Skip to Content
avatar image
Former Member

All SAP System Display Authorization

Hi,

I want to give FI, MM, SD, PP and Y& Zprograms in display mode pls suggest me a solution i have tried giving Activity 03 for each object also but i was not succeeded

Please suggest me a better solution

Regards

Rajini

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • avatar image
    Former Member
    Jan 09, 2009 at 05:16 AM

    Hi,

    What I can understand from your post is that you want to create roles with display transactions of all modules. I think you could have used the search option and come across multiple threads leading to the same result.

    If you just give 03 actvt for all objects does not necessarily help you.

    Some transactions will just not execute if they do not have 01 as the actvt in the required objects.

    The best way is to ask the business people for display specific tcodes and then create appropriate small business specific roles for MM, SD etc seperately.

    Regards,

    Subbu

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Mar 13, 2009 at 11:16 PM

    Hi,

    Try to create a new role by taking reference of SAP_ALL template and search of Activity field in the role and replace it with 03 if possible some objects need execute (16) authorization like S_RFC, we can give such objects depend on the usage 'Execute' activity and some objects need necessarily 01 or 02 activity those object do not enter any value just leave empty, so that at the time of generating profile it will ask for 'Generate' or 'Post-maint', select 'generate' and continue.

    I hope it helps you but you need to have the knowledge about the objects and their usage.

    Cheers....

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Mar 14, 2009 at 09:04 AM

    Field ACTVT is not the answer to all ACTIONs which the user is able to take.

    You need to find all the fields (there are about 50 of them) of all the objects (about 2500 of them) which are controlling the user's "mode" in all the transactions (several thousands...).

    Little tip: SU24 is typically used to propose values for those fields, object specifically with a transaction context..........

    Cheers,

    Julius

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Yeh, about 50 or 183... somewhere around there... 😉

      The catch is that some fields are activity related but not on their own (even a "name" field can be) and possibly only for certain transaction contexts (because there are other objects checked as well).

      > My conclusion after this search is that a technical-theoretical approach will never be a substitute for testing.

      One way of getting developers to make authority-checks and funckies to use objects consistently, is to have a policy that nothing goes into a role for a dialog user unless it is documented in SU24 with the correct activity related fields being proposed.

      If they want their functionality in production, they will have to do it. Then try to build such a role based only on what is known in SU24.

      A bugger are still executable reports though - those must make the correct checks and / or be assigned to exclusive authorization groups... SU24 cannot help there.

      Cheers,

      Julius