Function group authorizations.

Former Member · ‎07-25-2008

How do you allocate an authorization for a particular function group? How do you find an existing role that has this authorization?

I do BASIS at a small site without a security person and bumble through security.

Recently I have encountered a number of notes advising me to allocate specific function group authorizations. I'm completely stumped as to how to do this and the notes give no hints at all. I can't seem to find anything in SUIM or PFCG that helps me.

Any assistance greatly appreciated!

Former Member · ‎07-25-2008

Hi,

Please do a search for the field FUGR thru SUIM.

Regards,

Srihari

Former Member · ‎07-25-2008

You need to provide the object S_DEVELOP with OBJTYPE = FUGR, OBJNAME = 'name_of_the_function_group', ACTVT = 16 (execute). This is what is needed to execute functions within that particular group.

To check which function group a specific function resides within, display the function using SE37, select Goto->Main Program from menu, then Goto->Attributes.

Quick tip: use ST01 to activate an authorization trace, then execute whatever functionality you want to restrict authorizations on. Analyzing the resulting trace will give a decent idea of the objects that are involved, and which values you need to set.

Regards,

Trond

Edited by: Trond Stroemme on Jul 25, 2008 9:28 AM

Former Member · ‎07-25-2008

>

> You need to provide the object S_DEVELOP with OBJTYPE = FUGR, OBJNAME = 'name_of_the_function_group', ACTVT = 16 (execute). This is what is needed to execute functions within that particular group.

That would be for "single testing" - see SAP note 587410.

For RFC itself, the object is S_RFC with the function group name (RFC_TYPE = 'FUGR'). From release 7.10 onward, you can also control at the level of the function module name (RFC_TYPE = 'FUNC').

Depending on your config, these checks may or may not occur.

Cheers,

Julius