07-12-2010 8:36 PM
Hi All,
I have to restrict the tcodes SWDD and SWB_COND to display only.
But I am unable to restrict the tcodes SWDD and SWB_COND to display only. When I try to test with the user it shows create, change, delete options as well. I checked that almost all the auth objects have been restricted to display only but the tcodes are not behaving per restriction.
Please advise.
Regard's
07-12-2010 9:54 PM
Hi Franklin,
I have only these auth objects in the role.
S_DATASET -> 33, A6
S_TABU_DIS -> 03
S_PROGRAM->VARIANT
S_WF_WI -> *
I tried with a test role and tested the tcodes with above auths. but still I am able to change, create, display.
I also tried by trial of deactivating each auth object and tested the tcodes. but no luck.
Is it a program inconsistancy error with these tcodes from SAP ?
07-12-2010 9:25 PM
07-12-2010 9:40 PM
User transaction SU24 and check on the following objects
PLOG
S_ADMI_FCD
S_ALV_LAYO
S_BDS_DS
S_CTS_ADMI
S_DATASET
S_DEVELOP
S_DOKU_AUT
S_GUI
S_OC_DOC
S_OC_ROLE
S_OC_SEND
S_PACKSTRU
S_PRO_AUTH
S_PROGRAM
S_RFC
S_SPO_DEV
S_TABU_CLI
S_TABU_DIS
S_TCODE
S_TRANSLAT
S_TRANSPRT
S_USER_AGR
S_USER_GRP
S_WF_WI
Make sure to check on S_dataset activity ( Read and Read with filter )
if your S_tabu_dis is enabled make sure to have authorization group defined and set table access to 03( Display )
check on S_oc_send also.
Make sure to protect all basis objects and developers objects like S_develop and S_program
Hope this helps.
07-12-2010 9:54 PM
Hi Franklin,
I have only these auth objects in the role.
S_DATASET -> 33, A6
S_TABU_DIS -> 03
S_PROGRAM->VARIANT
S_WF_WI -> *
I tried with a test role and tested the tcodes with above auths. but still I am able to change, create, display.
I also tried by trial of deactivating each auth object and tested the tcodes. but no luck.
Is it a program inconsistancy error with these tcodes from SAP ?
07-12-2010 10:26 PM
Hi Can you paste all the tcodes/roles this test user has ?
also make sure to delete SAP_ALL and SAP_NEW from his profile.
In the meanwhile I will test it out on my Sandbox, and update a response
Hi Try this,
S_TABU_DIS -> 03
S_PROGRAM->VARIANT
S_WF_WI -> *
disable all three objects above and let me know what happens, check the user profile that he has only the test role and nothing else, put trace on and enable each object one at a time based on RC=04 to reach a point where you are able to succeed.
When I created the role, by default SAP has enabled only "s_dataset " object only.
Oki here is what I found after testing:
The buttons you are seeing Create/Change/Display do not have any authority object or authority field connected to them,
your goals can be achieved only through customization/Development activity.
Edited by: Franklin Jayasim on Jul 12, 2010 11:43 PM
07-13-2010 12:16 AM
07-13-2010 12:26 AM
Hi,
check if you don't need to apply note 982789. [Here|http://help.sap.com/saphelp_40b/helpdata/ru/8d/25fa06454311d189430000e829fbbd/content.htm] you can see a list of authorization objects related to workflow. You can also use standard approach of using ST01 to figure out what authorization checks are performed.
Cheers
07-13-2010 8:14 AM
Hi,
These transactions are not for display (Maintian)
SWDD - Workflow Builder
SWB_COND - Maintain Start Conditions
Regards,
Shrinivasan. KV
07-13-2010 9:34 AM
Salman,
I agree with shrinivasan. You can give a display access to task by using the tcode: PFTC_DIS.
Thanks,
Sri
07-13-2010 10:49 AM