Solved: Assigning ABAP reports to roles

Former Member · ‎03-12-2008

Hi All,

I have a problem here.

I am using ECC 5 here.

I want to assign a ABAP program with a variant to a role.

I tried it through PFCG -> Menu Tab-> and clicked on reports-> selected ABAP Report -> wrote report name and its variant.

It created a Y transaction.

Now i assigned the role and transaction to the user and he is able to execute the transaction. But the problem is he is also able to see and choose other variants too. I want to restrict that so that he cant see or choose any other variant.

I ran authorization trace and a few objects were checked.

I added those objects in su24 for check indicators.

I left those auth objects empty in the role.

but the user is still able to execute the transaction and also see and choose the variants.

I do not want to give any rights of SA38.

Kindly help me in this in restrcting the variant access

Thanks

Tajinder

Edited by: Tajinder Pal Singh on Mar 12, 2008 1:58 PM

former_member74904 · ‎03-12-2008

shouldn't checking the checkbox "skip selectionscreen" in the menutab for your Y transaction solve this issue?

former_member74904 · ‎03-12-2008

shouldn't checking the checkbox "skip selectionscreen" in the menutab for your Y transaction solve this issue?

Former Member · ‎03-12-2008

Hi Tajinder,

Have a look @ S_PROGRAM.

Though you have the report attached to TCODE its good you attach the report to Auth Group.

With the help of the auth group you control who runs the report in SE38 or SA38.

For variant modification, you can achieve that as well using auth group.

S_PROGRAM.,

User action ABAP program.,

SUBMIT - Start the program

BTCSUBMIT - Schedule the program to run as a BG job

VARIANT - Maintain variants (The SUBMIT authorization is necessary here as well, since programs are executed during variant maintenance)

Authorization group ABAP program

Value VARIANT will allow to maintain variants for only those programs in Auth Group.

Read the object documentation for more information.

Thanks.

Regards,

Muthu Kumaran KG

Former Member · ‎03-12-2008

Hi Dimitri,

No, because users has to to put some selection options too. So by skipping that it will not work.

Thanks

Tajinder

Former Member · ‎03-12-2008

Hi,

The problem is that i can not give access rights of SA38 to anyone.

As i understood, you want me to give write of SA38 and then permit only the program that the users needs.

I want to do it without SA38.

what other options can i take??

Thanks,

tajinder

jurjen_heeck · ‎03-12-2008

Maybe (I have no experience with this exact problem) you can look a a two-step approach:

Step 1: Create a transaction for the report as well as the necessary variant.

Step 2: Create a "variant transaction" for your new transaction and variant.

Assign the variant transaction to your user's role.

Hope this helps/works

Jurjen

Former Member · ‎03-12-2008

No dont give SA38.

1. Assign the report to Auth Group

2. Then it can be controlled for variants using S_PROGRAM using Auth Group Concept.

Thanks.

Note : Jurjen's option will also be good.

Regards,

Muthu Kumaran KG

former_member74904 · ‎03-12-2008

to my understanding, S_PROGRAM (VARIANT) controls whether a variant can be maintained or not.

I interpret Tajinder's question in the following way: that he doesn't want the user to execute the program with any other variant than the one he assigned to it?

Former Member · ‎03-12-2008

Interesting question.

Jurjen's suggestion could work I think. But you would need to hide the "Get variant" button... and I think Shift-F5 would then still work from the selection screen, as it is not skipped.

Note that the system only checks VARIANT as reports can also be submitted via their variants, if SUBMIT authority is not found. But SUBMIT does work on it's own as well! There is a few old posts here which discuss this alternate action value.

So... once the partly defined variant for the selection screen is set, would it not be sufficient to grant SUBMIT for the S_PROGRAM group and not grant VARIANT? Would that not prevent the user from changing variants from that report auth group when stopping in selection screens, where a screen variant is used to "grey out" those fields which are already determined by the variant?

Plan B: Create your own little report with a selection screen for the fields you want the user to select, and then hardcode the others and then SUBMIT REPORT <report_name> USING <the_parameters_for_the_selection_screen> AND RETURN.

Cheers,

Julius

Former Member · ‎03-12-2008

>


> to my understanding, S_PROGRAM (VARIANT) controls whether a variant can be maintained or not. 
> I interpret Tajinder's question in the following way: that he doesn't want the user to execute the program with any other variant than the one he assigned to it?

That is what I understood as well. Except, he additionally wants the variant definition to be incomplete, that is why it should stop in the selection screen... and not skip it.

Former Member · ‎03-12-2008

Hi All,

Yes, I want it as Dimitri said:-

I interpret Tajinder's question in the following way: that he doesn't want the user to execute the program with any other variant than the one he assigned to it?

And i want the selection screen too as mentioned by Julius

I think Jurjen's method can work. I will try that.

And Muthukumaran... please tell how can I assign report to a Auth group.

And in the role, there is only one auth object and that is s_tcode and that is for that Y transaction.

Even if i add more auth objects, it wont check them.

I am trying.

thanks to all for valuable suggestions and i think i need more

thanks

Tajinder

Former Member · ‎03-12-2008

If you add an auth group to the report using report RSCSAUTH, then it will check that auth group value so the role will need S_PROGRAM object as well. Try to only give it SUBMIT, and not VARIANT for the S_PROGRAM auth group you used. Maintain and set the variant using a different ID (like yours).

That might work.

Cheers,

Julius

Former Member · ‎03-12-2008

You can assign Auth as Julius mentioned.

For your Y tcode which is created automatically by SAP by default S_TCODE will be checked.

And add the object S_PROGRAM to the transaction in SU24.

Adding a new object to the transaction which is not in the list doesnt make the check happen unless otherwise the program is coded for authority-check.

I guess your report is Z so it can accomodate this authority check.

Given all this complications better you can go with Variant transaction.

Just to point again.,

Field Auth Group in S_PROGRAM works the same way like in S_TABU_DIS.

Thanks.

Regards,

Muthu Kumaran KG

Former Member · ‎03-15-2008

Hi All,

Thanks for your valuable inputs.

I assigned a auth group to the program and added s_program to the role's auth data and did not assign variant.

Its working good and the user is not able to see or choose variants.

Now i will deploy this in production

I am happy to award points to you

THANKS

tajinder

Former Member · ‎03-15-2008

Thank u all of u