10-13-2006 5:33 AM
Hi,
In SAP documentation, value of 'X' means the user is authorized to maintain client-independent tables. What if you grant asterisk(*) or input both 'X' and '' for the field?
I would assume full access will NOT grant the authorization to users to maintain client-independent tables.
Is anyone able to confirm this?
10-13-2006 12:35 PM
Hi Annie,
I can confirm that a full access would GIVE authorization to maintain client independent tables.
A * value would give access to Maintain the Cross client tables (Independent Tables)and i have done a test check with * to S_TABU_CLI and a test user and i am afraid your assumption is wrong..
Br,
Sri
10-13-2006 12:35 PM
Hi Annie,
I can confirm that a full access would GIVE authorization to maintain client independent tables.
A * value would give access to Maintain the Cross client tables (Independent Tables)and i have done a test check with * to S_TABU_CLI and a test user and i am afraid your assumption is wrong..
Br,
Sri
10-13-2006 6:34 PM
I would recommend giving 'X' and not *.
Technically, granting * means that you not only grant 'X', but infact you also grant '' or other hidden values which SAP_ALL users are deprived of discovering...
A * value for an authorization field will let all authority checks pass against the range of possible values in the authority-check statement.
The permitted value ranges can also have permitted data types and permitted values as can be seen in this example (SE11 -> Domain -> CLIIDMAINT -> Display -> Value range.) There are 2 standard CHAR values, 'X' and (explicit) =''. Theoretically you can extend these ranges, for example if you coded an authority check against S_TABU_CLI field CLIIMAINT = 'Y' and only wanted to grant 'Y' and not 'X' or ''.
Also note that S_TABU_CLI = 'X' check is just an upfront all or nothing check for access to maintain client independent "system" tables at all, <edit> you should still need authorizations for the auth-group </edit>. Depending on the transaction codes etc which you grant the user they should be guided into a table maintenance view, and S_TABU_DIS with appropriate activities and table-auth-groups would (normally) still be required and dependent on the authorizations which the user has in that specific client they are logged onto.
Message was edited by: Julius Bussche