
A particular user is not allowed to have VD01

Former Member
0 Kudos

Sir,

I have created a role having VD01 and also some other authorizations. The role is assigned to some users. I am asked by my manager to keep a provision that a particular user will not be allowed to access VD01.

Sir, I am helpless to solve it. Please tell me how can I do it?

1 ACCEPTED SOLUTION

Former Member
0 Kudos

If you have a t-code in one role, this role is assigned to many users, and you want to just remove the va01 tcode for a user, you need to copy the existing role to a new one, remove va01 from the new role, and assign the new role to the user.

0 Kudos

Sir,

I know these basic PFCG configurations. But my question was if there is any process to disallow that particular user from that particular Tcode only. By copying the role it is possible.

And sir is there any Tcode through which I can view the users who are assigned to a particular tcode and also remove my needed user from that group or lock that user from that tcode only??

0 Kudos

Hi Souvik,

> I know these basic PFCG configurations. But my question was if there is any process to disallow that particular user from that particular Tcode only. By copying the role it is possible.

You have to create a separate role and remove the tcode. It is not possible to eliminate/restrict a tcode access for one user.

> And sir is there any Tcode through which I can view the users who are assigned to a particular tcode and also remove my needed user from that group or lock that user from that tcode only??

Use SUIM -> Transaction code executable by user -> or SUIM -> User by complex selection criteria -> enter tcode to list out the users by transaction.

It is not possible to lock a transaction for 1 particular user or group and the only option is to create a separate role by not including that transaction code.

Hope this clarifies.

Best Regards,

Raghu

Edited by: Raghu Boddu on Dec 7, 2010 2:41 PM

0 Kudos

Why don't you wait for the next release, where this kind of mechanism might get introduced? I also thought many times like that. There should be a table with 2 columns only: User and Tcode. Simply add and remove. I get bored with this role, profile concept.

0 Kudos

Sir,

The 1st option is good... but still from there I can't find any option to delete the Tcode.

And for the option... SUIM -> User by complex selection criteria -> enter tcode... I can't handle this one. It will be very helpful if you can guide me to use this option. I can't understand what the variant is telling.

0 Kudos

Hi Souvik,

> but still from there I can't find any option to delete the Tcode

In case your role is a derived role (linked to a Master role), you won't be able to delete anything from the role menu unless the relationship with the master role is removed. You can verify that from the table AGR_DEFINE or the Description tab in PFCG; look for the Transaction Inheritance area.

If it's not derived, I assume you know very well how to delete tcodes in PFCG.

> And for the option... SUIM -> User by complex selection criteria -> enter tcode... I can't handle this one. It will be very helpful if u can guide me to use this option. I can't understand what the variant is telling

Please refer [;

Hope this clarifies!

Sandipan

0 Kudos

Arpan,

I think we both went through the same thought process of having User to tcode relationship at a single place. That would be too helpful if SAP introduces it someday. I tried SQVI to join tables AGR_USERS and AGR_1251 once to get this relationship, the results were amazing... try it sometime.

Cheers!

Sandipan

0 Kudos

@ Sandipan - Ohh.. it was really amazing..

@ Sandip Nandi - Well I thought you should try to learn that the idea you are thinking is not possible in SAP as of now and maybe it will never be. You just can't remove a transaction from a user directly, as they are not assigned to the user directly!!!

As they have been assigned via role, in order to remove them you also need to remove it from the role, or the other way, remove the user from the role itself.

As per other transaction, create a new role and assign it to the user.

I have also seen the idea for user exit and that is also possible, but I do not feel very good to disturb SAP standard. Anyway the object name was cool.

Regards,

Arpan

arpan_paik
Active Contributor
0 Kudos

Seems you need to go through some basic training....

Former Member
0 Kudos

While I agree that this is a fairly basic question, it is something the business users often do not grasp. Explain the following:

We cannot deny authorisations in the standard model. Authorisations are added to the user's buffer, which acts as a large "bucket" of authorisations; programs and transactions then look in the bucket to see if the user is authorised.

Therefore to exclude a specific authorisation from one user, you need to ensure it is not available in the buffer, which results in the role copy procedure already mentioned.

Hopefully if you explain the concept to the managers clearly, they will be able to understand the impacts of these requests.

Hope this helps,

Tom.
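
Added example (not part of any post in this thread): a Python sketch of the AGR_USERS / AGR_1251 join Sandipan mentions and the additive "bucket" Tom describes, showing why moving a user to a reduced role copy is not enough while another of their roles still grants VD01. The table rows, role names and user names are constructed, and the value matching (exact, trailing `*`, LOW..HIGH range) is a simplification that ignores directly assigned profiles and assignment validity dates.

```python
# Constructed rows shaped like two SAP tables (role/user names are made up):
# AGR_1251 = authorization values per role, AGR_USERS = role-to-user assignment.
AGR_1251 = [  # (AGR_NAME, OBJECT, FIELD, LOW, HIGH)
    ("Z_SALES_MASTER",  "S_TCODE", "TCD", "VD01", ""),
    ("Z_SALES_MASTER",  "S_TCODE", "TCD", "VD02", "VD03"),
    ("Z_SALES_NO_VD01", "S_TCODE", "TCD", "VD02", "VD03"),  # copy without VD01
    ("Z_LEGACY_WIDE",   "S_TCODE", "TCD", "VD0*", ""),      # generic value
]
AGR_USERS = [  # (AGR_NAME, UNAME)
    ("Z_SALES_MASTER", "ALICE"),
    ("Z_SALES_MASTER", "BOB"),
    ("Z_LEGACY_WIDE",  "BOB"),
]

def value_covers(low, high, tcode):
    """Simplified match of one value row: LOW..HIGH range, trailing '*', or exact."""
    if high:
        return low <= tcode <= high
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return low == tcode

def roles_granting(tcode, agr_1251):
    """Roles whose S_TCODE/TCD values put the transaction into the 'bucket'."""
    return {role for role, obj, field, low, high in agr_1251
            if obj == "S_TCODE" and field == "TCD" and value_covers(low, high, tcode)}

def users_with_tcode(tcode, agr_1251, agr_users):
    """Join AGR_USERS to AGR_1251 on AGR_NAME: user -> roles that grant tcode."""
    granting = roles_granting(tcode, agr_1251)
    result = {}
    for role, user in agr_users:
        if role in granting:
            result.setdefault(user, set()).add(role)
    return result

def reassign(agr_users, user, old_role, new_role):
    """Role-copy remedy: move one user from the original role to the reduced copy."""
    return [(new_role if (r, u) == (old_role, user) else r, u) for r, u in agr_users]

if __name__ == "__main__":
    print(users_with_tcode("VD01", AGR_1251, AGR_USERS))
    after = reassign(AGR_USERS, "BOB", "Z_SALES_MASTER", "Z_SALES_NO_VD01")
    # BOB is still listed: access is the union of all roles, so every role
    # that grants VD01 has to be replaced or removed for that user.
    print(users_with_tcode("VD01", AGR_1251, after))
```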

sdipanjan
Active Contributor
0 Kudos

> Sir I am helpless to solve it. Please tell me how can I do it?

Sir,

If you are sure that you didn't add any other TCode in the role except VD01 and its authorization (means no Manual object) then can you please try by removing that role from that user?

Regards,

Dipanjan

Former Member
0 Kudos

Hi Souvik

Souvik wrote

> keep a provision that a particular user will not be allowed to access VD01

Couldn't help myself - edited - 'well then- don't give it them' .... sorry it was just too much of a temptation after a horrid day ;-(

What other access they have that causes the business concerns or is the question not specific to a particular user but for an interview? No problem with answering an interview question but would just appreciate knowing if this is a real or hypothetical problem...

Regards

David

Edited by: David Berry on Dec 6, 2010 7:36 PM

Former Member
0 Kudos

See if this is okay to you:

- create auth object Z_VD01_POISON, add it to a new role and assign to user not allowed to have VD01

- maintain VD01 user exit - SAPMF02D to disallow user who has object Z_VD01_POISON to save customer

Regards,

Donald