08-26-2010 10:58 AM
Dear All,
i want to remove a T-CODE ME22N from one of my user in PRD. i deleted it from my role and i did save and generated the profile. but the user is still able to access that T-CODE ME22N.
I have also checked in roles that he has but i have never seen that t code in these roles.
I have try to resolve these issue using t code SUIM. I have seen that t code ME22N under that user but not in roles.
I want to remove permanently the t code me22n from that user.
Please tell me how can i remove that t code.
Regards
Abhijeet
09-24-2010 10:18 AM
HI ,
You have to maintain all the objects indiviually as * and check again
Siddhesh
08-26-2010 11:01 AM
Hi Abhiraj,
Just check whether the user has access to ME22N via authorization object S_TCODE or through range defined in S_TCODE
(eg: ME* or ME2* etc)
Please check them in the roles assigned to the user
08-27-2010 5:29 AM
Dear Sir,
I agree with you but where to check authorization object S_TCODE and range defined in S_TCODE in user role.
So that i can track this remove from it.
Thanks & regards,
Abhijeet
09-23-2010 4:55 PM
Hi Abhijeet,
You need to check all the roles assigned to that user. Check those roles in PFCG & find for such ranges in authorisation object S_TCODE in those roles
08-26-2010 1:02 PM
Hi Abhijit,
ME21N, ME22N and ME23N will have common authroization objects. only the activity field value will.
So in the roles assigned to this user, check for these authorization objects. And from then take out the change activity i.e., 2.
To know all the relevant authorization objects for ME22N, create a new role and only with this tcode.
Regards,
Siv
08-27-2010 5:33 AM
Hi shiv
How to check authorization object assigned to the user in role?.
I have checked transaction code that is assigned to the user but authorization object are not seen in the role.
Thanks & regards,
Abhiraj
08-27-2010 10:41 AM
Hi,
run su56 for the user and search for object s_tcode. Look in there if there is a connection with your transaction. It is also possible that the transaction is called by an other transaction with no authorization restriction see transaction se97 or table tcdcouples with se16.
have fun
bye
Jan van Roest
08-26-2010 1:49 PM
Hi Abhiraj,
Check in AGR_1251 table for the list of roles which contain ME22n transaction.
Check if the user got some profiles assigned (like SAP_ALL, SAP_NEW) , other than normal profiles which come from roles.
if your issue is reolved, please get back.
Sanketh.
08-27-2010 1:00 AM
If you deleted from your role, how it will take effect on the users access?
Are you deleting in DEV and then transporting the change?
what does the SUIM show for the user in Production?
may be you have manually added transaction for that user
09-14-2010 7:39 AM
1.se16
2.agr_1251
3.Search the roles with S_tcode that contains me21
4.check user assignment for that role
5.Alternatively check if any profiles
09-14-2010 9:10 AM
> 3.Search the roles with S_tcode that contains me21
This is an incomplete and therefor incorrect answer. Searching this table for the exact tcode will not reveal ranges and wildcards.
09-18-2010 10:54 PM
Hi
I used to use the SE16(N) AGR_* tables a lot.
Stop using them and start using SUIM instead - it's faster and reliable just make sure you go to the objects and select S_TCODE and put your entry in there and not in the main searches. Also check that PFUD is running regularly to ensure profile to user matches properly and, as mentioned already, watch out for direct profile assignments.
09-23-2010 5:44 PM
Hi
I've created a single role with ME23N, given it full authorisation in all objects and assigned to a test user, it won't run ME22N if typed into the transaction field directly.
I also tried ME23N, select other document and then go to change mode; same answer - you are not authorised to use ME22N.
The last time I looked at this (over 3 years ago we raised a ticket with SAP - 4.7) at the time I think there was a bug which was eventually fixed that ensured ME23N and create/change couldn't be used together to bypass the authori check.
Does SAP note 751129 help at all?
Before going down that route though have you checked, as already mentioned, for direct profile assignments, reference user assignment, PFUD running regularly, all of the SUIM reports that meet your needs (including object S_TCODE in them?
Have you sat with the user and watched how they access the transaction?
sorry for all of the questions
Kind regards
David
09-24-2010 10:18 AM
HI ,
You have to maintain all the objects indiviually as * and check again
Siddhesh
09-24-2010 11:06 AM
Hi Siddhesh
They already are:
Maint.: 0 Unmaint. org. levels 0 open fields, Status: Unchanged
ZTEST_ME22N delete
Standard Cross-application Authorization Objects AAAB
Standard Transaction Code Check at Transaction Start S_TCODE
Standard Transaction Code Check at Transaction Start T-PD51018800
Transaction Code ME23N TCD
Changed Materials Management: Purchasing MM_E
Changed Document Type in Purchase Order M_BEST_BSA
Changed Document Type in Purchase Order T-PD51018800
Activity * ACTVT
Purchasing Document Type * BSART
Changed Purchasing Group in Purchase Order M_BEST_EKG
Changed Purchasing Group in Purchase Order T-PD51018800
Activity * ACTVT
Purchasing Group * EKGRP
Changed Purchasing Organization in Purchase Order M_BEST_EKO
Changed Purchasing Organization in Purchase Order T-PD51018800
Activity * ACTVT
Purchasing Organization * EKORG
Changed Plant in Purchase Order M_BEST_WRK
Changed Plant in Purchase Order T-PD51018800
Activity * ACTVT
Plant * WERKS
edited - don't woerry about the T-P bit - it's a standalone playpen and not part of a productive environment - edited
Edited by: David Berry on Sep 24, 2010 11:07 AM