09-08-2016 4:49 PM
Hello Experts,
I have come across a situation wherein after launching ES62 -> Environment-> Data , we can see Contract accounts(CAA3), how could we restrict it?
Regards
Piyush
09-09-2016 9:58 PM
Hey Piyush,
You can try to restrict the contracts by authorization objects of the role, and also check if don´t exist object superposition.
Regards
09-12-2016 7:42 AM
Hello Cristiano,
I tried tracing the user but unfortunately didn't find any authorization object which I could restrict. Could you please look into it? Also, could you please enlighten on object superposition.
Regards
Piyush
09-12-2016 1:36 PM
Hello Piyush,
Did you find some roles in the SUIM typing the transaction ES62? So you have to see the activity of these objects and the contract field in all roles because if you have a activity with * in a role and in another role you have the same object with activity 3, in the end you have the object with activity *, 3 with access to the contracts of those roles.
Regards
09-12-2016 1:43 PM
Hello Cristiano,
I am not sure which Auth. object I need to look into because as I mentioned I didn't find any auth. object which I could restrict to prevent switching from ES62 to CAA3
regards
Piyush
09-12-2016 1:51 PM
Did you used this transaction to search S_BCE_68001425/ selection by assigned transactions in menu?
09-12-2016 2:07 PM
I used SUIM and then "Role" >> By Transaction "ES62". I could find several role including this transaction. I am sure I am somewhere mistaking from what you are are trying to suggest. I am not certain how to find out the Auth. code which I need to restrict. Also, if I use the transaction you suggested, it takes me to Role by complex selection criteria. What details do I need to fill there?
Piyush
09-12-2016 2:24 PM
Following the stpes bellow you will see the autorization objects. And now youu have to search the auth code of the contract CAA3. Expand the subtree until find the auth obj.
Example:
09-14-2016 8:11 AM
Hello Cristiano,
Here is what I tried:
1) Tcode S_BCE_68001425
2) Entered Role and Using Profile Assignment tab, looked into all the profiles.
3) Found two Autho. object related to contract account as:
E_Contract
&
F_KKKO_BUK
4) Tried removing the access to both Auth. Objects also tried disabling both Auth. Objects, still didnt work. Still able to CAA3 within ES62
Regards
Piyush
09-14-2016 2:13 PM
Hello,
Great!
So now in the same transaction you can search selection according authorizations values.
Type the objects and entry values, will show you the roles that have those objects.
After this you check the configuration of those objects in the roles.
But I don´t think those objects have the contract account, so you can check on SUIM - authorizations objects - auth by comple criteria - auth.object text and search by contrac* and then you see if some object have the contract account.
regards
09-15-2016 12:13 PM
Hello Cristiano,
I tried suggested steps, and I found below screen.
However when I went to respective role, I didn't find this Authorization object. Not sure from here. Please help
**To add, I tried finding out all the role with : ES62-> F_KKVK_FDG -> ACTVT: * in S_BCE_68001425 t-code
I found several roles. But does that give any clue for me? How could a value of any field related to a different role?
Please suggest.
Regards
Piyush
09-15-2016 2:27 PM
Hey
You must search the role with : ES62-> F_KKVK_FDG -> FLDGR_FICA: CAA3 and ACTVT: * in S_BCE_68001425 t-code,
Or you can search all users role with CAA3 or * object field that contains contract text.
So this way you will find the authorization object that allow access to se CAA3 contracts acount.
Regards
10-03-2016 10:21 AM
Hello Cristiano,
Thanks for the reply. I tried with below options this time:
And found several roles. However not the one where I need to restrict CAA3. Also, please correct me, I believe if the concerned role doesn't have this Authorization Object F_KKVK_FDG or Authorization field FLDGR_FICA, it won't be affected by any other role? Please suggest
Regards
Piyush
10-03-2016 9:00 PM
10-03-2016 10:09 PM
Hello Cristiano,
That was my first attempt to try ST01 and unfortunately I didn't find any object to restrict while switching to CAA3 from ES62.
Is there any way, I can try restricting it in S_TCODE?
Regards
Piyush
10-04-2016 11:42 PM
Hi Piyush,
This looks like an internal call.
1. Could you please trace it again, and look out for objects like P_TCODE or I_TCODE. These objects are responsible for authorization checks on internal calls of transactions.
2. Check the existing value provided in this object as of now in the role.
Thanks,
Rajesh
10-05-2016 2:26 PM
Hello Rajesh,
Thanks for looking into this.
1) I performed trace and didn't find these two objects anywhere while switching to CAA3 from ES62
however I did find I_TCODE in the Authorization tab in Role where I see Tcodes: IE03, IQ03 and IQ09. What can I do in this case?
2) As mentioned above.
please suggest.
Regards
Piyush