06-15-2007 5:48 AM
hi
the user have SAP_ALL and SAP_NEW profile.
but i want to block particular client in scc4.
i mean they not able to edit the client
how to do ?
need help
Message was edited by:
Lee green
06-15-2007 7:05 AM
First create a z role in PFCG
Go to Authorization tab -> click on change authorization tab -> do not select any of the templates
Next click on the menu item Edit -> insert authorizations-> from profile
Enter SAP_ALL
This will insert the authorization object corresponding to SAP_ALL profile
Repeat the same procedure for the profile SAP_NEW
Next step is to find the authorization object corresponding to transaction SCC4 using tc SU22
Inactivate the authorization object corresponding to SCC4 in PFCG.
I think this might work but it is a long and tedious process
Regards,
Sowmya
06-15-2007 5:55 AM
Hi,
I think you need to create a Z role in <b>PFCG</b> which blocks the access of transaction code <b>SCC4</b> and then assign this role to the users.
Regards,
Sowmya
06-15-2007 5:57 AM
06-15-2007 6:37 AM
Hi Lee,
It is impossible, even if you block the access to the transaction to SCC4 through other role, they will get the authorization from SAP_ALL profile.SAP also doesnot recommend to give SAP_ALL and SAP_NEW to the users.First remove these profiles from the users and give them a new set of roles based on their functionality.
Regards,
Bharath
06-15-2007 7:59 AM
Simply do not give SAP_ALL to anyone, only use roles created with PFCG!!!
06-15-2007 7:05 AM
First create a z role in PFCG
Go to Authorization tab -> click on change authorization tab -> do not select any of the templates
Next click on the menu item Edit -> insert authorizations-> from profile
Enter SAP_ALL
This will insert the authorization object corresponding to SAP_ALL profile
Repeat the same procedure for the profile SAP_NEW
Next step is to find the authorization object corresponding to transaction SCC4 using tc SU22
Inactivate the authorization object corresponding to SCC4 in PFCG.
I think this might work but it is a long and tedious process
Regards,
Sowmya
06-15-2007 6:34 PM
Hi,
If you want to give access to SAP_ALL and SAP_NEW and still want to control his access to SCC4, perhaps its not possible because whatever restriction u put in can be changed by this user.
For example lets say u have created a role based on SAP_ALL and SAP_NEW and removed tcode SCC4 and related objects from the role and assign it to user.
Now once u logon using the ID with that role he can go to PFCG and undo the changes u have done.
And adding to this there are more than one tcode which works the same way as PFCG but having different name and also there are many backdoors to move accross.
So in short what ever action u take to control that access can be undone by user with SAP_ALL and SAP_NEW...
Hope this helps
Manohar