07-25-2008 2:38 AM
How do you allocate an authorization for a particular function group? How do you find an existing role that has this authorization?
I do BASIS at a small site without a security person and bumble through security.
Recently I have encountered a number of notes advising me to allocate specific function group authorizations. I'm completely stumped as to how to do this and the notes give no hints at all. I can't seem to find anything in SUIM or PFCG that helps me.
Any assistance greatly appreciated!
07-25-2008 6:45 AM
07-25-2008 8:22 AM
You need to provide the object S_DEVELOP with OBJTYPE = FUGR, OBJNAME = 'name_of_the_function_group', ACTVT = 16 (execute). This is what is needed to execute functions within that particular group.
To check which function group a specific function resides within, display the function using SE37, select Goto->Main Program from menu, then Goto->Attributes.
Quick tip: use ST01 to activate an authorization trace, then execute whatever functionality you want to restrict authorizations on. Analyzing the resulting trace will give a decent idea of the objects that are involved, and which values you need to set.
Regards,
Trond
Edited by: Trond Stroemme on Jul 25, 2008 9:28 AM
07-25-2008 9:03 AM
>
> You need to provide the object S_DEVELOP with OBJTYPE = FUGR, OBJNAME = 'name_of_the_function_group', ACTVT = 16 (execute). This is what is needed to execute functions within that particular group.
That would be for "single testing" - see SAP note 587410.
For RFC itself, the object is S_RFC with the function group name (RFC_TYPE = 'FUGR'). From release 7.10 onward, you can also control at the level of the function module name (RFC_TYPE = 'FUNC').
Depending on your config, these checks may or may not occur.
Cheers,
Julius