Thank you David!

I believe that our superiors have deemed the creation of custom table display transactions very time consuming for the development team. Do you have your Sec Admins create these custom table display / maintain tcodes or do you have your ABAPers do it?

You wrote: "If you go ahead and give access to SE16, you can specify a range for auth group in S_TABU_DIS and exclude the sensitive auth groups (like PA), but keep in mind that not all tables belong to an auth group."

Question: I don't see a way to do this and make it work since I need to restrict access to one table in several different auth groups... Any ides??

You wrote: "If it turns out later that there is some data within the table that you want to restrict (i.e. you want to restrict access to Company Code 1234), you can't do it. It's all or nothing in SE16."

Question: How could I restrict access by Company Code if I don't allow SE16??

Thank yo so much! You've enlightened a passionate SAP Security rookie!

I always have the ABAPers create the table maintenance transactions.

You said "I need to restrict access to one table in several different auth groups." First you should understand that a table can only belong to one auth group. Using SE16 you are restricting access using authorization object S_TABU_DIS. You populate the DICBERCLS field with the table authorization groups to which you want to provide access. Unfortunately, there is no way to list tables out individually. You either give access to all tables in the auth group or none.

If you have a need to restrict access to certain Company Codes (or anything else for that matter) within a table, then you are looking at custom code. Standard SE16 cannot accommodate this. You would have to create a table maintenance transaction to view the table, then perform an authorization check after the selection criteria is entered. If the user is authorized to view the requested records then let it proceed. If the user is attempting to view restricted data for which he does not have authorization then the transaction can either give him a hard failure or just filter out the data that he isn't authorized to see (warn him though). This isn't an easy solution and you wouldn't want to do this for many tables, but if the business really wants it then this will do it.

Hope this helps.

Short answer DO NOT use SE16.

have abapers create custom reports for this kind of requests.

If management does not allow that let them take the heat when you are sabled down during the first audit!!!

As no auditor will let this kind of thing pass!!

What do I need to worry about, transports wise, once I create a new Authorization Group using SE54 and associate some tables with it?

Please advise, and if possible, specify the transport steps.

Thank you!

Hi David,

after collecting table data,how to analyse access for users in scope.i e. where do we put the new transactions.

Thanks

Khaisere