Solved: Help restricting parameter changes to user master ...

Former Member · ‎06-18-2010

Dear Gurus,

I am looking for a possible method to allow users to change certain parameters in their user master record. I am aware of the t-code SU3, in which the user is allowed to maintain his/her own data. However, this t-code allows access to not only the Parameters tab, but also to Address and Defaults as well. Furthermore (as mentioned above), I am looking to only allow users to change certain parameters.

If this functionality is not delivered in SAP, is there any possibility in programming some sort of modification/add-on?

Thanks!

Former Member · ‎06-18-2010

Hi

Since these are the technical details for the Paramid

USPARAM

Struct.

PARID

MEMORYID

This is a table structure and the field name PARID is not a security enabled field name

the best option will be to create and customize "ZUSPARAM" program

You will need developers help to achieve this.

Edited by: Franklin Jayasim on Jun 18, 2010 9:53 PM

Former Member · ‎06-18-2010

Hi

Since these are the technical details for the Paramid

USPARAM

Struct.

PARID

MEMORYID

This is a table structure and the field name PARID is not a security enabled field name

the best option will be to create and customize "ZUSPARAM" program

You will need developers help to achieve this.

Edited by: Franklin Jayasim on Jun 18, 2010 9:53 PM

Former Member · ‎06-18-2010

Franklin, I am not sure I fully understand the response. What is meant by the "Pyramid"? Is it that you are are listing a table with some fields? Also, I agree that developer support may be required to program a custom program/report for this. The program you listed (ZUSPARAM) is probably custom to your system - did your developer use any program for reference when creating ZUSPARAM?

Former Member · ‎06-22-2010

Hi Benjamin Seto,

Sorry I just saw your message , what I wanted to explain was that the PARAMID ( the place where the user will be allowed to make his entry) does not have an authority check the best way was to create a custom program to achieve your need.

Yes the Z program is specific to the system and business requirement.

Custom program will be the solution was my recommendation.

Former Member · ‎06-18-2010

Ben,

You can also use SU50 (default) and SU51 (address).

SU0 and SU1 instead of SU3 so they can still maintain defaults and address data.

or

You can try with User exit

Note: we dont give access to users to change there parameters. Any changes to parameter will go thru security team.

Thanks,

Sri

Former Member · ‎06-18-2010

sri, thanks for your response. The t-codes you listed (SU50, SU51, SU0, and SU1) are great but they do the opposite of what I am looking for. I am looking to allow users to change only certain line items in the Parameters tab (those t-codes listed exclude the Parameters tab). I do agree a User Exit may be needed. Would you have any pointers as to where I can begin looking into what is required for such a User Exit? As I am not a developer, my knowledge in that area is quit lacking.

martin_voros · ‎06-19-2010

Hi,

I doubt that you will find a suitable user exit. There are not that many user exits for user management. One way how you can try to avoid this limitation is to use enhancement framework. You need somebody with decent ABAP skills. I would prefer to go with custom transaction which will perform additional checks. API for user management is very well [documented|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/668e6629-0701-0010-7ca0-994cb7dec5a3].

Cheers

Former Member · ‎06-19-2010

Hi Ben,

I agree with martin,we might not find suitable user exit. Best option is go with customer authorization object.

or

In Su3 the address tab / default tab global fields should be grey out(i.e changes should only happen from SU01),but the user should able to change the parameter. thru su3 (you talk with the ABPER whether this type of configuration is possible or not).

or

Remove the SU3 from all the users, any changes to parameter need to go thru security team.

Thanks,

Sri

Former Member · ‎06-20-2010

You are or have been using PIDs for the wrong purpose.

You can give the user the option to SET a parameter in the respective transactions which GET it or as a workaround create your own utility to maintain a subset of them only, but you should try to get away from this concept.

If you want to use UI visibility as a security layer, then use "Personalization keys" which an admin can assign to users or to groups of them via roles.

Cheers,

Julius

Former Member · ‎06-21-2010

@Martin Voros: Thanks very much for the link to the user management API reference. I guess getting an ABAPer to create a custom transaction is probably one of the approaches I can use.

@Julius Bussche: So if I understand correctly, do you mean that providing users with the ability to set certain parameters within certain transaction codes is a better alternative than allowing them to directly edit these within their user master record?

Former Member · ‎06-21-2010

What I meant is that it is an existing alternative, even if you prevent them from setting the parameters directly via SU3 or a user BAPI.

PIDs are user preferences - they can change their minds so should not be used for real security which is to be enforced by the system.

Cheers,

Julius

Former Member · ‎06-21-2010

Thanks Julius, I am clear on what you mentioned now.

Help restricting parameter changes to user master record