on 08-13-2015 8:59 AM
Hi Gurus,
my aim is to avoid specific users to display customers with specific account group (XD03 transaction)..
In order to do this I've implemented Auth object F_KNA1_GRP specifying ACVT = 3 (display) and the range of admitted KTOKD.
Then I've associated F_KNA1_GRP to tr code XD03 (SU24 transaction) and with tr code PFCG i've modified A_FBD(CLI) including the Account Group check.
It seems not run. Could you please help me in indentifying which shoulfìd be the correct step to be performed (if it's possible step by step since i'm new for what regards profile maintenance)?
Let me know.
Many thanks
Angelo Gaiatto
Hi Angelo,
Few questions to understand your situation
1.Have you made check as 'Yes' for authorization object F_KNA1_GRP for t-code XD03 in t-code SU24?
2.Have you created a custom role 'A_FBD(CLI)' with authorization object F_KNA1_GRP with values only required for user to be visible?
3.Have you assigned the above role to the required users?
If answer to the above questions is yes then what is the error or issue you are getting if possible share the trace data or explain clearly the issue with screenshots.
Regards
Pradeep
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Angelo,
I have found few problems with your implementation.
1.In your PFCG role why activity 01,02 is provided when it was only display '03' activity.so please remove activity 01 & 02(Create or Change or any other activity present like Delete etc).
2.I asked for ST01 trace and not SU53.So please switch on the trace before executing the steps and then switch off and attach the same screenshot for further analysis.
Hope this helps.
Regards
Pradeep
F_KNA1_GRP is checked actually in XD03 (at least in my test system 6.0 Ehp4) and appears in trace log files with correct values.
Did you run the test with an user that has only this new role with restricted XD03 display assigned? If not - have you checked for cross-authorizations? Did you already eliminate sync issues, problems during transport (if you are not performing the tests in the same system)?
One possible reason why you did not manage to select any entries from ST01 log could be also different time zones (user vs server) - if it is the case: just enter a wider time range for log selections.
F_KNA1_GRP was already set by default in SU24 for XD03 to Check with proposal = YES in my system, the only difference to your screenshot is that KTOKD is set to ' ' ; ACTVT is set to '03'.
So... this trace is run with a test user with only one profile assigned (for the role for which you provided screenshots earlier)? And the values maintained for object F_KNA1_GRP in the role are exactly the same as the values in SU24 which you maintained? And user comparison was successfully executed from PFCG?
Did you also check in AUTH_SWITCH_OBJECTS (also accessible from SU25) whether somebody had deactivated the checks for F_KNA1_GRP globally in this system?
By the way - it would be better to check against what is actually set for this authorization object in the test role instead of relying on the information of screenshot from SU24, as there can be some deviations.
Hi Angelo,
Just ensure that all the relavant Values in Field KTOKD under object F_KNA1_GRP has to be maintained correctly before executing the T-code XD03 in role by Using PFCG T-code for changing that.
After maintained the respected values in the above auth object mentioned and still getting issues,please share the error screenshots.
Thanks,
Kumar
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Moving back to SD , as the applicaiton must know, what is checked when where and how.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
hi angelo,
F_KNA1_GRP is a standard assignment/check to XD03. what have extra you done in SU24, also could you clarify ' A_FBD(CLI) '
Regards
Plaban
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Dear Plaban,
with SU24 I've check all the auth check assigned to XD03 verifying that within F_KNA1_GRP the linjked specific account group.
With PFCG I've checked role A_FBD(CLI) in particular authorization data to see if it's linked to Customer: Account Group Authorization.It seems all correct but when I call XD03 transaction the system seems not pass through F_KNA1_GRP.
Many thanks
Angelo
Hi Plaban,
I suppose A_FDB (CLI) i s a custom role created by our tech department.
Since It hasn't a Z* ad first letter I was thinking it was standard...
Below the trace (SU53 XD03): it's seems that F_KNA1_GRP isn't called by XD03.
For completeness SU24:
And PCFG:
Any help will be appreciated.
MAny thanks
Angelo
Moved from SAP ERP Sales and Distribution (SAP SD) to Security
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
108 | |
12 | |
11 | |
6 | |
5 | |
4 | |
3 | |
3 | |
3 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.