Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Association of authorization group with authorization object

Former Member
0 Kudos

Dear Colleagues,

We are using ECC 6.0 system. There is a transaction EMMAC2 where in the user would pick the case categories & view/make changes as required in the cases.

However, we would like to have a user to pick only those case categories for which he/she is authorized & view/change the data.

This EMMAC2 is controlled by authorization object B_EMMA_CAS & this authorization object has field BRGRU (Authorization Group) along with ACTVT (activity).

We would like to control this via authorization groups

We would like to create authorizations groups based on case categories & those authorization groups would be assigned in this BRGRU field.

Meaning, the end result should be such that, when that new authorization group is added in BRGRU field & that role is assigned to an end user, the user should be able to see data only for those case categories for which the new authorization group has been created

If I use SE54 to create authorization group, it automatically associates itself with authorization object S_TABU_DIS & this does not solve my purpose.

But we would like to create a new authorization group & associate it with authorization object B_EMMA_CAS.

Can someone please let me know the steps on how to achieve it or any other method to achieve it(for above underlined text)?

Does a developer or functional consultant also need to be involved in this?

PS: I tried to search in Google & our forums but could not get any answers

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Siddhartha,

The check table for authorization groups (BRGRU) is TBRG. To create authorization groups for a any authorization object with the BRGRU field, please create entries for the object - authorization group combination in this table. For example, you will notice that table authorization groups are maintained for the S_TABU_DIS object.

I am not sure if maintenence dialog is created for TBRG in your system. If not, you will either have to create a maintenance dialog or enter the values through SE16

Regards,

Aninda

14 REPLIES 14

Former Member
0 Kudos

Hi Sidharth,

If you create an authorization group using SE54 it will update the table TDDAT and the authorization object mapped to it will pick up the authorization group (including S_TABU_DIS).The transaction you are using can also be controlled using the authorization group you have created. Else you can do one more thing work with ABAP team and create a Z for of the tcode you are using and subsequent Z authorization objects and fields and there you try to maintain the authorization group that you have created in SE54.

Give a try.

Regards

MK

0 Kudos

Dear MK,

If I create authorization group via SE54, it gets mapped to S_TABU_DIS automatically. I want to create authorization group that should get mapped(or associate) to B_EMMA_CAS

I tried by SE54, but it does not work; by default it gets mapped to S_TABU_DIS.

In the table TBRG, I see some authorization groups that are mapped to other authorization objects.

I want to know: how that can be achieved

Former Member
0 Kudos

Dear Colleagues,

Can someone please throw some light on this?

Transaction EMMAC2 can just be treated as an example. Such requirement can exist for other transactions also.

I am sure many of our Security experts would have done this with some other transactions. The logic would remain same.

Basically, I would like to know on how to link a newly created auth group to an auth object.

Your help would be highly appreciated.

Regards,

Siddhartha

0 Kudos

I have seen this kind of settings done by functional people often in SPRO. What they say?

Regards,

Arpan Paik

0 Kudos

Dear Arpan,

Thanks for the reply.

Can you please let me know how this new auth group can be created?

By which transaction? I would like to create an auth group containing few case categories & then assign that auth group in B_EMMA_CAS; so that the user has access only to those case categories

Edited by: Siddhartha Varma on Mar 22, 2011 4:33 PM

0 Kudos

This message was moderated.

Former Member
0 Kudos

Hi Siddhartha,

The check table for authorization groups (BRGRU) is TBRG. To create authorization groups for a any authorization object with the BRGRU field, please create entries for the object - authorization group combination in this table. For example, you will notice that table authorization groups are maintained for the S_TABU_DIS object.

I am not sure if maintenence dialog is created for TBRG in your system. If not, you will either have to create a maintenance dialog or enter the values through SE16

Regards,

Aninda

0 Kudos

This message was moderated.

0 Kudos

Dear Aninda,

Thanks for the help.

I created an auth group via SE16 in table TBRG & associated to B_EMMA_CAS

A case category was then assigned to this auth group

We tested it - below are the results:-

1. The user is allowed to 'change' and 'display' the case for the case category for which the user is authorized: this works as per requirement.

2. The user is not allowed to 'change' case for the case category for which the user is not authorized: this works as per requirement.

3. However, he is able to 'display' cases for the case category for which the user is not authorized: this we do not want.

If I remove activty 03 (display), then the user is unable to display the case for the case category for which the user is authorized.

How to resolve this?

0 Kudos

Hi Siddhartha,

Probably those case categories does not have Authorization Group assigned to them. That is why your auth object B_EMMA_CAS with auth group is not being checked.

Try assigning auth group to one of the case category and test..

0 Kudos

Dear Nishant,

Those case categories have been assigned to other auth groups also

Meaning: other case categories do have other auth groups assigned to them

0 Kudos

Dear Experts,

Any clue or advise on this?

Do ABAP developers need to do anything in this?

0 Kudos

Hi,

it might be a bug. Have you searched for OSS notes? For example note 1537649.

Cheers

0 Kudos

Hi Martin & Aninda,

Thanks for the reply.

Application of OSS notes 1537649 & 1424857 has resolved the problem

Points awared