03-21-2011 12:49 PM
Dear Colleagues,
We are using ECC 6.0 system. There is a transaction EMMAC2 where in the user would pick the case categories & view/make changes as required in the cases.
However, we would like to have a user to pick only those case categories for which he/she is authorized & view/change the data.
This EMMAC2 is controlled by authorization object B_EMMA_CAS & this authorization object has field BRGRU (Authorization Group) along with ACTVT (activity).
We would like to control this via authorization groups
We would like to create authorizations groups based on case categories & those authorization groups would be assigned in this BRGRU field.
Meaning, the end result should be such that, when that new authorization group is added in BRGRU field & that role is assigned to an end user, the user should be able to see data only for those case categories for which the new authorization group has been created
If I use SE54 to create authorization group, it automatically associates itself with authorization object S_TABU_DIS & this does not solve my purpose.
But we would like to create a new authorization group & associate it with authorization object B_EMMA_CAS.
Can someone please let me know the steps on how to achieve it or any other method to achieve it(for above underlined text)?
Does a developer or functional consultant also need to be involved in this?
PS: I tried to search in Google & our forums but could not get any answers
03-23-2011 3:03 AM
Hi Siddhartha,
The check table for authorization groups (BRGRU) is TBRG. To create authorization groups for a any authorization object with the BRGRU field, please create entries for the object - authorization group combination in this table. For example, you will notice that table authorization groups are maintained for the S_TABU_DIS object.
I am not sure if maintenence dialog is created for TBRG in your system. If not, you will either have to create a maintenance dialog or enter the values through SE16
Regards,
Aninda
03-21-2011 3:15 PM
Hi Sidharth,
If you create an authorization group using SE54 it will update the table TDDAT and the authorization object mapped to it will pick up the authorization group (including S_TABU_DIS).The transaction you are using can also be controlled using the authorization group you have created. Else you can do one more thing work with ABAP team and create a Z for of the tcode you are using and subsequent Z authorization objects and fields and there you try to maintain the authorization group that you have created in SE54.
Give a try.
Regards
MK
03-21-2011 4:19 PM
Dear MK,
If I create authorization group via SE54, it gets mapped to S_TABU_DIS automatically. I want to create authorization group that should get mapped(or associate) to B_EMMA_CAS
I tried by SE54, but it does not work; by default it gets mapped to S_TABU_DIS.
In the table TBRG, I see some authorization groups that are mapped to other authorization objects.
I want to know: how that can be achieved
03-22-2011 3:38 PM
Dear Colleagues,
Can someone please throw some light on this?
Transaction EMMAC2 can just be treated as an example. Such requirement can exist for other transactions also.
I am sure many of our Security experts would have done this with some other transactions. The logic would remain same.
Basically, I would like to know on how to link a newly created auth group to an auth object.
Your help would be highly appreciated.
Regards,
Siddhartha
03-22-2011 3:42 PM
I have seen this kind of settings done by functional people often in SPRO. What they say?
Regards,
Arpan Paik
03-22-2011 4:30 PM
Dear Arpan,
Thanks for the reply.
Can you please let me know how this new auth group can be created?
By which transaction? I would like to create an auth group containing few case categories & then assign that auth group in B_EMMA_CAS; so that the user has access only to those case categories
Edited by: Siddhartha Varma on Mar 22, 2011 4:33 PM
03-23-2011 4:05 PM
03-23-2011 3:03 AM
Hi Siddhartha,
The check table for authorization groups (BRGRU) is TBRG. To create authorization groups for a any authorization object with the BRGRU field, please create entries for the object - authorization group combination in this table. For example, you will notice that table authorization groups are maintained for the S_TABU_DIS object.
I am not sure if maintenence dialog is created for TBRG in your system. If not, you will either have to create a maintenance dialog or enter the values through SE16
Regards,
Aninda
03-23-2011 2:43 PM
03-31-2011 4:30 PM
Dear Aninda,
Thanks for the help.
I created an auth group via SE16 in table TBRG & associated to B_EMMA_CAS
A case category was then assigned to this auth group
We tested it - below are the results:-
1. The user is allowed to 'change' and 'display' the case for the case category for which the user is authorized: this works as per requirement.
2. The user is not allowed to 'change' case for the case category for which the user is not authorized: this works as per requirement.
3. However, he is able to 'display' cases for the case category for which the user is not authorized: this we do not want.
If I remove activty 03 (display), then the user is unable to display the case for the case category for which the user is authorized.
How to resolve this?
03-31-2011 6:11 PM
Hi Siddhartha,
Probably those case categories does not have Authorization Group assigned to them. That is why your auth object B_EMMA_CAS with auth group is not being checked.
Try assigning auth group to one of the case category and test..
03-31-2011 6:33 PM
Dear Nishant,
Those case categories have been assigned to other auth groups also
Meaning: other case categories do have other auth groups assigned to them
04-06-2011 11:05 AM
Dear Experts,
Any clue or advise on this?
Do ABAP developers need to do anything in this?
04-07-2011 12:25 AM
Hi,
it might be a bug. Have you searched for OSS notes? For example note 1537649.
Cheers
05-10-2011 5:11 PM
Hi Martin & Aninda,
Thanks for the reply.
Application of OSS notes 1537649 & 1424857 has resolved the problem
Points awared