10-17-2012 7:13 AM
Dear SAP Basis /Security ,
When we assign some users to a specific TCodes , user keep facing issue with missing authorization and we keep do /SU53 till we got all authorization object need.
Is there any way to a void such missing authority by adding all required authorization objects at once ?
Thank you,
Anas Almomani
10-17-2012 7:31 AM
HI Anas,
To avoid this kind of problem, i suggest that you have to create a role with the tcodes the users will need and have this tested in you development. During the test, you will know if the user will have missing authorization objects. Add the missing auth objects and re-test until you have an all-green SU53.
Transport this role to the PRD for the users to use.
Regards,
Rod
10-17-2012 7:59 AM
Thank you Rodel for your reply .
Your answer is helpful and i have tried and this what i do to resolve this issue .
but in big origination , we receive many request of this type and we could not perform test scenario for each TCode .
But what am looking for, is there some Table or report in SAP or any way to find the all required objects needed without doing the test scenario .
10-17-2012 8:37 AM
Yes Anas,
Use report RSABAPSC this will let you know all auth objects being cheked for a particular t-code or program.
Regards,
Amit
10-17-2012 7:45 AM
Hi Anas,
Also, once the tcode is added in a role in PFCG, go to Authorization tab-> click Edit/Pencil -> Click +New Button (beside +Maintained).
That will expand all the affected authorization objects. You will then edit those authorization objects.
Regards,
Rod
10-17-2012 7:50 AM
Dear Anas,
I assume this issue is reported in production environment.
Provide SAP_ALL to user in DEV/QA system and put a trace (transaction ST01) on his user id and then ask him to execute the concerned T-code and perform his activity. Once he is done switch off the trace and read the trace report file which will have all the authorization objects (along with values) being checked when he was doing his activity.
Make sure user is having access to all these auth objects (with same values as captured in trace) in his roles in production. This will solve the issue.
Regards,
Amit
10-17-2012 9:24 AM
I really would not advise that.
10-17-2012 9:58 AM
Hi Will,
10-17-2012 10:12 AM
Hi Amit,
I'm only kidding you, but you get my point, I'm sure?
10-17-2012 9:34 AM
You'll be lucky to get it right first time every time - this is where testing is so important.
Some things that you can do to ensure a better chance of getting it right are:
I also like to produce a pivot table before the role is transported to QA, which shows the functional team every object in the role down to field level and the values that the role contains. The functional consultants are much better placed to tell me, for example, what Chart of Accounts I should add to role.
10-17-2012 12:56 PM
Thank you All of you info , it is helpful.
I want to ask if we can use Transaction SU24 to find required objects by choosing object checked with yes in SU24.
Thank you,
Anas Almomani
10-17-2012 3:01 PM
Hi Anas,
It is a good question actually and every security administrator at some time faces this issue.
Definitely you can use t-code SU24 to find required objects for that T-code by choosing object checked with yes and maintain the appropriate values for these yes objects in the role at the first time when you are adding the T-code in any of the role. Before maintaining the values for yes auth. objects in the role, please consult with the business user for appropriate field values so that we can restrict the user for required values only.
Thanks,
Varun Jain
10-17-2012 7:37 PM
Hi,
I think it´ll be much easier for what you´re trying to achieve if you display the table USOBT_C. It will basically give you the same info as what you can see in SU24 transaction. Keep in mind that whatever you find there is what SAP put there as a reference and "recommendation" (specially the proposed values), which means that you will still always find errors IF during the implementation project phase proper testing wasn´t performed.
As for the long run, the experience says that maintaining this table via mentioned transaction plus proper testing and documentation is the key to have successful role build and thus the maintenance efforts are be minimal
Good luck!
Thanks,