hi alex,

i didnt get the perfect picture about how to identify the object name which makes actual effect like for example in pfcg when i give tcode su01 then in profile generator it generates 5 objects like (s_user_agr, s_user_aut,s_user_grp,s_user_pro,s_user_sas) right. then if i want to restrict that role to access change activity then in which object i hav to maintain this activity or i hav to maintain this thing in all objects related to it, thats my main problem which i want to ask!

thanks

jimmy.

Just modify s_user_agr.

s_user_agr: Activity & Role name

-Pinkle

thanks for reply Pinkle, but my ques is from where we identify that particular object we hav to modify like in su01 we hav to maintain s_user_agr object.

Sorry I misunderstood your question.

But there is no easy way to find the authorization object used for particular transaction unless you debug the program.

Generally it is mention in the documentation of that particular functionality.

For example if you want to find out the authorization objects checked in pfcg then you need to go through the following document http://help.sap.com/saphelp_nw70/helpdata/en/ce/17533e5ff4d064e10000000a114084/frameset.htm and set the activity based on your requirement.

Same for function transactions, either you need to find the related document or need to consult the functional consultant to get the required value for that particular object.

Hope this will help.

-Pinkle

yes, Pinkle this helps me a lot, thanks a lot

can u tell me the perfect way to search documentation regarding particular tcode?

Hi Jimmy,

Please note that not all transaction code has authorization object documented.

If I were in your place then I just put the tcode in pfcg and ask function team for relevant values.

-Pinkle

oh ok, you mean in profile generator we have to ask related functional person about objects name and activities they want to give on those objects. right?

Right.

-Pinkle

thanks a lot!

Mostly the functional consultants will not know the technical names of objects and values, they can only decribe it from a functional point of vue. To translate the functional request in a technical role is the main task of a security consultant. If you do not know how ther are 3 options:

1 read the ABAP code and find the objects/values needed.

2 trace the process (ST01).

3 create test user with first isseu of role assigned and test this (adding all objects and values until it works as requested)

After you have found the right object do not forget to add them via SU24. More info can be found in SAP Security Calss room training and or authorisation made easy book (amazon.com)

Welcome to the world of SAP Security consulting!

hi Auke, thanks for reply.

can u give me an example of this process which u listed above like how we can read abap prog of a T-code, n how to identify that object in trace analysis. just one example if possible.

Thanks

Jimmy