The purpose of creating Z authorization groups for Z table is to allow table maintanence only to specific table, so if you maintain activity 02 in S_TABU_DIS and only specify the Z authorization group to which the table (to be updated)is added in authorization group field, then that should restrict access as needed

Regards,

Sushma

Hi,

If you assign ZMN1 auth group under S_TABU_DIS then it allows access only to the tables which are assigned to this auth group.

Instead of giving access to SM30, as a best practice you can ask them to create a custom Tcode for that table which needs to be restricted and you can give access to that tcode(table).

Regards,

Rama

Hi Nag,

If you are sure that 02 &NC& is not made available to the user via any other role or S_TABU_DIS object then the ZMN1 restriction should work good for your Z table maintenance. Your understanding is correct..

~Sri

Dear Nag,

&NC& refers to "Without Authorization Group" so you need to give authorization group for all Z tables then you can restrict authorization for your tables.

Eg:ZABC table has authorization group as ZA and if you want to give authorization for table ZABC you have to provide respected authorization group ZA with S_TABU_DIS authorization object. you can restrict here with display 03 activity and change with 02 activity.

hope it will help you.

Hi Nag,

Yes you are correct user will not be able to get authorization to maintain all tables since &NC& is not maintained in S_TABU_DIS.

You can assign the role to user with specific authorization group (for example ZMN1) however user will be able to maintain all the tables having authorization group ZMN1 which may lead access to sensitive tables also having this authorization group.

I would suggest you to create a custom T-code ZSM30 with SU24 values having a custom authorization object Z_TABU_DIS and the fields for Z_TABU DIS should be activity, auth group and the table name. With this you will be able to restrict the user to maintain a particular table with authorization group provided to that table.

Hope this helps.

Thanks

Hi,

Greetingsu2026

Sm30 transaction is used for table update,Tables are restricted upon authorization group, every table has an authorization group, that can be checked in table TDDAT, how ever for tables which do not have any auth group in that case @ role level in S_TABU_DIS we maintain &NC& that means no authority check and user will get access to update the table, how ever to avoid this to be happened, we can create a authority check/ restriction on the table name to be updated. If you have a role with S_TABU_DIS having activity 02 and auth group as ZMN1 then you can update all those tables that can have auth group = ZMN1

Just create object Z_TABU_DIS similar to S_TABU_DIS for Ztables with an additional check for table name,Also if your basic concern is to restrict update access for tableu2019s then remove update access from table and replace it with display access activity =03

Regards,

Sandeep

Hi,

Greetingu2026

Sm30 transaction is used for table update

Tables are restricted upon authorization group, every table has an authorization group, that can be checked in table TDDAT, how ever for tables which do not have any auth group in that case @ role level in S_TABU_DIS we maintain &NC& that means no authority check and user will get access to update the table, how ever to avoid this to be happened, we can create a authority check/ restriction on the table name to be updated. If you have a role with S_TABU_DIS having activity 02 and auth group as ZMN1 then you can update all those tables that can have auth group = ZMN1

Just create object Z_TABU_DIS similar to S_TABU_DIS for Ztables with an additional check for table name,Also if your basic concern is to restrict update access for tableu2019s then remove update access from table and replace it with display access activity =03

Regards,

Sandeep