giving user access to display SAP table without using standard SE16
Hi - We have serious security concern in this client and they want to find an alternate way to allow users diaplay access to tables relating to financials - specially BSEG , BKPF , COEP , etc.
Is there a way.
We are cnonsidering developing a new object like S_TABU_DIS and use the list of tables maintained in another table.
Is there a easier way to do this?
Thanks for your help
> I want to thank each of you who gave meaningful input.
There is a better way of saying thanks... Please check the line in your email starting like "REMINDER:.... "
> The key point is we want to be able to restrict acees to data - the users I am looking help for need to be able to view only Finacial data - across the system ( they are the worldwide owner for finance data ) - but they should not be able to view logistics information.
This is for why the Table level security (Objects S_TABU_DIS, S_TABU_NAM, S_TABU_LIN, S_TABU_CLI) has been introduced. Any transaction needs any of these Objects will need proper value for the Table Authorization group in which the Tables are aligned. But for some groups you may get some other (or better say Extra) tables assigned to it and thus with the access to those groups, users will get access to those extra tables as well.
> Harimander / Supreet
> creating Z transaction for each table would be a lor of work.
> Raghu - you menationed about the S_TABU_LIN which will restrict by org unit. This is good - but not able to control all Fi.
> I could not see S_TABU_NAM - will this help in my goal. How to get it in the system - we are no ECC 6.0.
> At this time we were contemplating using list of tables to control the access. The only problem is this will need maintenance.
> I belive we can create the object to include the table.
Before I go for the suggestion you may need / want to get a details of the meaning of the Authorization Objects controlling the Table level security in the [SAP Note 1434284 - FAQ Authorization concept for generic table access|https://websmp230.sap-ag.de/sap%28bD1lbiZjPTAwMQ==%29/bc/bsp/spn/sapnotes/index2.htm?numm=1434284].
Also check the mentioned Notes within this note.
> Any suggestion to minimise the work? or with this background any more input.
Perhaps the idea beside which you are wandering is not Custom TCode or Custom Authorization Objects. It should be Custom Table Authorization Group. This is the case where SE54 is going to help you to create some authorization groups and then assign the tables in those respective groups and then assign these Groups to the respective group of users in the Authorization Objects checked. But make sure to remove the standard value proposals (here your objects will turn into "Changed" status which used to create issue during later time).
A better way to create those custom Table Authorization Groups are to align them with User Groups (like FI_TAB for FI users, PM_TAB for Plant Maintenance users etc.)
> I could use SQVI - query viewer - does it have any control on tables?
No. It is a different idea to use SQVI.