
authorizations for PFCG

Former Member
0 Kudos

Hello, my dear friends!

New role Z_SAP_ALL was created for SAP consultants working at our company.

This role is the equivalent of SAP_ALL without some basis functions. For example, without running transaction SU01.

Consultants would like to use the button "Other menu". I am trying to allow them to run PFCG and add more useful transactions to their personal menu. For that I added authorization S_USER_TCD to Z_SAP_ALL. But in PFCG the error "No authorization to add transaction <TCODE> to the role menu" occurred. And the same text is in SU53:

Authorization check failed

Object Class BC_A Basis: Administration

Authorization Obj. S_USER_TCD Authorizations: Transactions in Roles

Authorization Field TCD Transaction Code

SE16

User's Authorization Data Z_TSTADM

Object Class BC_A Basis: Administration

Authorization Object S_USER_TCD Authorizations: Transactions in Roles

Authorizat. T-ED98011400 Authorizations: Transactions in Roles

Profl. T-ED9801148 Profile for role Z_SAP_ALL_NOADMIN_3

Role Z_SAP_ALL_NOADMIN_3

Authorization Field TCD Transaction Code

PFCG

Thanks in advance!

Best regards,

Tonya

Accepted Solutions (0)

Answers (2)


former_member1061482
Participant
0 Kudos

New role Z_SAP_ALL was created for SAP consultants working at our company.

This role is the equivalent of SAP_ALL without some basis functions. For example, without running transaction SU01.

Even if you have excluded some tcodes, users can still try some backdoor entries, like OOUS (transaction variants) for SU01...

S_USER_TCD will allow the users to add only those tcodes to roles (in PFCG) which are present in S_USER_TCD.

Former Member
0 Kudos

Hi Tonya,

Check the field values of auth object S_USER_TCD, and verify that you have included all SE16.

And if you want them to have access to add any transaction code in the role, then put * in there.

Regards,

Zaheer

Former Member
0 Kudos

Of course if you put * in the S_USER_TCD value field, they will end up adding SU01 and PFCG, in which case the whole Z_SAP_ALL concept is invalidated...

Btw, did you also take out SU10, SE38, and SE37? More explicitly, are they prevented from running BAPI_USER_CREATE1 and BAPI_USER_PROFILES_ASSIGN, which enables them to create whatever user they want, even with SAP_ALL? Do they have these rights in another SAP system, which is tied to the productive system via RFC? And so on...
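
The following is an added example, not part of any post in this thread and not SAP code: an offline model of how the TCD values of S_USER_TCD decide which transactions can be added to a role menu, used to audit a role before it is assigned. The function names, the sample value lists and the matching rules (exact value, pattern ending in `*`, inclusive range compared as plain strings) are simplifying assumptions.

```python
# Added example: offline model of S_USER_TCD / TCD value matching.
# Simplified assumption: a value is a single tcode, a pattern ending in "*",
# or a (low, high) range compared as plain uppercase strings.

SENSITIVE = ("SU01", "SU10", "PFCG", "SE37", "SE38")  # tcodes named in this thread


def value_covers(value, tcode):
    """Return True if one TCD authorization value covers the given tcode."""
    tcode = tcode.upper()
    if isinstance(value, tuple):          # range: (low, high), inclusive
        low, high = (v.upper() for v in value)
        return low <= tcode <= high
    value = value.upper()
    if value.endswith("*"):               # generic value: prefix match
        return tcode.startswith(value[:-1])
    return value == tcode                 # single value: exact match


def can_add_to_menu(tcd_values, tcode):
    """S_USER_TCD check as modelled here: any value covering the tcode passes."""
    return any(value_covers(v, tcode) for v in tcd_values)


def audit(tcd_values, wanted=()):
    """Report which sensitive tcodes are addable and which wanted ones are missing."""
    return {
        "sensitive_allowed": [t for t in SENSITIVE if can_add_to_menu(tcd_values, t)],
        "wanted_missing": [t for t in wanted if not can_add_to_menu(tcd_values, t)],
    }


if __name__ == "__main__":
    # Constructed sample inputs, mirroring the situations discussed in the thread.
    cases = {
        "as in the SU53 trace (TCD = PFCG)": ["PFCG"],
        "wildcard (TCD = *)": ["*"],
        "explicit list": ["SE16", "SM30", ("VA01", "VA03")],
    }
    for label, values in cases.items():
        print(label, "->", audit(values, wanted=["SE16"]))
```

The first case reproduces the SU53 result (SE16 is not covered by a TCD value of PFCG), and the second shows why `*` makes every excluded transaction addable again.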