Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to map a SAP standard table to a customized Authorization group

Former Member

‎06-07-2010 2:49 PM

0 Kudos

Hello,

While providing access to Tcode CUNI we found that it access authorization group 'SS' , as this authorization object access more than 2000 standard SAP table so we are trying to restrict the access. We found that for Tcode CUNI the table which are getting access are T006, we are now trying to map a customized authorization group to these T006 SAP standard table. SO that these particular table get accessed , not all the tables. But we are unable to do this. Please help in mapping the customized authorization group to SAP standard table.

Thanks in advance!!

Best regards,

Akshat

6 REPLIES 6

Former Member

‎06-07-2010 3:33 PM

0 Kudos

Hi Akshat,

To answer your question -

You can create a new Custom Auth group using txn SE54, (full list of existing authorization groups can be seen in the table TBRG)

The assignment of table views to the corresponding authorization group is maintained in table TDDAT. This can be modified in the view V_DDAT_54 with SM30. A transaction also exists for the same - SM30V_DDAT.

Key points -

- Table group 'SS' is one of the most critical authorization groups and is linked to the Security related tables. The rule I follow is never give access to this group for anyone.

- Standard tables are linked to authorization groups as per the SAP standard customization. Any changes to such existing values must be very carefully thought out and all consequences should be measured before any changes.

Good luck.

Regards,

Sanju

Edited by: Sanju Chacko on Jun 7, 2010 2:34 PM

42
Explorer

‎06-07-2010 3:35 PM

0 Kudos

Hi Akshat,

use tables T006, T006A and T006T. After changing the auth groups of these tables don't forget to change the auth ckeck in tx CUNI too (SE93).

Regards,

Dirk

Former Member
In response to 42

‎06-14-2010 8:04 PM

0 Kudos

A followup question. After changing the auth group, does this then become a change in the system that will pop up with every support pack, upgrade...requiring SPDD maintenance? Or will SAP override the auth group I have assigned? Thanks.

Former Member
In response to 42

‎06-14-2010 9:22 PM

0 Kudos

Does changing the auth group to a custom from standard result in later issues with SPDD? Does it show up as a change to SAP following an upgrade, or does SAP overwrite the value I assigned with SM54? Thanks.

mvoros
Active Contributor
In response to 42

‎06-15-2010 6:46 AM

0 Kudos

Hi,

the assignment of authorization group to table is stored in TDDAT. This table has delivery class G - Customizing table, protected against SAP Upd., only INS all. So if you mantain customer namespace then SAP won't update or delete your records. It will only insert new records. I am not sure but I guess that it won't be displayed in SPDD.

Cheers

42
Explorer
In response to 42

‎06-15-2010 6:51 AM

0 Kudos

Unfortunately, changing the auth group of a standard table is not a DD modification, so you don't get a "reminder" via SPDD. The assignment table <-> auth group does happen within table TDDAT. If the modified standard table would be part of a support package the auth group simply could be overwritten in TDDAT - theoretically. In fact I can't remember that that ever happened. So I'm not sure if SAP really overwrites existing auth groups. If yes, you will notice an auth problem after implementing support packages, so you are able to correct the issue afterwards...