Skip to Content
author's profile photo Former Member
Former Member

Value of CLIIDMAINT in auth object: S_TABU_CLI


In SAP documentation, value of 'X' means the user is authorized to maintain client-independent tables. What if you grant asterisk(*) or input both 'X' and '' for the field?

I would assume full access will NOT grant the authorization to users to maintain client-independent tables.

Is anyone able to confirm this?

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • Best Answer
    Posted on Oct 13, 2006 at 11:35 AM

    Hi Annie,

    I can confirm that a full access would GIVE authorization to maintain client independent tables.

    A * value would give access to Maintain the Cross client tables (Independent Tables)and i have done a test check with * to S_TABU_CLI and a test user and i am afraid your assumption is wrong..



    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Oct 13, 2006 at 05:34 PM

    I would recommend giving 'X' and not *.

    Technically, granting * means that you not only grant 'X', but infact you also grant '' or other hidden values which SAP_ALL users are deprived of discovering...

    A * value for an authorization field will let all authority checks pass against the range of possible values in the authority-check statement.

    The permitted value ranges can also have permitted data types and permitted values as can be seen in this example (SE11 -> Domain -> CLIIDMAINT -> Display -> Value range.) There are 2 standard CHAR values, 'X' and (explicit) =''. Theoretically you can extend these ranges, for example if you coded an authority check against S_TABU_CLI field CLIIMAINT = 'Y' and only wanted to grant 'Y' and not 'X' or ''.

    Also note that S_TABU_CLI = 'X' check is just an upfront all or nothing check for access to maintain client independent "system" tables at all, <edit> you should still need authorizations for the auth-group </edit>. Depending on the transaction codes etc which you grant the user they should be guided into a table maintenance view, and S_TABU_DIS with appropriate activities and table-auth-groups would (normally) still be required and dependent on the authorizations which the user has in that specific client they are logged onto.

    Message was edited by: Julius Bussche

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.