disable the authorization object

Former Member · ‎03-17-2008

hi

i to make a role for functionals except basis tcodes. for this i am going to make a role (zsample), copied sap_all profile, disable Basis Objects (BZ_A, BC_C, BC_Z) and assigned it to them.

can u tell me the procedure for disabling auth objects

regards

ramesh

Edited by: Ramesh Sammiti on Mar 17, 2008 8:17 AM

former_member759680 · ‎03-17-2008

I would suggest that you disable Basis Tcodes instead of objects

In object S_TCODE use the "From and To "

e.g. to restrict all Tcodes from DB01 to DB20 use this:

From and To

0* - DB00

DB21 - Z*

To disable objects, simply click on the Deactivate option for that Object.

Former Member · ‎03-17-2008

>

> I would suggest that you disable Basis Tcodes instead of objects

> In object S_TCODE use the "From and To "

That won't stop the user from being able to run the functions. Restricting the objects will make it much harder.

Former Member · ‎03-17-2008

Hi Ramesh,

If you are 4.6c machine then you will find a profile with name SAP_ALL_DISPLAY and you need to take care of some S_* objects and K_* objects which have activities other than 03.

Other option is to restrict the BZ_A, BC_C, BC_Z class objects with only display activity.

There are many posts on this issue.

If you need further help then follow the link.

Rakesh

Former Member · ‎03-17-2008

hi Rakesh

thank u for quick reply. i am junior guy. please tell me the procedure for restrict the object(BC_A, BC_C....) to display

regards

Ramesh

Former Member · ‎03-17-2008

Hi Ramesh,

BC_C, BC_Z are basis classes in which you will find many basis objects like S_USER_AGR(needed for role check), i dont suggest you to disable the entire class. Because some of the objects are needed for users for normal operations like display.

So what you can do is

1. Decide which tcodes you want to assign to the role annd restrict on tcode level itself, i.e restricting the activity to 03 in pfcg for related objects.

2. Give SAP_ALL to the user and make sure you restrict each object of class BC_C, BC_Z on their activity.

You can find many posts on these topics.Do an intense search.

logging off....

Rakesh

Former Member · ‎03-17-2008

>

> 2. Give SAP_ALL to the user and make sure you restrict each object of class BC_C, BC_Z on their activity.

Hi Rakesh,

I think you mean a copy of SAP_ALL rather than modifying the actual SAP_ALL profile

Former Member · ‎03-17-2008

Yes Alex i mean copy of SAP_ALL and restrict it only to display.

Ramesh other option with you to make a list of all the Tcodes and related objects(tcode related objects can be obtained from su22 or su24) needed by the funtional team and create a matrix out of it.

Eg:

Transactions

Unique Auth Object

Authorization Fld

Authorization Value Low

Authorization Value High

This is manual job and takes time. But by maintaining a matrix you will get the job done perfectly, and you can impose restriction in an effective way.

Rakesh

Former Member · ‎03-17-2008

Hi Ramesh,

Go to the role in change mode (transaction PFCG).

Under the 'Authorizations' tab, under 'Maintain Authorization Data and Generate Profiles' go to 'Change Authorization Data'.

In the profile, whichever authorization object you want to deactivate, click on the small rectangle icon (with a small red rectangle on the side) just besides the authorization object name. This will cause the authorization object to be inactive.

-Neha