11-28-2011 7:32 AM
Hello Everyone!
I'm trying to maintain authorization profiles for SAP Functional Consultants. I want it so that QM Consultant has authorization for using all QM T-Codes & can do only QM Customization, same for SD, MM and so on...
For this I've maintained a profile for MM in SU02-added all MM related objects, and have activated it.
But once I assign it to a user he's neither able to use the basic T-Codes like MM01-2-3 or ME21-2-3n nor able to do advanced customizations.
Is there a catch I'm missing here?
Any help would be appreciated.
Thanks!
Tejasav Kalra
11-28-2011 7:57 AM
Hi
You should be creating roles instead of profiles for access requirement. In your case for sake of resolution; I hope you have provided s_tcode access inside the profiles. You can check via su53/st01 where the auth checks are failing.
Hope this helps
Prashant
11-28-2011 10:11 AM
Dear Prashant,
I usually use PFCG to create roles, but creating consultants' profile is a challange. They need to have access to config. t-codes. So i had to resort to SU02 for adding different authorizations to composite profile. What do you suggest?
Dear Alex,
We're working on ECC 6.0
Thanks!
Tejasav Kalra
11-28-2011 10:32 AM
Hi Tejasav,
I would suggest you to add the authorization objects to a role & then generate the profile through PFCG. Assign this role to the users. If you assign only the profile to users, the PFCG_TIME_DEPENDENCY job will remove the profile form the user as there is no associated role against it.
Regards,
Dipesh
Edited by: Dipesh Dutta on Nov 28, 2011 11:33 AM
11-28-2011 4:37 PM
Hi,
As you are on ECC6 I really wouldn't waste time with profiles. I'm not sure what your profile design looks like but you'll need transaction start auths (S_TCODE) along with the auth objects. [For those newbies out there, once upon a time S_TCODE didn't exist as a check and everything was provisioned through a limited subset of auth objects granting access to functionality areas]
Use PFCG to achieve this as with SU24 configured you will (usually) get the right auth objects pulled through into your role when you add a menu transaction.
While it would be best to start from fresh using a role, you could do as previously recommended and import your profile into a role and then pick up maintenance from there. It will be messy but one step better than chopping about with profiles.
11-29-2011 10:55 PM
[For those newbies out there, once upon a time S_TCODE didn't exist as a check and everything was provisioned through a limited subset of auth objects granting access to functionality areas]
No cookies for you for making me feel old!
11-28-2011 9:31 AM