Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

OMJX authorization in production

Former Member

‎11-11-2010 2:34 PM

0 Kudos

Hi Guys,

Some user asked me to provide display access of tcode OMJX. We have given them access to all the tcodes with OM*, however he could not display OMJX.Su53 screen shot shows it requires authorization of object S_FIELDSEL and activity 03.

Can anyone tell me if I can suggest user to check some other tcode ?

Do you know what S_FIELDSEL object do?Plz dont refer me any documentation for this object.Let me know if you have used it practically.

At the end ,can you tell me the way to give him display access in production?

4 REPLIES 4

Former Member

‎11-11-2010 3:02 PM

0 Kudos

Hi,

OMJX tcode is to add custom fields. The authorization object S_FIELDSEL is required for the same. May be the SU53 is initially looking for activity 03, but later you may need to have the other activities, i.e., 01 and 02 also.

Please enable ST01 trace in the Development system to identify the exact activities that are required for this field. However, make sure you are restricting this access to limited roles/users.

Hope this helps!!

Regards,

Raghu

Former Member
In response to Former Member

‎11-16-2010 2:27 PM

0 Kudos

Hi,

Thanks for quick response.

I checked the object required is S_FIELDSEL RC=12 ACTVT=03;P_GROUP= ;

However,my concern is,why SAP is not leting user in to the tcode OMJX if he has access to OM* in S_tcode.

Is that tcode directly hitting the object S_FIELDSEL at very first step?

What should be the precautions taken to give this objects?Does anyone know its impact?

Former Member
In response to Former Member

‎11-16-2010 2:32 PM

0 Kudos

Hi,

There are lot of tcodes where the required authorization objects are not tagged. Giving OM* might not get the access. You may check the table TDDAT to know the basic minimum required auth object/fields/values/activities before you add any tcode.

Further, you need to enable trace to identify any missing authorizations. Regarding S_FIELDSEL with OMJX, limit the authorization to few users.

Hope this helps!!

Regards,

Raghu

Former Member

‎11-11-2010 3:36 PM

0 Kudos

Hi,

There is always a thumb rule as security is concern that you should maintain the way it setup the security matrix is the only way to such kind of issues if you have setup this earlier properly then this situation a panic one to decide where or what to give authorization in which role ? First you make sure that changes of object will not be included in Display Only role if you are aware about the business impact/function for this you can build up one separate role which only include display authorization for the all respective object included in that tcode.

Just make this as standard practice and after some time you w'll able to decide with the help of bunch of excel sheet containing all the roles (display / change / critical ) based on job function for the user and where to put change / display or any other critical auth_object.

Regards;