Solved: T code removal

Former Member · ‎08-26-2010

Dear All,

i want to remove a T-CODE ME22N from one of my user in PRD. i deleted it from my role and i did save and generated the profile. but the user is still able to access that T-CODE ME22N.

I have also checked in roles that he has but i have never seen that t code in these roles.

I have try to resolve these issue using t code SUIM. I have seen that t code ME22N under that user but not in roles.

I want to remove permanently the t code me22n from that user.

Please tell me how can i remove that t code.

Regards

Abhijeet

Former Member · ‎09-24-2010

HI ,

You have to maintain all the objects indiviually as * and check again

Siddhesh

Former Member · ‎08-26-2010

Hi Abhiraj,

Just check whether the user has access to ME22N via authorization object S_TCODE or through range defined in S_TCODE

(eg: ME* or ME2* etc)

Please check them in the roles assigned to the user

Former Member · ‎08-27-2010

Dear Sir,

I agree with you but where to check authorization object S_TCODE and range defined in S_TCODE in user role.

So that i can track this remove from it.

Thanks & regards,

Abhijeet

Former Member · ‎09-23-2010

Hi Abhijeet,

You need to check all the roles assigned to that user. Check those roles in PFCG & find for such ranges in authorisation object S_TCODE in those roles

Former Member · ‎08-26-2010

Hi Abhijit,

ME21N, ME22N and ME23N will have common authroization objects. only the activity field value will.

So in the roles assigned to this user, check for these authorization objects. And from then take out the change activity i.e., 2.

To know all the relevant authorization objects for ME22N, create a new role and only with this tcode.

Regards,

Siv

Former Member · ‎08-27-2010

Hi shiv

How to check authorization object assigned to the user in role?.

I have checked transaction code that is assigned to the user but authorization object are not seen in the role.

Thanks & regards,

Abhiraj

Former Member · ‎08-27-2010

Hi,

run su56 for the user and search for object s_tcode. Look in there if there is a connection with your transaction. It is also possible that the transaction is called by an other transaction with no authorization restriction see transaction se97 or table tcdcouples with se16.

have fun

bye

Jan van Roest

Former Member · ‎08-26-2010

Hi Abhiraj,

Check in AGR_1251 table for the list of roles which contain ME22n transaction.

Check if the user got some profiles assigned (like SAP_ALL, SAP_NEW) , other than normal profiles which come from roles.

if your issue is reolved, please get back.

Sanketh.

Former Member · ‎08-27-2010

If you deleted from your role, how it will take effect on the users access?

Are you deleting in DEV and then transporting the change?

what does the SUIM show for the user in Production?

may be you have manually added transaction for that user

Former Member · ‎09-14-2010

1.se16

2.agr_1251

3.Search the roles with S_tcode that contains me21

4.check user assignment for that role

5.Alternatively check if any profiles

jurjen_heeck · ‎09-14-2010

> 3.Search the roles with S_tcode that contains me21

This is an incomplete and therefor incorrect answer. Searching this table for the exact tcode will not reveal ranges and wildcards.

Former Member · ‎09-18-2010

Hi

I used to use the SE16(N) AGR_* tables a lot.

Stop using them and start using SUIM instead - it's faster and reliable just make sure you go to the objects and select S_TCODE and put your entry in there and not in the main searches. Also check that PFUD is running regularly to ensure profile to user matches properly and, as mentioned already, watch out for direct profile assignments.

Former Member · ‎09-23-2010

Hi

I've created a single role with ME23N, given it full authorisation in all objects and assigned to a test user, it won't run ME22N if typed into the transaction field directly.

I also tried ME23N, select other document and then go to change mode; same answer - you are not authorised to use ME22N.

The last time I looked at this (over 3 years ago we raised a ticket with SAP - 4.7) at the time I think there was a bug which was eventually fixed that ensured ME23N and create/change couldn't be used together to bypass the authori check.

Does SAP note 751129 help at all?

Before going down that route though have you checked, as already mentioned, for direct profile assignments, reference user assignment, PFUD running regularly, all of the SUIM reports that meet your needs (including object S_TCODE in them?

Have you sat with the user and watched how they access the transaction?

sorry for all of the questions

Kind regards

David

Former Member · ‎09-24-2010

HI ,

You have to maintain all the objects indiviually as * and check again

Siddhesh

Former Member · ‎09-24-2010

Hi Siddhesh

They already are:

Maint.: 0 Unmaint. org. levels 0 open fields, Status: Unchanged

ZTEST_ME22N delete

Standard Cross-application Authorization Objects AAAB

Standard Transaction Code Check at Transaction Start S_TCODE

Standard Transaction Code Check at Transaction Start T-PD51018800

Transaction Code ME23N TCD

Changed Materials Management: Purchasing MM_E

Changed Document Type in Purchase Order M_BEST_BSA

Changed Document Type in Purchase Order T-PD51018800

Activity * ACTVT

Purchasing Document Type * BSART

Changed Purchasing Group in Purchase Order M_BEST_EKG

Changed Purchasing Group in Purchase Order T-PD51018800

Activity * ACTVT

Purchasing Group * EKGRP

Changed Purchasing Organization in Purchase Order M_BEST_EKO

Changed Purchasing Organization in Purchase Order T-PD51018800

Activity * ACTVT

Purchasing Organization * EKORG

Changed Plant in Purchase Order M_BEST_WRK

Changed Plant in Purchase Order T-PD51018800

Activity * ACTVT

Plant * WERKS

edited - don't woerry about the T-P bit - it's a standalone playpen and not part of a productive environment - edited

Edited by: David Berry on Sep 24, 2010 11:07 AM