
Value of CLIIDMAINT in auth object: S_TABU_CLI

Former Member
0 Kudos

Hi,

In SAP documentation, a value of 'X' means the user is authorized to maintain client-independent tables. What if you grant asterisk (*) or input both 'X' and '' for the field?

I would assume full access will NOT grant the authorization to users to maintain client-independent tables.

Is anyone able to confirm this?

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Annie,

I can confirm that a full access would GIVE authorization to maintain client independent tables.

A * value would give access to maintain the cross-client tables (independent tables), and I have done a test check with * to S_TABU_CLI and a test user, and I am afraid your assumption is wrong.

Br,

Sri

2 REPLIES

Former Member
0 Kudos

I would recommend giving 'X' and not *.

Technically, granting * means that you not only grant 'X', but in fact you also grant '' or other hidden values which SAP_ALL users are deprived of discovering...

A * value for an authorization field will let all authority checks pass against the range of possible values in the authority-check statement.

The permitted value ranges can also have permitted data types and permitted values, as can be seen in this example (SE11 -> Domain -> CLIIDMAINT -> Display -> Value range). There are 2 standard CHAR values, 'X' and (explicit) =''. Theoretically you can extend these ranges, for example if you coded an authority check against S_TABU_CLI field CLIIDMAINT = 'Y' and only wanted to grant 'Y' and not 'X' or ''.

Also note that S_TABU_CLI = 'X' check is just an upfront all or nothing check for access to maintain client independent "system" tables at all, <edit> you should still need authorizations for the auth-group </edit>. Depending on the transaction codes etc which you grant the user they should be guided into a table maintenance view, and S_TABU_DIS with appropriate activities and table-auth-groups would (normally) still be required and dependent on the authorizations which the user has in that specific client they are logged onto.

Message was edited by: Julius Bussche
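
The behaviour described in the replies above can be checked across roles with a small audit script. This is an added example, not code from the thread or from SAP: the CSV column layout, the role names, the `' '` notation for a blank value and the simplified matching rules are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample export (assumed layout: role, object, field, low, high).
SAMPLE_ROWS = """\
role,object,field,low,high
Z_BASIS_ADMIN,S_TABU_CLI,CLIIDMAINT,X,
Z_LEGACY_ALL,S_TABU_CLI,CLIIDMAINT,*,
Z_DISPLAY_ONLY,S_TABU_CLI,CLIIDMAINT,' ',
Z_BASIS_ADMIN,S_TABU_DIS,ACTVT,02,
"""

BLANK_NOTATIONS = ("' '", "''")  # assumed spellings of an explicitly granted blank
PROBES = ["X", "", "Y"]          # 'Y' is the hypothetical custom value from the reply


def value_passes(checked, low, high=""):
    """Simplified model: would a check for `checked` pass against one granted entry?"""
    if low == "":
        return False                      # empty entry grants nothing
    if low == "*":
        return True                       # full access passes every checked value
    if low in BLANK_NOTATIONS:
        return checked == ""              # only the blank value is granted
    if high:
        return low <= checked <= high     # range entry
    if low.endswith("*"):
        return checked.startswith(low[:-1])  # generic (prefix) entry
    return checked == low                 # single value


def audit_cliidmaint(rows_csv):
    """Map each role to the probe values its S_TABU_CLI grant would let pass."""
    result = {}
    for row in csv.DictReader(io.StringIO(rows_csv)):
        if (row["object"], row["field"]) != ("S_TABU_CLI", "CLIIDMAINT"):
            continue
        passed = result.setdefault(row["role"], [])
        for probe in PROBES:
            if probe not in passed and value_passes(probe, row["low"], row["high"]):
                passed.append(probe)
    return result


if __name__ == "__main__":
    for role, passed in audit_cliidmaint(SAMPLE_ROWS).items():
        flag = "REVIEW" if len(passed) > 1 else "ok"
        print(f"{role:16} passes {passed!r:18} {flag}")
```

Roles flagged for review pass more than one probe value, which is the over-grant the last reply recommends avoiding by assigning 'X' instead of *.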