Former Member

SAP Directories - AL11 - S_DATASET

Hi All,

There are two Roles say ZXX and ZYY which are present in all the jobs in a Development system.

Both the roles have authorization object S_DATASET where FILENAME field is unrestricted.

The transaction AL11 is present in some role, say ZAA, where the authorization object S_DATASET is restricted to certain files under the FILENAME field.

Since the users are assigned the jobs which include roles ZXX and ZYY, they are getting display access to ALL SAP Directories, regardless of the single role ZAA having S_DATASET restricted.

Please provide a way to restrict users to see particular path files only.

Thanks & Regards,

Gopi Lakshmipathy.


2 Answers

  • Former Member
    Posted on May 04, 2009 at 08:47 PM

    Gopi,

    the roles - ZXX and ZYY are not restricted and they have access to all the files / dataset under S_DATASET?

    If that is the case then this needs to be restricted. AL11 just gives you the list of all the SAP directories and is in no way related to giving access to the files and folders - this access is only controlled by S_DATASET.

    Thanks

    Khan


  • Former Member
    Posted on May 04, 2009 at 09:03 PM

    The file name is also not of much use if you do not know its name.

    Generally, the program will know its name, so restricting the program field of S_DATASET (and protecting variants in VARCH...) will make more sense.

    If you want to protect the directory path to the file, then you need to use the protective authorization group concept of object S_PATH.

    Take a read through function module AUTHORITY_CHECK_DATASET and search the forum here for discussions about it. "SPTH" is a good search term.

    Cheers,

    Julius

    PS: Someone asked me an interesting question recently about this: As the directory paths will change between DEV, QAS, PROD... how do we develop roles for S_DATASET and S_PATH and transport them without changing them in the target systems? Org levels for server names seemed to be an option, but it seemed a bit odd to create... Any other ideas? (or should I open my own thread 😊

    Edited by: Julius Bussche on May 4, 2009 11:05 PM


    • Former Member Andreas Noack

      Yes, in this case the temptation to create a system specific attribute to the role and carve S_DATASET and S_PATH out of the other roles is almost irresistible...

      However, if this is only for a specific solution (program name) then what about all the other roles? If it is for all the roles requiring S_DATASET then how many "delta roles" are you going to end up with?

      Prerequisite is that you have maintained explicit program-names in all the S_DATASET authorizations of all the roles so that you are able to isolate this /CCC/* program context here without the others overriding it.

      That can only be done by maintaining SU24 and getting everyone (including particularly the developers) to play along with it. There is no other sustainable way IMO.

      See [How to get hit by the ABAP authorizations bus, and survive to tell the tale - Part 2|http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/11687] [original link is broken], which deals with exactly this example.

      Cheers,

      Julius
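
The situation in the question, as an added example that is not part of the original thread and not SAP code: a simplified Python model of how an S_DATASET check is evaluated across the roles ZXX, ZYY and ZAA, plus a small audit helper that lists the roles leaving FILENAME at `*`. The role contents beyond what the thread states, the program name and the file paths are constructed assumptions, and the value matching is reduced to `*` and trailing-`*` patterns.

```python
# Simplified model of an ABAP authorization check (added example, constructed data).
# Authorizations from every assigned role are pooled; a check passes when ANY
# single authorization covers ALL checked fields. A narrower role never subtracts.

def value_matches(pattern, value):
    """'*' matches everything, a trailing '*' is a prefix match, else exact."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def auth_covers(auth, wanted):
    """True if one authorization instance covers every requested field value."""
    return all(any(value_matches(p, v) for p in auth.get(field, []))
               for field, v in wanted.items())

def granting_roles(roles, assigned, obj, wanted):
    """Assigned roles holding an authorization for obj that passes the check."""
    return sorted({name for name in assigned
                   for o, auth in roles[name]
                   if o == obj and auth_covers(auth, wanted)})

def wildcard_roles(roles, obj, field):
    """Audit helper: roles whose authorization for obj leaves field at '*'."""
    return sorted({name for name, auths in roles.items()
                   for o, auth in auths
                   if o == obj and "*" in auth.get(field, [])})

# Constructed role contents. Only FILENAME = '*' in ZXX/ZYY and the fact that
# ZAA is restricted come from the thread; every other value is an assumption.
ROLES = {
    "ZXX": [("S_DATASET", {"PROGRAM": ["*"], "ACTVT": ["33"], "FILENAME": ["*"]})],
    "ZYY": [("S_DATASET", {"PROGRAM": ["*"], "ACTVT": ["33", "34"], "FILENAME": ["*"]})],
    "ZAA": [("S_DATASET", {"PROGRAM": ["*"], "ACTVT": ["33"],
                           "FILENAME": ["/usr/sap/interfaces/*"]})],
}
READ = "33"  # S_DATASET activity value for read

def can_read(assigned, filename, program="Z_DEMO_READER"):  # hypothetical program
    """Return the roles that let a user with `assigned` roles read `filename`."""
    wanted = {"PROGRAM": program, "ACTVT": READ, "FILENAME": filename}
    return granting_roles(ROLES, assigned, "S_DATASET", wanted)

if __name__ == "__main__":
    outside = "/usr/sap/trans/data/R900001.DEV"  # constructed path outside ZAA's scope
    print("ZAA only:        ", can_read(["ZAA"], outside))
    print("ZAA + ZXX + ZYY: ", can_read(["ZAA", "ZXX", "ZYY"], outside))
    print("FILENAME = '*':  ", wildcard_roles(ROLES, "S_DATASET", "FILENAME"))
```

The roles returned by `wildcard_roles` are the ones that have to be narrowed (FILENAME, or the PROGRAM field as suggested in the second answer) before the restriction in ZAA has any effect.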
