Dear Aneha,
When you want to Block a particular user while allowing another user for a transaction code, then you have to create two different Roles ( this you can do in T-code PFCG). Say Role A and Role B.
In Role A - assign Transaction code and specify the auth level i.e. Edit, display etc etc.
In Role B - DO NOT assign the T-code you wish to block or allow.
Finally assign the Role A to the user you want to Authorise, and Assign Role B to User you want to Block.
The Detail process for creation of role is given below:
Procedure for creating roles
These instructions describe the procedure for creating single roles. The instructions refer to editing an role using Basic maintenance in transaction PFCG.
Step 1
· Create the role
Step 2
· On the tab Description, describe the functions the role is to include
Step 3
· Assign transactions to the role on the Menu tab.
o You can do this by specifying the transactions directly.
o Otherwise you can assign menu branches from the SAP menu.
· The menu options selected in this step are displayed in the Session Manager and on the "SAP Easy Access" logon screen for all the users who are assigned to the role; this is the User menu.
Step 4
· In the tab Authorizations choose Change authorization data.
· Depending on the transactions you have chosen, the system may display a dialog box that asks you to maintain the Organizational levels. These are authorization fields that occur in several authorizations at the same time and which can be maintained together. An example is the company code, which occurs in several authorization objects. When you assign values to the organizational levels, you maintain the authorization fields for all authorizations in the tree display that is displayed at the same time.
· The system displays a tree display for all authorizations that are proposed by SAP for the chosen transactions. The authorizations already have some values.
o You have to manually process the authorization values wherever you see a yellow traffic light in the tree display. You enter these values by clicking on a white line next to the name of the authorization field. Once you have maintained the values, the authorizations are regarded as being manually modified and are not overwritten if you include additional transactions and reprocess the authorizations. By clicking on the traffic light, you can assign full authorization for the hierarchy level for all unmaintained fields.
o Wherever there are red traffic lights, there are organizational levels that do not yet have values. You can enter and change these values by choosingOrg. levels....
o If you want additional functions in the tree display, such as to copy or summarize authorizations, you can add additional functions by choosing Utilities -> Settings.
o Generate an authorization profiles for the authorizations, To do this, choose Generate or Authorizations -> Generate.
o The system asks you to assign a name for the authorization profile that now exists. The default is a valid name that is already in the customer namespace.
o Exit the tree display once the profile is generated.
o With changes to the menu selection and redisplaying the menu display for the authorizations, the system tries to mix the new transactions in with the existing authorizations. This may mean that the stoplights are switched to yellow, as new incomplete authorizations appear in the tree display. You assign these with values manually, or delete them if necessary.
o You can delete an authorization by deactivating it. You can then delete it.
o General authorizations such as spool display and print are not generally stored with transactions. For this purpose there are authorization templates that you can add to the existing data. To do this, choose Edit -> Insert authorizations -> From template... and choose one of the templates (for example SAP_USER_B Basis authorization for application users or SAP_PRINT Print authorization). Alternatively, you can create a separate activity group for these general authorizations whereby the overview is much more clear.
Step 5
· On the Users tab, assign the users to the role.
o The system displays the menu options for the role in the Session Manager as the user menu for the users assigned.
o Otherwise, the generated authorization profiles are automatically entered in the user master records if the User master record comparison was executed. To do this, choose Compare users in the tab Users and choose Complete comparison.
o If you do not restrict the period of the assignments and use the default period (current date to 31.12.9999) then no further action is necessary. If you make any other time restrictions, then you should schedule report PFCG_TIME_DEPENDENCY to run periodically. This updates the user master record comparison automatically. You must therefore schedule the report when you use Organization Management, although this is not discussed in these short instructions.
o It is very important that you never enter the generated authorization profiles directly in the user master records, as is the case with authorization profiles that were created manually. A link from the generated profiles to users can only happen if users have been assigned to the link and if you have then compared the user master records. This comparison enters the role profiles for all users in the role.
Step 6
· If you want to transport the role into an additional system, you must enter the role in a transport request.
1.To do this choose Role -> Transport. You can now specify whether or not the user assignment should also be transported.
2.The authorization profiles are transported unless you have explicitly specified that you do not want to transport the profiles.
3. After the import into the target system, you have to compare the user masters for the imported roles again. You can trigger this comparison manually or use report PFCG_TIME_DEPENDENCY to execute it automatically, but only if this report is scheduled to run periodically in the target system.
Reward points if useful
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.