
Separate authorisation to change fields in transaction XD02 and FD02

Former Member
0 Kudos

I have a small problem and I was wondering if somebody could help.

The user asked me to differentiate in a transaction (XD02 and FD02) the access of changing or simply displaying a field based on Users.

I tried to solve the problem in the following manner:

1. As the field didn't exist (ZTERM and VLIBB), I created an authorization object via transaction SU20.

2. In Authorization maintenance SU21, I created four Authorization objects, 2 for display ACTVT and 2 for Change.

3. These authorisation objects were attributed in transactions SU22 and SU24 to the transactions (XD02 and FD02).

4. Afterwards I ran all checks on which roles have to be changed via transaction SUIM.

5. I changed the affected roles (via transaction PFCG) and added the authorization objects; at first, I only attributed display activity.

6. But there is still a problem. The affected user can still change the fields even though he shouldn't be able to.

I checked via transaction SUIM who still has access to the authorization object but the user was not in the list. Do you have any ideas?

Thank you in advance.

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Hello,

I found the answer to the problem.

Problem description: Give change access only to a restricted user group in specific fields of transaction XD02 and FD02.

The solution is SAP standard. In table T055 and table T055G you need to add the fields that are relevant for authorisations. These fields will be added in authorisation object F_KNA1_AEN which are hardcoded in the transactions XD02 and FD02.

That means that any other solution described before won't work.

Menu access for T055 and T055G is

SPRO --> Financial Accounting --> Accounts Receivable and Accounts payable --> Customer Accounts --> Master Data --> Preparations for Changing Customer Master Data

In your Role (transaction PFCG) you need to include the authorisation object F_KNA1_AEN in order to grant access.

Thank you all for your help

Former Member
0 Kudos

Hi Michael,

I think even though you created custom authorization objects and then performed Check/Maintained the custom auth objects against these tcodes, it is not going to work as you desired because XD02 and FD02 are SAP Standard tcodes.

As these tcodes are hardcoded without any authorization checks based on the new custom auth objects, it is not going to work.

I think the best way is to talk with your ABAP programmer and identify the Authority Check statements in these tcodes.

Regards,

Kiran Kandepalli.

Former Member
0 Kudos

Hello Michael,

If you are able to find the objects from the trace as per what description Kiran has provided to use the transaction; please let us know whether it is a custom or a standard object which gives access.

Hello Kiran,

Well, as per my knowledge I believe we have the provision to link/call a custom object in a standard transaction too, but I'm not too sure. Let's see what results Michael gets for the same and maybe then we will get clarity on the same.

Regards,

Hersh.

Former Member
0 Kudos

Hello Michael,

There are different possibilities for the same for which you need to track on the following things:

1. Have you removed/restricted the previous authorization objects which were used to control the two transactions initially from all the roles? If not, please do the same, as in this case the new objects you have created would not restrict the previous ones, which still give access to the users.

2. The best and foolproof way to get to this would be to run a TRACE, which will give you the exact result as to which object you need to restrict for this action of the user. Based on the result of the trace you can then restrict the corresponding object which gives the user this authorization.

Regards,

Hersh.

Former Member
0 Kudos

Hello Hersh,

Thank you for your fast reply. How do I use trace exactly?

Kind regards

Michael

Former Member
0 Kudos

Hi Michael,

You can switch on a trace on any user using ST01 transaction.

After the user has executed the transaction, you can switch off the trace in ST01 and then go and check the Authorizations Analysis, which will output the actual authorization objects and the fields he has touched in the transaction.

Hope this helps.

Regards,

Kiran Kandepalli.
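
An added example, not part of any post in this thread: a Python sketch of the comparison the trace advice leads to, listing which objects a transaction actually checked for a user and which objects placed in the role were never checked at all. The CSV rows are constructed and simplified (they are not the ST01 display layout), and the user name and the `Z_*` object names are hypothetical.

```python
import csv
import io

# Constructed sample rows standing in for an exported authorization trace.
# rc follows AUTHORITY-CHECK return codes: 0 = check passed, 4 = check failed.
TRACE = """user,object,values,rc
TESTUSER,S_TCODE,TCD=XD02,0
TESTUSER,F_KNA1_GEN,ACTVT=02,0
TESTUSER,F_KNA1_BUK,ACTVT=02;BUKRS=1000,0
TESTUSER,F_KNA1_AEN,VZFGD=01,4
OTHERUSER,S_TCODE,TCD=FD02,0
"""

# Objects added to the role in PFCG; the Z_* names are hypothetical custom objects.
ROLE_OBJECTS = ["F_KNA1_GEN", "Z_ZTERM_DSP", "Z_VLIBB_DSP"]


def parse_trace(text):
    """Turn the CSV text into a list of dicts with parsed field values."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        pairs = (p.split("=", 1) for p in rec["values"].split(";") if p)
        rows.append({"user": rec["user"], "object": rec["object"],
                     "values": dict(pairs), "rc": int(rec["rc"])})
    return rows


def analyse(rows, user, role_objects):
    """Compare what the program checked for `user` with what the role contains."""
    checked = {}
    for row in rows:
        if row["user"] == user:
            checked.setdefault(row["object"], []).append(row["rc"])
    return {
        # Objects the transaction really evaluated for this user.
        "checked": sorted(checked),
        # Objects in the role that no AUTHORITY-CHECK ever asked about:
        # restricting them cannot change what the user can do.
        "never_checked": sorted(set(role_objects) - set(checked)),
        # Objects where at least one check failed (non-zero return code).
        "failed": sorted(o for o, rcs in checked.items() if any(rcs)),
    }


if __name__ == "__main__":
    for key, objects in analyse(parse_trace(TRACE), "TESTUSER", ROLE_OBJECTS).items():
        print(f"{key}: {', '.join(objects) or '-'}")
```

An object that appears under `never_checked` is one the transaction does not evaluate, so restricting it in the role has no effect on what the user can change.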