12-12-2011 4:03 PM
Happy Holiday's everyone!
We have a custom tcode for Pricing Admin report which currenltly only has S_Tcode for an auth obj. It was combined in a role that we removed the HR authorization from and apparently these were interdependent but undocumented. Now the pricing transacation no longer functions.
Instead of just adding back the missing HR authorizations back into the custom Tcode I'm being asked if we can restrict PA00002 (the table being called in the program) to first name, last name and personnel number fields. Is there an authorization object that will let me restrict in this manner or do I need send this back to the developers to write in the code?
Or can I restict to these fields via authorization groups (something we are looking into implementing more next year).
Thanks
Kris Wise
12-12-2011 5:40 PM
That is a bad omen for the next year...
Try to change the code this year still to deliver only the fields you want from the infotype or go for an "existence check" which no authorization requirements as that is what you seem to be wanting.
Being custom code, you should post the problematic part to discuss a solution.
Cheers,
Julius
12-13-2011 12:24 PM
Hi,
It is not possible to restrict a part of IT0002 through Authorization Objects, neither with the concept of Authorization groups.
The only way you can do it is through creation of a new screen element for IT0002 and using that in your ABAP Program. This is not Security's cup of tea.
Thanks, Deb
12-13-2011 8:12 PM
the program developer tied a customer table to the HR table. solution looks to be to run this as a batch job and send to customer short term and decide if short term continues as long term or we redevelop program.
Thanks everyone! I hope you all have a safe and happy holiday.
K Wise
12-13-2011 8:20 PM
Sounds like the original spec of the BW, except they called them extractors and infocubes..