09-11-2013 11:48 AM
Dear All,
I am a ABAP'er but have received a issue for Roles.
We have a issue that a Role already had Authority Object S_ALV_LAYO assigned. After SAP Upgrade Authority object S_ALV_LAYO has only one activity i.e.23.
But if I display role from transaction SUIM then the Acitivity "03" is displayed and checked by default. But Activity "03" no longer exists a permitted activity for object S_ALV_LAYO it seems SAP has deleted it.
I debugged and found that this value come from table AGR_1251. Could you please advice how to sort this issue as the authority object S_ALV_LAYO is assigned to several roles? How can I adjust Roles so that deleted Activity are no longer displayed?
It seems that steps after upgrade i.e. tcode SU25 were not executed. Kindly advice.
09-12-2013 2:54 AM
Hi Abhishek
"It seems that steps after upgrade i.e. tcode SU25 were not executed" - seems you have answered your question?
That aside, debugging and finding AGR_1251 tables means you just found PFCG role contents. As Julius has advised - have your security team fix the role
In addition, if you think SU25 is contibuting (therefore SU24) you might want to check table USBOT_C and see if there are any S_ALV_LAYO values for ACTVT 03. Have security fix them and adjust all impacted roles. If, however, the PFCG entry (AGR_1251) is manually added to the role, then security need to go manually fix it.
In short, talk to your security team.
Regards
Colleen
09-11-2013 6:23 PM
What error(s) do the users get now that hte 03 value is assigned to the roles? If none, can't you just let them have the 03 activity, even if it is not being used anymore?
09-11-2013 6:55 PM
You use this authorization object to protect global default layouts of the ABAP
List Viewer (ALV).
The authorization object contains the following fields:
Activity
So that you can create, change or set default layouts, the authorization for
activity
23 - Maintain must have been added to your user master record.
you can use the tx SU24 for maintain the authorization default values
09-11-2013 6:41 PM
It is quite likely that an ABAPer also caused this problem or the old F7 trick in PFCG was used back then.
If the roles are intact with SU24 then simply use the merge function (ask the security admin what that means, they should know..).
Cheers,
Julius
09-12-2013 2:54 AM
Hi Abhishek
"It seems that steps after upgrade i.e. tcode SU25 were not executed" - seems you have answered your question?
That aside, debugging and finding AGR_1251 tables means you just found PFCG role contents. As Julius has advised - have your security team fix the role
In addition, if you think SU25 is contibuting (therefore SU24) you might want to check table USBOT_C and see if there are any S_ALV_LAYO values for ACTVT 03. Have security fix them and adjust all impacted roles. If, however, the PFCG entry (AGR_1251) is manually added to the role, then security need to go manually fix it.
In short, talk to your security team.
Regards
Colleen
09-24-2013 10:01 AM
Thanks for feedback. These issue happened as the steps after upgrade were not executed. So the steps via SU25 needs to be executed.