10-15-2015 5:42 PM
Hi,
We are working on tightening our authorizations on business partners.
We have introduced the B_BUPA_FDG, so on field group.
Also field groups have been added to customizing (define field group for authorizations).
In authorization trace we see that user is NOT authorized for field group, but still in this case the address can be changed.
User has display authorization for field group, but not change authorization.
Are we overlooking something?
Regards,
Walter van Veen
10-16-2015 8:14 AM
10-16-2015 3:24 PM
Hi,
did you working in CRM? Which system version? GUI or Web UI?
I remember that there was some issue with Web UI.
10-16-2015 5:13 PM
10-16-2015 5:42 PM
Hi,
please set a BREAK-POINT in FM shown below to find out what's going wrong.
10-19-2015 12:49 PM
Hello Michael,
This FM is not touched.
The stack shows that: SCREEN_TEST_VISIBILITY and BUS_FMOD_FIELDS_DISP is touched.
With the last module the check on fieldgroup is executed.
Regards,
Walter
10-19-2015 1:06 PM
Hi,
please check OSS-Note http://service.sap.com/sap/support/notes/2106594
10-21-2015 12:06 PM
Hi,
The SAP note does not work, I am in change mode, not create mode.
Maybe I am overlooking something.
10-21-2015 12:21 PM
Hi, verify table TBZ3W columns OBLIND and X_CUSTAUS. Maybe this will be helpful.
10-21-2015 3:36 PM
Hi, with lot's of debugging I found out that it has to do with the EEW (Easy Enhancement Workbench). The generated code by EEW, does not set fields etc. to display.
Does the generated code from EEW also looks into the TBZ3W settings?
10-23-2015 10:42 AM
10-16-2015 4:28 PM
Walter,
In adding to Michael's comments, please let us know which tcode(s) you're utilizing this auth object with. Our company uses ICWeb which can be a bear to troubleshoot ICWeb auth failures. If you're also using ICWeb, creating a trace (ST01) for all auth object checks, RFC calls, and HTTP calls will help (i.e. log one user from time of login to auth failure). If there's no auth failure when the user attempts the task, look at the trace data at the time of login (when their user master buffer is loaded).
To help dissect trace data in CRM, I've found reviewing the UI_COMP components in table CRMC_UI_COMP_IP (Inbound Plug Definition), to be invaluable to understanding trace failures and components within a security role that allows this access. I've also found that by adding a menu button (for example Contract Management), allows change access even though all security auth objects are set to display only (i.e. there might be a RFC or program being called, or configuration that's allowing change access).
Any who, hopefully this info helps.
Cheers,
Greg
10-16-2015 5:14 PM
10-16-2015 5:12 PM