Switching to CAA3 from ES62

Former Member · ‎09-08-2016

Hello Experts,

I have come across a situation wherein after launching ES62 -> Environment-> Data , we can see Contract accounts(CAA3), how could we restrict it?

Regards

Piyush

Former Member · ‎09-09-2016

Hey Piyush,

You can try to restrict the contracts by authorization objects of the role, and also check if don´t exist object superposition.

Regards

Former Member · ‎09-12-2016

Hello Cristiano,

I tried tracing the user but unfortunately didn't find any authorization object which I could restrict. Could you please look into it? Also, could you please enlighten on object superposition.

Regards

Piyush

Former Member · ‎09-12-2016

Hello Piyush,

Did you find some roles in the SUIM typing the transaction ES62? So you have to see the activity of these objects and the contract field in all roles because if you have a activity with * in a role and in another role you have the same object with activity 3, in the end you have the object with activity *, 3 with access to the contracts of those roles.

Regards

Former Member · ‎09-12-2016

Hello Cristiano,

I am not sure which Auth. object I need to look into because as I mentioned I didn't find any auth. object which I could restrict to prevent switching from ES62 to CAA3

regards

Piyush

Former Member · ‎09-12-2016

Did you used this transaction to search S_BCE_68001425/ selection by assigned transactions in menu?

Former Member · ‎09-12-2016

I used SUIM and then "Role" >> By Transaction "ES62". I could find several role including this transaction. I am sure I am somewhere mistaking from what you are are trying to suggest. I am not certain how to find out the Auth. code which I need to restrict. Also, if I use the transaction you suggested, it takes me to Role by complex selection criteria. What details do I need to fill there?

Piyush

Former Member · ‎09-12-2016

Following the stpes bellow you will see the autorization objects. And now youu have to search the auth code of the contract CAA3. Expand the subtree until find the auth obj.

Example:

Former Member · ‎09-14-2016

Hello Cristiano,

Here is what I tried:

1) Tcode S_BCE_68001425

2) Entered Role and Using Profile Assignment tab, looked into all the profiles.

3) Found two Autho. object related to contract account as:

E_Contract

&

F_KKKO_BUK

4) Tried removing the access to both Auth. Objects also tried disabling both Auth. Objects, still didnt work. Still able to CAA3 within ES62

Regards

Piyush

Former Member · ‎09-14-2016

Hello,

Great!

So now in the same transaction you can search selection according authorizations values.

Type the objects and entry values, will show you the roles that have those objects.

After this you check the configuration of those objects in the roles.

But I don´t think those objects have the contract account, so you can check on SUIM - authorizations objects - auth by comple criteria - auth.object text and search by contrac* and then you see if some object have the contract account.

regards

Former Member · ‎09-15-2016

Hello Cristiano,

I tried suggested steps, and I found below screen.

However when I went to respective role, I didn't find this Authorization object. Not sure from here. Please help

**To add, I tried finding out all the role with : ES62-> F_KKVK_FDG -> ACTVT: * in S_BCE_68001425 t-code

I found several roles. But does that give any clue for me? How could a value of any field related to a different role?

Please suggest.

Regards

Piyush

Former Member · ‎09-15-2016

Hey

You must search the role with : ES62-> F_KKVK_FDG -> FLDGR_FICA: CAA3 and ACTVT: * in S_BCE_68001425 t-code,

Or you can search all users role with CAA3 or * object field that contains contract text.

So this way you will find the authorization object that allow access to se CAA3 contracts acount.

Regards

Former Member · ‎10-03-2016

Hello Cristiano,

Thanks for the reply. I tried with below options this time:

And found several roles. However not the one where I need to restrict CAA3. Also, please correct me, I believe if the concerned role doesn't have this Authorization Object F_KKVK_FDG or Authorization field FLDGR_FICA, it won't be affected by any other role? Please suggest

Regards

Piyush

Former Member · ‎10-03-2016

Hey,

Why don´t you use the ST01 to trace and check the object ?

Former Member · ‎10-03-2016

Hello Cristiano,

That was my first attempt to try ST01 and unfortunately I didn't find any object to restrict while switching to CAA3 from ES62.

Is there any way, I can try restricting it in S_TCODE?

Regards

Piyush

Rajesh_Naik · ‎10-04-2016

Hi Piyush,

This looks like an internal call.

1. Could you please trace it again, and look out for objects like P_TCODE or I_TCODE. These objects are responsible for authorization checks on internal calls of transactions.

2. Check the existing value provided in this object as of now in the role.

Thanks,

Rajesh

Former Member · ‎10-05-2016

Hello Rajesh,

Thanks for looking into this.

1) I performed trace and didn't find these two objects anywhere while switching to CAA3 from ES62

however I did find I_TCODE in the Authorization tab in Role where I see Tcodes: IE03, IQ03 and IQ09. What can I do in this case?

2) As mentioned above.

please suggest.

Regards

Piyush