All SAP System Display Authorization

Former Member
0 Kudos

Hi,

I want to give FI, MM, SD, PP and Y & Z programs in display mode. Please suggest a solution. I have tried giving Activity 03 for each object as well, but I did not succeed.

Please suggest a better solution.

Regards

Rajini

5 REPLIES 5

Former Member
0 Kudos

Hi,

What I can understand from your post is that you want to create roles with display transactions of all modules. I think you could have used the search option and come across multiple threads leading to the same result.

Just giving 03 actvt for all objects does not necessarily help you.

Some transactions will just not execute if they do not have 01 as the actvt in the required objects.

The best way is to ask the business people for display-specific tcodes and then create appropriate small business-specific roles for MM, SD etc. separately.

Regards,

Subbu

Former Member
0 Kudos

Hi,

Try to create a new role using the SAP_ALL template as a reference, search for the Activity field in the role and replace it with 03 where possible. Some objects, like S_RFC, need execute (16) authorization; we can give such objects the 'Execute' activity depending on the usage. Some objects necessarily need activity 01 or 02; for those objects do not enter any value, just leave them empty, so that at the time of generating the profile it will ask for 'Generate' or 'Post-maint'. Select 'Generate' and continue.

I hope it helps you but you need to have the knowledge about the objects and their usage.

Cheers....

Former Member
0 Kudos

Field ACTVT is not the answer to all ACTIONs which the user is able to take.

You need to find all the fields (there are about 50 of them) of all the objects (about 2500 of them) which are controlling the user's "mode" in all the transactions (several thousands...).

Little tip: SU24 is typically used to propose values for those fields, object specifically with a transaction context..........

Cheers,

Julius

0 Kudos

> Field ACTVT is not the answer to all ACTIONs which the user is able to take.

>

> You need to find all the fields (there are about 50 of them) of all the objects (about 2500 of them) which are controlling the user's "mode" in all the transactions (several thousands...).

I found 183 activity-related fields, scanning about 2900 objects (and skipping about 800 of those as they belonged to industry solutions not relevant for me) in an ECC 6 system. Not sure how many I missed.

My conclusion after this search is that a technical-theoretical approach will never be a substitute for testing. Roles built/based on SAP_ALL should never be used in a productive system.

0 Kudos

Yeh, about 50 or 183... somewhere around there...

The catch is that some fields are activity related but not on their own (even a "name" field can be) and possibly only for certain transaction contexts (because there are other objects checked as well).

> My conclusion after this search is that a technical-theoretical approach will never be a substitute for testing.

One way of getting developers to make authority-checks and funckies to use objects consistently, is to have a policy that nothing goes into a role for a dialog user unless it is documented in SU24 with the correct activity related fields being proposed.

If they want their functionality in production, they will have to do it. Then try to build such a role based only on what is known in SU24.

A bugger are still executable reports though - those must make the correct checks and / or be assigned to exclusive authorization groups... SU24 cannot help there.

Cheers,

Julius
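
The SU24 policy described in the last reply can be checked mechanically. The following is an added example, not part of the original thread: it compares a role's authorization values against the SU24 proposals for the transactions in the role menu and flags anything a proposal does not back, for every field rather than only ACTVT. All rows, the Z* transaction, object and field names, and the flat (object, field, value) export layout are constructed assumptions.

```python
from collections import defaultdict

# Constructed SU24-style proposals: (tcode, object, field, proposed value).
# All Z* names are hypothetical custom objects, not real SAP objects.
SU24 = [
    ("ZSD_DISP", "Z_SD_ORDER", "ACTVT", "03"),
    ("ZSD_DISP", "Z_SD_ORDER", "ZMODE", "DISPLAY"),
    ("ZMM_DISP", "Z_MM_STOCK", "ACTVT", "03"),
    ("ZMM_EDIT", "Z_MM_STOCK", "ACTVT", "02"),
]

# Constructed role content: menu tcodes and (object, field, value) rows.
ROLE_TCODES = {"ZSD_DISP", "ZMM_DISP"}
ROLE_AUTHS = [
    ("Z_SD_ORDER", "ACTVT", "03"),
    ("Z_SD_ORDER", "ZMODE", "CHANGE"),  # ACTVT is 03, yet this field is not display
    ("Z_MM_STOCK", "ACTVT", "*"),       # wildcard covers 01/02 as well as 03
    ("Z_FI_POST", "ACTVT", "03"),       # object with no proposal for the menu
]


def audit_role(tcodes, auths, su24):
    """Return (object, field, value, reason) for rows SU24 does not back."""
    proposed = defaultdict(set)
    objects = set()
    for tcode, obj, field, value in su24:
        if tcode in tcodes:  # only proposals for the role's own menu count
            proposed[(obj, field)].add(value)
            objects.add(obj)
    findings = []
    for obj, field, value in auths:
        if obj not in objects:
            reason = "object not proposed for any tcode in the role"
        elif (obj, field) not in proposed:
            reason = "field has no SU24 proposal"
        elif value not in proposed[(obj, field)]:
            reason = ("wildcard exceeds proposal" if value == "*"
                      else "value differs from proposal")
        else:
            continue  # value is documented in SU24 for this role's menu
        findings.append((obj, field, value, reason))
    return findings


if __name__ == "__main__":
    for row in audit_role(ROLE_TCODES, ROLE_AUTHS, SU24):
        print(row)
```

As the thread notes, a clean result here only means the role matches what SU24 documents; it does not replace testing, and it says nothing about executable reports that make no checks.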