Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Assigning transactions to a user

Former Member

‎05-19-2008 1:54 PM

0 Kudos

Hi All,

I want to assign 5 transactions to a user where, for 2 transactions the user should have a display option only and for the rest of the transaction he should have the full authorization.

I know the basics of creating user (su01) and roles (pfcg ), which contain auth. objects followed by profile generation. But in this scenario how can I proceed. Need your help.

Regards

Rajesh

9 REPLIES 9

Bernhard_SAP
Employee
Employee

‎05-19-2008 2:02 PM

0 Kudos

Hi Rajesh,if those 5 transactions use the same authroizationobject to verify the allowed activity, then you have no chance.

Only if the display transactions and the full-aut.-transactions use different authorziation objects to verify the allowed activity, you are able to devide the allowed activites.

The authority-check in the Kernel simply searches for authorizations one by one, and does not care, for which transaction. so you need either different objects or additional objects.

b.rgds, Bernhard

Former Member

‎05-19-2008 5:14 PM

0 Kudos

Hi Rajesh - Bernhard thought sounds good to me...

Just to add, if you dont have too many roles on your system..how about going two roles in your scenario..for second role assign tcodes and change the activities only to display...

See if it works for you..

Thanks!

Former Member

‎05-19-2008 11:49 PM

0 Kudos

Of course it does depend on which transactions these 5 transactions are.

Some tcodes are display only regardless of the access for a specific object checked by the 5 transactions.

However I agree with the others: the transaction code is not that important (other than it's context for pulling in the authorizations required to actually use the 1 of 5 transactions into the role via SU24 or "case sensitive" for a program based on the transaction context (system field sy-tcode)). Many usefull transactions in SAP care about the authorization object' activity type field values and other application object fields, and most will let you switch to change mode from the display transaction if you have change access - regardless of the transaction (S_TCODE) but sometimes checking other TCD related field ID's.

Reporting tcodes are often different though: these have the same core checks but other options and objects.

Both transaction and reporting tcodes often have customizing dependencies as well, so you do not gave to use authorization objects always.

Rather complicated actually... as are the menus of the transactions from a security perspective....

Which 5 transaction codes were you specifically asking about?

Cheers,

Julius

Former Member

‎05-20-2008 5:47 AM

0 Kudos

Hi,

I want to give the following transactions: sm37, rz01, st22, sm21, sm13 out of which I want to give the last

3 transactions only for display mode. As u said I can go for 2 roles in this case.

So, just tell me where can I find the display options or any other options that I want to assign to these role.

Regards,

Rajesh.

Former Member
In response to Former Member

‎05-20-2008 6:25 AM

0 Kudos

Hi Rajesh,

You can set the display mode for the tcodes st22, sm21, sm13 as the objects are diff for them, but check them once. If su24 is maintained you can see the related objects for the tcodes, if objects are added manually then use the where used list button in authorization tab to know the tcodes for the objects.

(you can also check the objects for the tcodes by authority check programs)

For setting display mode to tcodes

Go to->pfcg->authorization tabs->open the tree->check where used list for objects and then set the activity to 03 in edit mode for those objects which use the tcodes.

Rakesh

Former Member
In response to Former Member

‎05-20-2008 8:35 AM

0 Kudos

In addition to S_DEVELOP, you will need to be carefull with S_ADMI_FCD to achieve this. Values such as PADM and SP02 come to mind.

As the user already has strong access via SM37, you should concentrate on the objects without caring too much how the user gets there.

I dont think 2 roles will be helpfull in any way either. As Bernhard already stated, the system looks to see whether the authorization check was successfull; it does not care which role the authorization is coming from.

Cheers,

Julius

Former Member

‎05-20-2008 7:49 AM

0 Kudos

Hi Rakesh ,

How can I set the activity to display mode only. Can you explain the things in brief . I had created 2 roles.

In one role I had given full authorization and in another I want to give the other options like display, how can i do that.

Regards,

Rajesh

Former Member
In response to Former Member

‎05-20-2008 8:00 AM

0 Kudos

Hi,

Check the following objects in PFCG authorizations tab,

S_DEVELOP and S_ALV_LAYO in these authorizations objects contains fild activity. Assign the value 03(display) to this field.

Siva

Former Member
In response to Former Member

‎05-20-2008 8:04 AM

0 Kudos

Thats right!!

But Rajesh make sure that the object which you are setting the activity 03 is for the correct tcode, where used list will help you.

Rakesh