03-23-2007 12:50 PM
Hi Experts
i need to lock few transaction for particular users only. we have n number of roles and the transactions have been assigned to some tcodes to be reasticted for a list of users. is there any method or program to built to restrict the users for few tcodes.is there any more query pl trigger me
regards
bala
03-23-2007 1:25 PM
Just assign roles that don't grant access to the tcodes...?
.. or am I missing something here?
03-24-2007 5:34 AM
Hi experts
i cant do by restricting the users by their roles. i will explaint details. consider if i want to restrict a tcode say se38 to few users who are in the list when i fetch roles which contains this tcode is many and moreover in some personal assigning roles are also available where the authorization was given like A* - P* and more one user assigned with atleast 15 roles where and there are mote then 25 users are assigned - by understanding these type of tediousness i preferred a program or any solution to restrict the users for pariticular tcodes
regards
bala
03-24-2007 6:08 AM
Hi Bala ,
In my view the best way to approach the problem is to copy the role by using PFCG Transaction and remove the Tcode that is not required to be assigned to the particular user from the newly copied role and then assign the user that role .
Hope this will help or am i missing something ,
Regards ,
Sagar Barman
03-26-2007 4:49 PM
I understand what you are saying and I come across situations like this all the time. It seems that your company didn't develop a proper role design and management strategy - you wouldn't have transaction ranges otherwise!
You are looking for a method would be a shortcut to avoid having to go through the 'pain' of a strong role design. If your roles are designed top-down and are derived for the business units/regions, then the role numbers/design should be very easily manageable. It's an initial investment of time that pays off very quickly. I would consider revisiting your role strategy so that it suits your business and compliance needs.
03-27-2007 5:13 AM
Hi bala,
as per ur second post, rather going for programming i prefer to go with authorizations A* - P*
Cheers,
Siva
03-24-2007 6:15 AM
hi
sagar:
as you said if i start creating roles to restrict some users then there atleast 25 tcodes are there to restrict and 120 roles are to be analyzed and the job becomes hefty by creating roles and there will too many number of roles and it becomes confusion in future forecast. there fore i nedd any suggestion like that the userscan be restricted when they are trying to access that particular code or lock the screen or inform them to not access these tcodes thro some message or writing a program to restrict the users while the user exits. i have an idea but i dont know how it will work - ( I am not a ABAPER) there should be tcode or program which should list tcodes authorized for particular users and where they can be locked like SM01 ( but it will lock for all) but locking for particular users
Am i more advanced??
regards
bala
03-24-2007 11:43 AM
Hi Bala,
A few days back, I had to do similar task.
I had copied the roles through PFCG and removed the transactions, which were not to be given to a set of users.
If you get the solution, please let me know.
-Nandu More
03-26-2007 7:49 AM
Hi Bala,
You can actually create a new role by copying the existing role and then Inactivate the authorization objects those you dont need.
Hope it helps.
please reward points if it is useful.
Thanks & Regards,
Santosh
03-26-2007 7:50 AM
Hi Bala,
You can actually create a new role by copying the existing role and then Inactivate the authorization objects those you dont need.
Hope it helps.
please reward points if it is useful.
Thanks & Regards,
Santosh
04-04-2007 4:16 AM
HI Bala,
What you can do is assign the users to a seperate user group.
Once the users are in a seperate user group, you can go to the individual security roles and restrict the access to particular transactions by maintaining the auth object S_USER_GRP.
Again, this might not be the most feasible method if your transactions are across many roles which would need that you need to maintain each one of the individual roles.
Let me know if this helps, or I can suggest alternative methods.
Cheers,
Satish
04-04-2007 7:33 AM
Hi,
Let me frankly tell you that the tcodes are role specific. You cannot restrict a particular transaction for a user without creating the role/profile or without dealing with the Auth. Obj.
So the only solution is to create the roles in prior and assign them as per your buisness need.
What you want if i have understood properly cannot be done.
Hope this helps you to finally decide that since now you always take a decision before hand as a whole and plan for future as well while planning for the present.
In case you get to know something different great to know..do share.
Reward with points.!!!!!!