10-10-2009 12:41 PM
Hi Experts,
When a user needs an S_DEVELOP object, they provide the SU53 with P_GROUP as <dummy>. We also provide the user with S_DEVELOP with P_GROUP as blank. Even though the P_GROUP field is blank, the user is able to work. Then what is the purpose of the P_GROUP field in S_DEVELOP?
Kindly help me.
When I searched the Internet, I was not able to get enough information about the P_GROUP field of the S_DEVELOP object.
Regards,
Karthika
10-10-2009 1:35 PM
You needn't search on S_DEVELOP for this but on <DUMMY>. The dummy value check actually means that the programmer in this case doesn't mind what the value of P_GROUP is. The other fields will have understandable values in the SU53. In some cases a programmer will construct an AUTHORITY-CHECK in such a way that none of the fields are checked for their contents. If you have the object in your role, with any values, the check is passed.
To build a role which provides enough access for the dummy check but doesn't allow anything else you can fill the object field with two quotes around a space. If there's less room than three characters you can skip the space and finally the second quote.
An example of dummy values:
' '
''
'
10-10-2009 2:01 PM
Hi,
Thanks for your reply!
But when I checked the P_GROUP field, it shows the description 'Authorization Group for ABAP/4 Programs'.
May I know what the Authorization Group for ABAP/4 programs is? Is it the same as the authorization group for tables (S_TABU_DIS)? On what basis is it allocated to the program?
When I check for tcodes, the P_GROUP field is assigned to only a few tcodes (for all STMS* tcodes as *).
Kindly help me.
Regards,
Karthika
10-10-2009 2:15 PM
No, that wasn't it.
(http://help.sap.com/saphelp_nw70/helpdata/en/9f/dbaccb35c111d1829f0000e829fbfe/frameset.htm)
But there is an interesting text on that page:
"Authorization Check for ABAP Programs
For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contain a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs."
Edited by: Jurjen Heeck on Oct 10, 2009 3:15 PM
10-10-2009 2:32 PM
Hi,
P_GROUP is a field where you enter the auth groups related to the ABAP programs. It's not necessary that all the ABAP programs have auth groups associated with them; actually, it all depends on how the coding is done.
If auth groups are associated with ABAP programs, then you need to assign them in the S_DEVELOP and S_PROGRAM objects (P_GROUP field) to give the necessary authorization for execution of those ABAP programs. Again, it all depends on how the checks were configured in your code.
To find out which auth group (P_GROUP) is associated with a tcode:
1 - Go to SE93.
2 - Enter the tcode and check for the program associated with the tcode.
3 - Go to SE38, enter this program name, click on Attributes and then Display.
4 - Check the Auth group field in the pop-up.
For more detailed information on these auth groups, you can refer to tables TRDIR, TDGP or TDGPT.
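The lookup steps above, combined with the DUMMY behaviour described earlier in the thread, as an added ABAP example that is not part of any poster's reply. The report name and the default transaction code are assumptions; TSTC-PGMNA, TRDIR-SECU and TADIR-DEVCLASS are the standard fields behind the SE93 and SE38 screens.

```abap
REPORT z_pgroup_check_demo.
* Added illustration, not code from the thread. The report name and the
* default transaction code are assumptions; run it in a sandbox system.

PARAMETERS p_tcode TYPE tstc-tcode DEFAULT 'SE38'.

DATA: lv_prog  TYPE tstc-pgmna,
      lv_secu  TYPE trdir-secu,
      lv_class TYPE tadir-devclass.

* SE93 step: program behind the transaction code.
SELECT SINGLE pgmna FROM tstc INTO lv_prog WHERE tcode = p_tcode.
IF sy-subrc <> 0 OR lv_prog IS INITIAL.
  WRITE: / 'No program found for transaction', p_tcode.
  RETURN.
ENDIF.

* SE38 attributes step: authorization group stored with the program.
SELECT SINGLE secu FROM trdir INTO lv_secu WHERE name = lv_prog.

* Package of the program, needed for the DEVCLASS field of S_DEVELOP.
SELECT SINGLE devclass FROM tadir INTO lv_class
  WHERE pgmid = 'R3TR' AND object = 'PROG' AND obj_name = lv_prog.

WRITE: / 'Program:', lv_prog, 'Authorization group:', lv_secu.

* Check 1: P_GROUP is DUMMY, so whatever the role holds in that field
* (blank, ' ', a group name, *) is not evaluated.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD lv_class
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD lv_prog
  ID 'P_GROUP'  DUMMY
  ID 'ACTVT'    FIELD '03'.
WRITE: / 'P_GROUP as DUMMY          -> sy-subrc =', sy-subrc.

* Check 2: P_GROUP is compared with the program's authorization group,
* so the value maintained in the role now decides the result.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD lv_class
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD lv_prog
  ID 'P_GROUP'  FIELD lv_secu
  ID 'ACTVT'    FIELD '03'.
WRITE: / 'P_GROUP checked against group -> sy-subrc =', sy-subrc.
```

A return code of 0 means the check passed, 4 means the user has the object but not with matching values, and 12 means the user has no authorization for the object at all.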
10-10-2009 1:37 PM
Hello
Actually, the process needs authorization on the S_DEVELOP object to complete. The P_GROUP field is part of S_DEVELOP and does not require any authorization, as you stated above (P_GROUP <dummy>).
Regards
Anwer Waseem
SAP NetWeaver
10-10-2009 6:59 PM
p_group in s_program is used for submitting the report, protecting variant maintenance, scheduling it in a background jobstep, etc. So, it is for using the report.
p_group in s_develop is used for the development environment of the report, such as maintaining text elements, navigation in where-used-lists, changing the report attributes - which include the authorization group itself.
If an auth group has been set via report RSCSAUTH, then it implies an intention to use it for S_PROGRAM control in SA38, SM37, etc. S_DEVELOP works better using packages and object types in my opinion.
If you attempt to change the auth group via SE38, SE80 etc when it has already been set from RSCSAUTH, then the system will warn you. But you can accept the warning and create an inconsistency for a while... rather always use RSCSAUTH for both when making changes.
S_PROGRAM is more useful for you to use the group in security, but S_DEVELOP is stronger. Please be careful with all aspects of object S_DEVELOP.
Cheers,
Julius