Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

block particular access

Go to solution
Former Member

‎06-15-2007 5:48 AM

0 Kudos

hi

the user have SAP_ALL and SAP_NEW profile.

but i want to block particular client in scc4.

i mean they not able to edit the client

how to do ?

need help

Message was edited by:

Lee green

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎06-15-2007 7:05 AM

0 Kudos

First create a z role in PFCG

Go to Authorization tab -> click on change authorization tab -> do not select any of the templates

Next click on the menu item Edit -> insert authorizations-> from profile

Enter SAP_ALL

This will insert the authorization object corresponding to SAP_ALL profile

Repeat the same procedure for the profile SAP_NEW

Next step is to find the authorization object corresponding to transaction SCC4 using tc SU22

Inactivate the authorization object corresponding to SCC4 in PFCG.

I think this might work but it is a long and tedious process

Regards,

Sowmya

6 REPLIES 6

Go to solution
Former Member

‎06-15-2007 5:55 AM

0 Kudos

Hi,

I think you need to create a Z role in <b>PFCG</b> which blocks the access of transaction code <b>SCC4</b> and then assign this role to the users.

Regards,

Sowmya

Go to solution
Former Member

‎06-15-2007 5:57 AM

0 Kudos

.

Go to solution
Former Member

‎06-15-2007 6:37 AM

0 Kudos

Hi Lee,

It is impossible, even if you block the access to the transaction to SCC4 through other role, they will get the authorization from SAP_ALL profile.SAP also doesnot recommend to give SAP_ALL and SAP_NEW to the users.First remove these profiles from the users and give them a new set of roles based on their functionality.

Regards,

Bharath

Go to solution
Former Member
In response to Former Member

‎06-15-2007 7:59 AM

0 Kudos

Simply do not give SAP_ALL to anyone, only use roles created with PFCG!!!

Go to solution
Former Member

‎06-15-2007 7:05 AM

0 Kudos

First create a z role in PFCG

Go to Authorization tab -> click on change authorization tab -> do not select any of the templates

Next click on the menu item Edit -> insert authorizations-> from profile

Enter SAP_ALL

This will insert the authorization object corresponding to SAP_ALL profile

Repeat the same procedure for the profile SAP_NEW

Next step is to find the authorization object corresponding to transaction SCC4 using tc SU22

Inactivate the authorization object corresponding to SCC4 in PFCG.

I think this might work but it is a long and tedious process

Regards,

Sowmya

Go to solution
manohar_kappala2
Contributor

‎06-15-2007 6:34 PM

0 Kudos

Hi,

If you want to give access to SAP_ALL and SAP_NEW and still want to control his access to SCC4, perhaps its not possible because whatever restriction u put in can be changed by this user.

For example lets say u have created a role based on SAP_ALL and SAP_NEW and removed tcode SCC4 and related objects from the role and assign it to user.

Now once u logon using the ID with that role he can go to PFCG and undo the changes u have done.

And adding to this there are more than one tcode which works the same way as PFCG but having different name and also there are many backdoors to move accross.

So in short what ever action u take to control that access can be undone by user with SAP_ALL and SAP_NEW...

Hope this helps

Manohar