on 07-28-2008 3:46 PM
Hello, my dear friends!
A new role Z_SAP_ALL was created for SAP consultants working at our company.
This role is the equivalent of SAP_ALL without some basis functions. For example, without running transaction SU01.
Consultants would like to use the button "Other menu". I am trying to allow them to run PFCG and add more useful transactions to their personal menu. For that I added authorization S_USER_TCD to Z_SAP_ALL. But in PFCG the error "No authorization to add transaction <TCODE> to the role menu" occurred. And the same text is in SU53:
Authorization check failed
Object Class BC_A Basis: Administration
Authorization Obj. S_USER_TCD Authorizations: Transactions in Roles
Authorization Field TCD Transaction Code
SE16
User's Authorization Data Z_TSTADM
Object Class BC_A Basis: Administration
Authorization Object S_USER_TCD Authorizations: Transactions in Roles
Authorizat. T-ED98011400 Authorizations: Transactions in Roles
Profl. T-ED9801148 Profile for role Z_SAP_ALL_NOADMIN_3
Role Z_SAP_ALL_NOADMIN_3
Authorization Field TCD Transaction Code
PFCG
Thanks in advance!
Best regards,
Tonya
A new role Z_SAP_ALL was created for SAP consultants working at our company.
This role is the equivalent of SAP_ALL without some basis functions. For example, without running transaction SU01.
Even if you have excluded some tcodes, users can still try some backdoor entries, like OOUS (transaction variants) for SU01...
S_USER_TCD will allow the users to add only those tcodes to roles (in PFCG) which are present in S_USER_TCD.
Hi Tonya,
Check the field values of Auth Object S_USER_TCD, and verify that you have included all SE16.
And if you want them to have access to add any transaction code in the role, then put * in there.
Regards,
Zaheer
Of course if you put * in the S_USER_TCD value field, they will end up adding SU01 and PFCG, in which case the whole Z_SAP_ALL concept is invalidated...
Btw, did you also take out SU10, SE38, and SE37? More explicitly, are they prevented from running BAPI_USER_CREATE1 and BAPI_USER_PROFILES_ASSIGN, which enable them to create whatever user they want, even with SAP_ALL? Do they have these rights in another SAP system, which is tied to the productive system via RFC? And so on...
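The S_USER_TCD behaviour discussed in this thread, as an added example that is not part of any post and is not SAP code: a simplified model of how the TCD field values decide which transactions can be added to a role menu, used to audit a value list against the sensitive transactions the replies name. The function names, the (low, high) pair layout and the matching rules (trailing `*` as prefix match, low/high as an inclusive string range) are assumptions made for illustration.

```python
# Added example: simplified model of the S_USER_TCD check (field TCD).
# Matching rules below are assumptions, not SAP's implementation.

# Transactions the thread names as defeating the restricted role.
SENSITIVE_TCODES = ["SU01", "PFCG", "SU10", "SE38", "SE37"]


def value_matches(tcode, low, high=""):
    """Return True if tcode is covered by one authorization value.

    A single value may end in '*' (prefix match, bare '*' matches all);
    a low/high pair is treated as an inclusive string range.
    """
    tcode, low, high = tcode.upper(), low.upper(), high.upper()
    if high:
        return low <= tcode <= high
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return tcode == low


def can_add(tcode, tcd_values):
    """True if any TCD value allows adding tcode to a role menu."""
    return any(value_matches(tcode, low, high) for low, high in tcd_values)


def audit(tcd_values, sensitive=SENSITIVE_TCODES):
    """List the sensitive transactions a TCD value list would allow."""
    return [t for t in sensitive if can_add(t, tcd_values)]


# Constructed sample value lists as (low, high) pairs.
AS_POSTED = [("PFCG", "")]      # TCD value shown in the SU53 output
WILDCARD = [("*", "")]          # the '*' suggestion
PREFIX = [("SE*", "")]          # constructed pattern value
RANGE = [("SE16", "SE38")]      # constructed range value

if __name__ == "__main__":
    print("SE16 addable with posted values:", can_add("SE16", AS_POSTED))
    for name, values in [("as posted", AS_POSTED), ("wildcard", WILDCARD),
                         ("prefix", PREFIX), ("range", RANGE)]:
        print(f"{name:10} -> sensitive tcodes allowed: {audit(values)}")
```

Running the audit on every custom role's TCD values before transport shows whether a pattern or range quietly covers a transaction the role was meant to exclude.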