Skip to Content
avatar image
Former Member

disable the authorization object

hi

i to make a role for functionals except basis tcodes. for this i am going to make a role (zsample), copied sap_all profile, disable Basis Objects (BZ_A, BC_C, BC_Z) and assigned it to them.

can u tell me the procedure for disabling auth objects

regards

ramesh

Edited by: Ramesh Sammiti on Mar 17, 2008 8:17 AM

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • Mar 17, 2008 at 07:32 AM

    I would suggest that you disable Basis Tcodes instead of objects

    In object S_TCODE use the "From and To "

    e.g. to restrict all Tcodes from DB01 to DB20 use this:

    From and To

    0* - DB00

    DB21 - Z*

    To disable objects, simply click on the Deactivate option for that Object.

    Add comment
    10|10000 characters needed characters exceeded

    • >

      > I would suggest that you disable Basis Tcodes instead of objects

      > In object S_TCODE use the "From and To "

      That won't stop the user from being able to run the functions. Restricting the objects will make it much harder.

  • avatar image
    Former Member
    Mar 17, 2008 at 07:59 AM

    Hi Ramesh,

    If you are 4.6c machine then you will find a profile with name SAP_ALL_DISPLAY and you need to take care of some S_* objects and K_* objects which have activities other than 03.

    Other option is to restrict the BZ_A, BC_C, BC_Z class objects with only display activity.

    There are many posts on this issue.

    If you need further help then follow the link.

    Security

    Rakesh

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      hi Rakesh

      thank u for quick reply. i am junior guy. please tell me the procedure for restrict the object(BC_A, BC_C....) to display

      regards

      Ramesh

  • avatar image
    Former Member
    Mar 17, 2008 at 09:38 AM

    Hi Ramesh,

    BC_C, BC_Z are basis classes in which you will find many basis objects like S_USER_AGR(needed for role check), i dont suggest you to disable the entire class. Because some of the objects are needed for users for normal operations like display.

    So what you can do is

    1. Decide which tcodes you want to assign to the role annd restrict on tcode level itself, i.e restricting the activity to 03 in pfcg for related objects.

    2. Give SAP_ALL to the user and make sure you restrict each object of class BC_C, BC_Z on their activity.

    You can find many posts on these topics.Do an intense search.

    logging off....

    Rakesh

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Alex Ayers

      Yes Alex i mean copy of SAP_ALL and restrict it only to display.

      Ramesh other option with you to make a list of all the Tcodes and related objects(tcode related objects can be obtained from su22 or su24) needed by the funtional team and create a matrix out of it.

      Eg:

      Transactions

      Unique Auth Object

      Authorization Fld

      Authorization Value Low

      Authorization Value High

      This is manual job and takes time. But by maintaining a matrix you will get the job done perfectly, and you can impose restriction in an effective way.

      Rakesh

  • avatar image
    Former Member
    Mar 17, 2008 at 05:07 PM

    Hi Ramesh,

    Go to the role in change mode (transaction PFCG).

    Under the 'Authorizations' tab, under 'Maintain Authorization Data and Generate Profiles' go to 'Change Authorization Data'.

    In the profile, whichever authorization object you want to deactivate, click on the small rectangle icon (with a small red rectangle on the side) just besides the authorization object name. This will cause the authorization object to be inactive.

    -Neha

    Add comment
    10|10000 characters needed characters exceeded