Hello Tamas,

thanks for your quick response;

I think, that the user can use a IE02 flavor only he have also the IE02 transaction authorization, correct?

with this authorizations, the user can also start the normal IE02 (within SAPgui for Windows) after normal logon;

exactly this - start of normal IE02 - should not be possible for this user group;

Idea is:

- add authorization for “only-Personas-IE02” to IE02 authorization role (or creation of a new Personas-IE02 role for this);

this is only necessary to distinguish between "normal-IE02" and "Personas-IE02" user; for some user both is allowed

- set global variable “Personas_call” (in function group) when starting IE02 flavor

- create implizite enhancement point (after start of IE02) and check: IF NOT “Personas_call“ AND “only-Personas-IE02” authorization,THEN exit IE02;

what do you think about this idea?

You cannot prevent the user from logging on via the SAP GUI instead of the browser (if that's what you're looking for), but you could prevent them from accessing the Original Screen via authorization settings. You have to create a custom role that only permits the runtime authorization of using flavors and nothing else, and assign the simplified IE02 flavor to them as their default.

There is no standard solution yet to determine whether the user is logged on via a Personas or a SAP GUI session. However, a Personas script can determine whether the original screen or a flavor is active, using session.info.flavorId. This will be blank in case of the Original Screen.