02-10-2014 2:02 PM
Hello,
I have a requirement to authorize a user for quotations and sales order pdf export but to restrict the excel export of a specific report for the same user.
I saw that S_GUI authorisation is responsible for document export. But I don't know how to allow the 61 Export activity for some transactions and to exclude it for others.
I tried to define two different roles, one with and the other without S_GUI 61 Export authorisation.
If I assign only one role at a time than the user has the authorisation according with the role . If I assign both roles to the same user them he has authorisation for all exports.
Can someone tell me what can be done to achieve this?
Regards,
Daniela
02-10-2014 3:08 PM
Hi Daniela,
The fact that the S_GUI object only has one field should already tell you that you can not restrict on specific files. So for downloading via the front end it is an all-or-nothing situation.
Maybe there's an option to download the pdf's to a different file/server/location regularly so the user can pick them up from there.
Jurjen
02-10-2014 3:08 PM
Hi Daniela,
The fact that the S_GUI object only has one field should already tell you that you can not restrict on specific files. So for downloading via the front end it is an all-or-nothing situation.
Maybe there's an option to download the pdf's to a different file/server/location regularly so the user can pick them up from there.
Jurjen
02-12-2014 3:23 PM
Hello Jurjen,
You're right. It's an all-or-nothing situation.
We created a new user only for reports whit no export authorisation.
For the existing users we exclude the reports and kept the sales transaction with export authorisation.
Regards,
Daniela
02-10-2014 10:51 PM
Hi,
when you do Where used for S_GUI object you will see that it's not used on many places. So you could introduce new authorization object with more granular access control (e.g. transaction code) and then use enhancement framework to add check for this new object everywhere where S_GUI is checked.
Cheers
02-12-2014 3:18 PM
Hello Martin,
Thank you for the proposed solution.
As I said to Julius I'm doing only the authorisation. No enhancement.
Regards,
Daniela
02-10-2014 11:09 PM
If this is your own report, then you can very easily control it via the user command to create the PDF.
This is then a functional restriction of the command which clears the field value and not something authorization dependent.
If it is a standard transaction then you will have more success using sy-repid and sy-dynnr to clear the field as a condition than sy-tcode (my opinion).
Cheers,
Julius
02-12-2014 3:15 PM
Hello Julius,
This is not my report. I'm not an ABAP programmer.
I'm doing only the authorisation.
Regards,
Daniela