03-17-2008 7:01 AM
hi
i to make a role for functionals except basis tcodes. for this i am going to make a role (zsample), copied sap_all profile, disable Basis Objects (BZ_A, BC_C, BC_Z) and assigned it to them.
can u tell me the procedure for disabling auth objects
regards
ramesh
Edited by: Ramesh Sammiti on Mar 17, 2008 8:17 AM
03-17-2008 7:32 AM
I would suggest that you disable Basis Tcodes instead of objects
In object S_TCODE use the "From and To "
e.g. to restrict all Tcodes from DB01 to DB20 use this:
From and To
0* - DB00
DB21 - Z*
To disable objects, simply click on the Deactivate option for that Object.
03-17-2008 9:33 AM
>
> I would suggest that you disable Basis Tcodes instead of objects
> In object S_TCODE use the "From and To "
That won't stop the user from being able to run the functions. Restricting the objects will make it much harder.
03-17-2008 7:59 AM
Hi Ramesh,
If you are 4.6c machine then you will find a profile with name SAP_ALL_DISPLAY and you need to take care of some S_* objects and K_* objects which have activities other than 03.
Other option is to restrict the BZ_A, BC_C, BC_Z class objects with only display activity.
There are many posts on this issue.
If you need further help then follow the link.
Rakesh
03-17-2008 9:07 AM
hi Rakesh
thank u for quick reply. i am junior guy. please tell me the procedure for restrict the object(BC_A, BC_C....) to display
regards
Ramesh
03-17-2008 9:38 AM
Hi Ramesh,
BC_C, BC_Z are basis classes in which you will find many basis objects like S_USER_AGR(needed for role check), i dont suggest you to disable the entire class. Because some of the objects are needed for users for normal operations like display.
So what you can do is
1. Decide which tcodes you want to assign to the role annd restrict on tcode level itself, i.e restricting the activity to 03 in pfcg for related objects.
2. Give SAP_ALL to the user and make sure you restrict each object of class BC_C, BC_Z on their activity.
You can find many posts on these topics.Do an intense search.
logging off....
Rakesh
03-17-2008 9:50 AM
>
> 2. Give SAP_ALL to the user and make sure you restrict each object of class BC_C, BC_Z on their activity.
Hi Rakesh,
I think you mean a copy of SAP_ALL rather than modifying the actual SAP_ALL profile
03-17-2008 2:02 PM
Yes Alex i mean copy of SAP_ALL and restrict it only to display.
Ramesh other option with you to make a list of all the Tcodes and related objects(tcode related objects can be obtained from su22 or su24) needed by the funtional team and create a matrix out of it.
Eg:
Transactions
Unique Auth Object
Authorization Fld
Authorization Value Low
Authorization Value High
This is manual job and takes time. But by maintaining a matrix you will get the job done perfectly, and you can impose restriction in an effective way.
Rakesh
03-17-2008 5:07 PM
Hi Ramesh,
Go to the role in change mode (transaction PFCG).
Under the 'Authorizations' tab, under 'Maintain Authorization Data and Generate Profiles' go to 'Change Authorization Data'.
In the profile, whichever authorization object you want to deactivate, click on the small rectangle icon (with a small red rectangle on the side) just besides the authorization object name. This will cause the authorization object to be inactive.
-Neha