
HU02 - restrict delete option for user

Former Member
0 Kudos

Hello

Does anyone know, from an authorization perspective, if I can restrict a user who has HU02 tcode, and btw only HU02 tcode exists in the role, from deleting a handling unit?

I've unchecked both the options Create & Delete in the role, yet the user is able to delete units.

I ran a trace to see if there are any objects, but all I saw in the trace was a bunch of other tcodes that were run in the background.

thanks

Raj

7 REPLIES 7

Former Member
0 Kudos

Hi Raj,

I think the best way is to look at the Authorization Objects Check/Maintained for HU02 tcode.

Also go to SE93 and check for any additional tcodes being called from HU02.

Go to SU24 and plug in HU02 and the called tcodes and find the Check/Maintained Auth objects against the tcodes.

Identify the Authobjects responsible for Handling units.

Once found, try to restrict the user from deletion of Handling Units in the authorization values for the respective Auth objects.

If the user is still able to delete, switch on a trace on the user and check the Authorization trace.

Then you may also need to examine the code behind the tcode and maybe talk with the functional folks dealing with Configuration options.

Hope this helps.

Regards,

Kiran Kandepalli

0 Kudos

Hi,

In addition to the previous answer, look into transaction SE97; there you see the transactions called by HU02 if you put this in the right field. The table behind this is TCDCOUPLES; with SE16 you can see which transactions are called by HU02, or you can see which transactions can call HU02.

With that and SU24 you can get a lot further.

Have fun

Bye Jan van Roest

0 Kudos

Kiran

Before I came to the forum I already did all that you talked about... the HU02 tcode calls many other tcodes, from the trace log, which I can't restrict... and the role that I have with HU02 tcode has no object at all and yet the user can delete handling units.

Thanks for your time.

Raj

0 Kudos

In some cases, where it is considered not critical I guess, the application will not make all the checks you want. It might assume that the user has already passed other checks, which will then determine what can be sent to HU02.

In these cases, I think it is fair to assume that another transaction calling this one should take care of more granular authority - even if not perfect. But that activity checks are missing seems a bit extreme.

Ideally, it is always better and easier to implement authorization security if the user has the same experience, regardless of how they get there (whether the tcode is present or not makes little difference in these cases - it is just an upfront check).

Either reconsider your choice of transaction (look for a different one) or open a message with SAP to tighten the checks in the core transaction.

If the user can start reports directly, they will anyway hose your tcode security (due to the above assumptions of authority checks being located in the correct places).

Cheers,

Julius

Edited by: Julius Bussche on Nov 17, 2008 11:18 PM

0 Kudos

Julius

I will have to talk to the developers tomorrow.

Raj

0 Kudos

I took a quick look as well, and I think you are correct (although note that it was a sandbox without data!).

I could not see any obvious checks, and the function for creating subsequent goods movements exposes a parameter via which checks can be disabled, which they by default are.

But there is at least one enhancement point via which your developer can try to activate checks again by creating a switch.

Good luck,

Julius

arjuna_bandara
Participant
0 Kudos

Alternatively, this can be done through a user status profile assigned to the relevant packing material type.

Business transaction "delete" can be forbidden for a user status.