How to restrict FBL1N only to display access

Former Member · ‎08-18-2011

Hi,

I need some help in restricting access for FBL1N. The requirement is the user should be able to only display the vendor items for the given opcos. I created a test role for this tcode and maintained the activity for all the auth objects to 03. But still user is able to change the vendor details. When ran trace, it was showing the access to Tcode FB02. but not sure how the test user is getting this access as the test role does not contain FB02 and user does not have any other role. Please advise

Regards

Kavitha

Former Member · ‎08-18-2011

Hello,

did you copy the test user from another user? Check if the user has some separate profiles via the tab Profiles in transaction SU01 that are not belonging to a role.

regards

Christian

Former Member · ‎08-18-2011

Hi Christian,

Thanks for your response. I did notice that user was assigned SAP_ALL which was the giving the access. It works fine now.

Regards

Kavitha

Former Member · ‎08-18-2011

Hi Kavitha,

FBL1N internally calls lots of tcodes and FB02 is one among them. Check the table TCDCOUPLES.

I don't think this restriction is possible only with adding 03 activity for the F_LFA1* and F_BKPF* objects.

If you check FBL1N in SU24, there are a few other authorization objects that are in check state. You need to make them check maintain and further maintain the activites in the individual roles.

However, this may impact on the current roles that have FBL1N transaction code.

Hope this helps!!

Regards,

Raghu

Former Member · ‎08-18-2011


Hi Kavitha,
> 
> FBL1N internally calls lots of tcodes and FB02 is one among them. Check the table TCDCOUPLES.
> 
> I don't think this restriction is possible only with adding 03 activity for the F_LFA1*  and F_BKPF* objects. 
> 
> If you check FBL1N in SU24, there are a few other authorization objects that are in check state. You need to make them check maintain and further maintain the activites in the individual roles.
> 
> However, this may impact on the current roles that have FBL1N transaction code.
> 
> Hope this helps!!
> 
> Regards,
> Raghu

Despite the SAP_ALL removing the authorization problem.... I would like to enquire about this post.

Can you please explain each of the statements you have made and provide some evidence?

If the user has the correct authorizations then they are are wrong and the "check" and "check/maintain" status has no impact on the coding in customer type systems.

Cheers,

Julius

Former Member · ‎08-19-2011

Hi Julius,

The FBL1N is calling FD02 tcode internally. The authorization objects F_LFA1* are with CHECK status in FBL1N. I infer that it is giving FB02 maintain access by default and hence recommended to verify and make them CM.

Regards,

Raghu

Former Member · ‎08-19-2011

Hi

I remember the FBLxN transactions being in the delivered RAR rulkeset and we had FB02 added to it so that FBLxN were okay so long as the user didn't also have FB02 so I think the user can't access it indirectly (check bypassed)?

FBLxN are purely display without FB02?

Regards

David

Former Member · ‎08-19-2011

Hi David & Julius,

I agree. I've just replicated it in my sandbox and you are right.

Thanks!

Regards,

Raghu

Former Member · ‎08-20-2011

This message was moderated.

former_member957466 · ‎09-29-2014

This message was moderated.