Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

check available authorization groups

Former Member

‎05-10-2011 8:43 PM

0 Kudos

Hi ,

if a custom table needs to be assigned to an authorization group in SAP.

Which is the transaction to check users assigned to an authorization group?

Currently i have an idea that Assigning and Creating authorization groups are dealt in SE54 but i cannot find a way to check

whether users are assigned to an authorization group...!!!

thanks

kritika

12 REPLIES 12

Former Member

‎05-10-2011 8:53 PM

0 Kudos

Check transaction Su53, if it helps. SU53 will list the Authorizations for that transaction from which you enter.

Also, for user groups, check if these tables help:

USR01 User master record (runtime data)

USR04 User master authorizations

USR07 Object/values of last authorization check that failed

USR10 User master authorization profiles

USR12 User master authorization values

USR13 Short Texts for Authorizations

USH04 Change history for authorizations

USH10 Change history for authorization profiles

USH12 Change history for authorization values

UST04 User masters

UST10C User master: Composite profiles

UST10S User master: Single profiles

UST12 User master: Authorizations

Regards,

Santosh

Former Member

‎05-10-2011 8:55 PM

0 Kudos

You can set a trace as well (ST01)

Former Member
In response to Former Member

‎05-10-2011 9:22 PM

0 Kudos

well i think these are for user's logging into SAP system ...

my question was to find user's allocated to authoriztion groups that are allocated to custom tables through SE54

SU53 : would display the authorization for aLOgged in USER.

Thanks

kritika

Former Member
In response to Former Member

‎05-11-2011 3:43 AM

0 Kudos

Hi,

User is usually no a authoriztion group. Only assign Role for user.

If you want check a authority for process person.

First, you must know the authorization object with SU21.

Second, you can add below code in program.

AUTHORITY-CHECK OBJECT 'L_TCODE' ID 'TCD' FIELD lv_tcode.

Then you can login SAP with you want check user id and processa this.

If the check not process, then you can go SU53 check with this id.

I know your mean want to have an authorization check, So you must know which authorization object you want to check for process. And not to know which group for user.

Regards,

Xeric

Former Member

‎05-10-2011 9:52 PM

0 Kudos

Check SUIM, if it helps.

Regards,

S. Verma

Former Member

‎05-12-2011 4:27 PM

0 Kudos

You do not assign users to an authorization group. The tables are assigned to an authorization group. You assign users the authorization object S_TABU_DIS in a role. The field 'DICBERCLS' is how you control what authorization groups a user can display or change.

Go to transaction SUIM.User -> Users by Complex Selection Criteria -> By Authorization Values.

Enter S_TABU_DIS as the authorization object and enter the authorization group. If you want to know what users can view the tables, enter 03 as the activity. If you want to know who can change the tables, enter 02 as the activity.

Execute.

Hope this helps,

Michael

Former Member
In response to Former Member

‎05-13-2011 5:40 PM

0 Kudos

In that case i need to assign an available authorization group to the custom table and through SUIM ...assign the authorization object to the users(from Business end) ?

Is that the process

former_member191735
Active Contributor
In response to Former Member

‎05-13-2011 5:52 PM

0 Kudos

Checking Assignment of Authorization Groups to Tables:

You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.

You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).

See also:

· SAP Notes 7642, 20534, 23342, 33154, and 67766

· Documentation for RSCSAUTH

Hope this helps.... if not check the following link

If you still don't find, search google 'table authorization groups in sap' - There are good info on web.

You can assign the authorization group to any custom table via SE11 - table - display - utilities - assign authorization group and rest follow the sap help (where to maintain and how to assign) .This is a developer and security persons work.

Former Member
In response to Former Member

‎05-13-2011 8:27 PM

0 Kudos

as per the links provided regarding authoriztion groups , could check that users - have been assigned authorizaton object and in SE54 : under the authorization object a list of authorization groups are assigned .

A new custom authorization group can also be craeted .

But i dinit understand the folowing

A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS : in which transaction user profiles are checked

Can anyone guide m ethrough SUIM >> if that is the transaction for user profile

Former Member
In response to Former Member

‎05-13-2011 8:37 PM

0 Kudos

In table USR07 : A particular user have the authorization object as S_TABU_DIS and field : DICBERCLS

WHILE THE VALUE FIELDS CONTAIN : actvt

another value field contains the number : 02

another value filed contains : SA

As per th eunderstanding the user posses this authorization object and the authorization group SA where his activty would be : Allowed for maintenance since the value is 02.

Now the question is : Is there any t-code to check users assigned to authorization groups ? at the tabble level i could check the values

former_member191735
Active Contributor
In response to Former Member

‎05-13-2011 9:00 PM

0 Kudos

If you can show it to your security person (who assigns and maintains authorization in SAP), he would understand what that means.

For example: If you create an authorization object and checking in some report (for example) to restrict users not to execute but you only want to XYZ user to execute it. in this scenario, you would create authorization object and check in the program .... unless you assign the same authorization object to user(s), no user will be able to execute this report.

It is the same..... Define it and check it..... Assigning it to users is where you manage.

Please do some research. There are plenty of info on web. I don't exactly remember but there is even a SDN WIKI on this.

Edited:

you are looking at wrong place USR07.... Don't check it in that table and you won't understand anything.

Edited by: Sampath Kumar on May 13, 2011 2:01 PM

Clemenss
Active Contributor

‎05-14-2011 12:29 AM

0 Kudos

Hi,

create a small test program for users (probably all uname from usr02), do for each user

AUTHORITY-CHECK OBJECT u2018S_TABU_DISu2019 FOR USER usr02-bname
ID u2018ACTVTu2019 FIELD u201903u2032
ID u2018DIBERCLSu2019 FIELD u2018SCu2019.

Modify according to your needs.

Regards,

Clemens