Skip to Content
author's profile photo
Former Member

role maintenance

Hi there,

I am doing role maintenance and have deleted the menus and maintained all the authorisations which are green but the authorisation and menu tab are still showing red even after saving the role. Can somebody have any inputs if this role would still work and what should I do to make them green

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

4 Answers

  • Posted on Sep 25, 2007 at 07:39 PM

    Hi,

    Easiest way to test if it works is to assign it to a user & try it yourself!

    Why have you deleted the menu's? this is where you maintain the transactions for the role. This in turn will pull through the relevant authorisation objects to run the transactions with the appropriate gaps which you need to populate to meet your restriction requirements.

    If the role has generated then it will give the access that is contained in the authorisations for that role. If you have object fields in the auth tab unpopulated then it is likely that you will come across auth checks that will fail when the role is used.

    If any of your objects in that tab are highlighted in red then it is missing an org level value (maintained in the org levels popup). If they are yellow then you are missing field value/s which may or may not need populating depending on what transactions they are and what auth checks the code evaluates.

    Most importantly, find yourself a copy of "authorizations made easy" & learn it all before you break any roles

    Add comment
    10|10000 characters needed characters exceeded

  • author's profile photo
    Former Member
    Posted on Sep 25, 2007 at 07:54 PM

    The menu tab will always show red if you have deleted all of the tcodes from the menu section. For the auth tab, it will show yellow if you have saved but not generated the role. It would be red only if you had some org values that are not maintained - otherwise they would be yellow.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Based on your questions I totally agree with Julie Nguyen.

      Based on your thread I think you just want to hide the transaction from the menu. Btw, this can be done. Let me know if this is the case and I can post explicit instructions.

  • author's profile photo
    Former Member
    Posted on Sep 26, 2007 at 03:26 AM

    Rather than deleting the menu's from the role... I believe (and dont have the steps on hand) you can hide the role menu's from showing when the user logs into the system. Might be something like below:

    Hide the User Menu

    November 25th, 2005

    To put it simple, when the user logs on to the system he should have only the SAP Standard Menu.

    Default hide for all the SAP users.

    Goto SM30 and edit the table

    SSM_CUST

    and set

    ALL_USER_MENUS_OFF = YES

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi,

      If you only want the sap default menu, do as the previous answere. If you want in a role a transaction that will not appear in the user menu, then use the tab authorization default in the men tab. The user will not see that transaction, but can execute it knowing the transaction code.

      What you did deleting the menu in the role is deleting all transactions. If you did not generate the profiles again, the old profiles must be still there. So this is very dangerous. Using the profile generator always generate the profiles after changing the role.

      Have fun

      Jan van Roest

  • Posted on Sep 27, 2007 at 05:33 PM

    rookie, hiding the transactions that users can see is nothing more than security by obscurity and as a result pretty worthless. It's important to make that distinction when people ask to hide transactions from a user. It is very, very simple for someone to see what real transactions that can run.

    Obviously that is very different than wanting users to use the standard menu for the sake of training/consistency.

    Add comment
    10|10000 characters needed characters exceeded