Feb 16, 2009 at 10:26 AM

Authorization-check for infotype 0000 (actions)

Hi all,

I have always been under the impression that infotype 0000 (actions) cannot and should not be authorized on subtype level.

E.g. certain users are only allowed to execute specific actions belonging to their tasks.

We usually achieve this by restricting the users on usergroup parameter (UGR) so that they only see the actions that are allowed for them in PA40.

Now, it is still possible for users to access and execute actions they are not supposed to do through PA30 --> infotype 0000 and then selecting the subsequent subtype/action.

Master data access is still restricted by the assigned roles, so no additional infotype access is granted; however, it is possible for users to execute a firing action where they are not supposed to.

As per note 555154 (https://websmp230.sap-ag.de/sap(bD1ubCZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=555154) it states that infotype 0000 does not have subtypes (see also table T582A), yet it is possible to restrict access to these subtypes when I test it.

What is the correct approach in this?

Thanks in advance for your input!