
Which authorization should be given to an abaper?

Former Member
0 Kudos

Hello,

Which authorization should be defined in a role for an Abaper?

Regards,

Rachel

Edited by: Rachel on Feb 10, 2009 6:53 AM

1 ACCEPTED SOLUTION

Former Member
0 Kudos

We follow the below steps for giving authorization to an abaper.

Kindly suggest other ways of giving authorization.

If we have to assign authorization for new user,

Step 1: For the user, create a new role.

Step 2: Under authorization tab, manually assign object class BC_C, AAAB, BC_A, BC_Z to the role.

Also we would like to know how to do the above using SU21 transaction.

Regards,

Rachel

10 REPLIES 10

pradeepmathewch
Employee
0 Kudos

Hi Rachel,

Basically there is an auth class called BC_C which contains the development environment authorisation objects a user (ABAPer) requires from the BASIS layer.

Maybe you can go through it in SU21 and customize it according to your business needs.

Also, you need to add some more authorisation objects from the object classes AAAB, BC_A and BC_Z.

But these are all just BASIS level authorisations required by an ABAPer. In the meantime, he/she may require access to Application authorisations also... (which you can find again in the transaction SU21 mentioning the application area).

Customize it according to your needs.

Hope it helps!

Thanks and Regards,

Pradeep


0 Kudos

> Step 1: For the user, create a new role.

> Step 2: Under authorization tab, manually assign object class BC_C, AAAB, BC_A, BC_Z to the role.

> Also we would like to know how to do the above using SU21 transaction.

You don't. PFCG is the transaction to create roles.

In the start screen of PFCG you can also search for existing SAP_* roles which you can copy and modify to your needs. The role SAP_BC_DWB_ABAPDEVELOPER looks promising to me.

I found it searching for single roles named SAPDEVEL

Jurjen

Former Member
0 Kudos

Hello Rachel,

First, an ABAPer should get access to all the roles irrespective of modules - display only.

You can extract the authorization object list for these t-codes. These t-codes are mainly used by ABAPers.

For General ABAP Bench in Development Environment:

SE38, SE11, SE80, SE37, SE36, SM37, SM35, SPO1, SE14, SE93, SE91, SE49, SE84, SE81 (For Transports - SE01, SE10, SE09) LSMW, SE30, SQ01, SQ02, SQ03, ST22, ST05 etc...

For Application Enabling:

SM59 (for RFC in development), BD87, BD64, WE20, WE21, WE41, WE42, WE30, WE31, WE60, WE81, WE82, BD57, SM58 (Reprocessing of Field RFC) and SALE

Hope it helps you!

Regards,

Geetha

Former Member
0 Kudos

I agree with Jurjen's comment, and also search for [argument clinic|https://forums.sdn.sap.com/search.jspa?threadID=&q=argumentANDclinic&objID=f208&dateRange=all&numResults=15&rankBy=10001] for a previous discussion about the same.

Cheers,

Julius

Former Member
0 Kudos

Hello,

We followed Jurjen's steps and copied the role from SAP_BC_DWB_ABAPDEVELOPER.

When we were creating a request for making changes in existing ABAP reports, it threw an error "No authorization to create or change request or task"

When we tried to check the missing authorization in SU53, it says

"You are not authorized to use transaction in SU53"

What needs to be done?

Thanks & Regards,

Rachel

0 Kudos

Hi Rachel,

So first you need to give access to SU53. The easiest way to achieve this is by adding the transaction SU53 in the role menu of PFCG so that the system automatically takes all the relevant authorisation objects associated with SU53.

Then you may go to the Authorisation tab and maintain those auth objects with 'Yellow' traffic signal.

Once this is done, you have access to SU53 transaction.

Second part of your question is the authorisation to create and release transports. This is controlled by the authorisation object called 'S_TRANSPRT'.

You may add it to your role manually and customize it according to your need.

Hope it helps.

Thanks and Regards,

Pradeep

0 Kudos

Note that use of this object ( S_TRANSPRT ) also depends on how you have defined the QA approvals in the TMS system, and how it is setup in config. Also see S_CTS_ADMI which provides an override authority for it (much like S_BTCH_ADM does for S_BTCH_JOB).

Cheers,

Julius
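
The two checks discussed above (starting SU53 via S_TCODE, and creating or releasing requests and tasks via S_TRANSPRT) can be tested for a user with a small report. This is an added example, not part of the original thread or SAP-delivered code; the report name is hypothetical, the TTYPE/ACTVT combinations are a typical developer set chosen for illustration, and ABAP 7.40 or later syntax is assumed.

```abap
REPORT z_check_dev_auth.
* Added example; the report name is hypothetical. It runs the checks for
* the user who executes it. Assumes ABAP 7.40 or later syntax.

TYPES: BEGIN OF ty_check,
         ttype TYPE c LENGTH 4,   " S_TRANSPRT field TTYPE (request type)
         actvt TYPE c LENGTH 2,   " S_TRANSPRT field ACTVT (activity)
         text  TYPE c LENGTH 30,
       END OF ty_check.

DATA lt_checks TYPE STANDARD TABLE OF ty_check WITH EMPTY KEY.
DATA lv_result TYPE c LENGTH 7.

* Combinations a developer needs to create and release transports
* (illustrative selection: DTRA = workbench request, TASK = task).
lt_checks = VALUE #(
  ( ttype = 'DTRA' actvt = '01' text = 'Create workbench request' )
  ( ttype = 'TASK' actvt = '01' text = 'Create task' )
  ( ttype = 'TASK' actvt = '02' text = 'Change task' )
  ( ttype = 'TASK' actvt = '43' text = 'Release task' )
  ( ttype = 'DTRA' actvt = '43' text = 'Release workbench request' ) ).

* Starting SU53 itself is a transaction start check on S_TCODE.
AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SU53'.
lv_result = COND #( WHEN sy-subrc = 0 THEN 'OK' ELSE 'MISSING' ).
WRITE: / 'S_TCODE', 12 'SU53', 50 lv_result.

* One AUTHORITY-CHECK per request type / activity combination.
LOOP AT lt_checks INTO DATA(ls_check).
  AUTHORITY-CHECK OBJECT 'S_TRANSPRT'
    ID 'TTYPE' FIELD ls_check-ttype
    ID 'ACTVT' FIELD ls_check-actvt.
  lv_result = COND #( WHEN sy-subrc = 0 THEN 'OK' ELSE 'MISSING' ).
  WRITE: / 'S_TRANSPRT', 12 ls_check-ttype, 18 ls_check-actvt,
           22 ls_check-text, 50 lv_result.
ENDLOOP.
```

A MISSING line for S_TRANSPRT only reflects that object; it does not evaluate S_CTS_ADMI or the TMS configuration mentioned in the post above.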

0 Kudos

> The easiest way to achieve this is by adding the transaction SU53 in the role menu of PFCG so that the system automatically takes all the relevant authorisation objects associated with SU53.

Nice to know in this particular case is that SU53 only requires S_TCODE SU53 to work.

There is an SAP enduser role as well, called SAP_BC_ENDUSER, containing SU53 and several other often used transactions and authorizations. Create a copy of that one as well, modify it to suit your needs and standards and give it to everyone in the system.

0 Kudos

> Nice to know in this particular case is that SU53 only requires S_TCODE SU53 to work.

That is only true for starting the transaction on the user side and displaying the authorization values which were missing in the last check.

To explore further (e.g. display the authorization values which were found in the buffer, or display someone else's last failed authority-check for which they ran an SU53, etc) there are more checks.

This way you can give the user the possibility to display what they don't have, without letting them know what they do have....

Cheers,

Julius