issue . You can have 2 instances of the object S_RS_ISOUR Object in your role. Something like this:

S_RS_ISOUR:

03

*

*

COMMSTRUC,DEFINITION

S_RS_ISOUR:

23

*

*

DATA,INFOPACKAG,METADAT,TRANSFFRULE

Hope it helps.

Regards,

Manisha Nadir

Hi Thanks for the feedback,

That is exactly the "funny" thing... I am not using Activity 23... anyway the user is able to add a record in the communication structure.... user comparison for the role was also done .

I do not know which object or value I should restrict... activity used is only 03

Thanks

FedeX

Hi,

I too have traced it and found that activity 23 is needed on " DEFINITION" to change the communication structure of an infosource . Can you please trace it again now that the role comparison has also been done and see if you get anything new ?

You can just restrict the display of the communication structure altogether by giving activity 03 for every subobject except definition in S_RS_ISOUR

Regards,

Manisha Nadir

Hi,

this is what I have... I use only ACTV 03 and 49

5 Maintained Data Warehousing Workbench - InfoSource (Flexible Update) S_RS_ISOUR

5 Maintained Administrator Workbench - InfoSource (Flexible Update) <role>

Activity 03, 49 ACTVT

Application Component * RSAPPLNM

InfoSource * RSISOURCE

InfoSource Subobject COMMSTRUC, DATA, DEFINITION, INFOPACKAG, METADATA, TRNSFRRULE RSISRCOBJ

The trace says the user is not allow when he is trying to add a new inforobject... but for my surprise the field is inserted...save buttons are now available...and trying to go back ask for transport request to attach the change at this stage I abort the test because I asume the change is going to be saved.

Regards

FedeX

Hi,

I have checked and without activity 23 , user is not able to change the communication structure in my system. I think you should check to find out SAP Notes on it because I think its getting some hidden authorization with activity 03 itself .

If not, you may want to restrict the whole display of communication structure itself by giving 03 for everything except for DEFINITION. This way user won't be able to change or diaplay the communication structure.

Lemme know how you resolve it finally.

Regards,

Manisha