Former Member

Not add authorization objects that exist in role when adding transaction

Hi All,

Is there an option existing in SAP that:

when adding a transaction to a role (or edit existing role) and the authorization objects for this transaction have been maintained in the role, the system should not be adding again the 'standard' SU24 values in the role (which we should then again 'inactivate').

Kind regards,

Kristof.


7 Answers

  • Best Answer
    Former Member
    Jan 11, 2010 at 01:02 PM

    For example:

    Imagine you have an administrator role with transactions SCC1, SCC4, SE16 added via the role menu.

    The SU24 for these transactions considering object S_TABU_DIS:

    SCC1
      ACTVT 02
      ACTVT 03
      DICBERCLS SS

    SCC4
      ACTVT 01
      ACTVT 02
      ACTVT 03
      DICBERCLS SS

    SE16
      ACTVT 03
      DICBERCLS

    But in the administrator role, I want to give S_TABU_DIS with ACTVT = * and DICBERCLS = *.

    By doing this and editing the role in 'edit expert mode: read old version and compare new objects', I will get the 3 different instances from the SU24 for the 3 transactions from above (and an instance with my ACTVT = * and DICBERCLS = *).

    But I would only like to have the instance with ACTVT = * and DICBERCLS = * so I inactivate all the other instances, resulting in a large list of inactive objects.

    > Can I conclude that for administrator roles, it is best not to add the transactions via the menu of the role, but instead to add all the relevant objects manually?

    In this example:

    Add

    S_TCODE: SCC1, SCC4, SE16

    S_TABU_DIS: ACTVT = * and DICBERCLS = *

    (+ all the other objects related to SCC1, SCC4 and SE16)

    thanks


    • Former Member

      The role might be for the DBA's who anyway might have access to all tables at that level?

      If it only has this access, and no development access, memory management, etc from the application then it could still be in the ball park of reason.

      I think display access should do most of the trick, but a few tables can be maintained from SE16 & SM30 and for the purpose of application table change logs and F4 search help this makes more sense than DB tools. They will enter the correct values, or find the missing ones.

      So, I would split the S_TABU_DIS authorizations into 2: One for display (03) and one with explicit values for the groups with change (02).

      > What will you do when S_DEVELOP is pulled into your administrators' role?

      Now ex-DBA's with a boat skipper license... that is scary.. 😊)

      Cheers,

      Julius

  • Jan 08, 2010 at 10:53 AM

    Hi Kristof.

    You can edit the role in expert mode (it is an option in the authorisations tab of the role). I believe there is an option "edit old status".

    This will treat the symptoms, but usually this happens because the objects are in "changed" mode as SU24 has not been considered during the role build.


  • Former Member
    Jan 08, 2010 at 11:16 PM

    Another "common mistake" is that you deleted the standard authorization earlier. When subsequently opening the authorization data it does not know this anymore, so pulls it back in again.

    Your options are described in SAP Note 113290 (https://service.sap.com/sap/support/notes/113290)

    I sometimes wonder what that "Delete" button could possibly be good for in a standard authorization.. and am still looking 😊

    Cheers,

    Julius


    • Former Member

      Hi,

      What Julius wrote before is the way of working. I myself, if the role is large or very critical, will make a copy and see what is happening. You can get a lot of information about the status of the objects from what is in front of the object when you get into the authorizations. You see new, old, maintained, etc. You can compare the roles in SUIM (the copied one and the one you are working on) and see what is happening. It takes some time, but can be very handy.

      Have fun

      Bye Jan van Roest

  • Former Member
    Jan 08, 2010 at 12:28 PM

    Hi Kristof,

    If you want to make any changes to the standard instances which are pulled by SU24 (first time), then it's always a good practice to inactivate that standard instance and manually add the instance --> maintain the field values as required. This will result in two instances: one is standard (inactive) and the other is manually added (active).

    If you make any changes to the standard instance then it will change that instance status from Standard to Change or Maintained. This will result in just one instance which is Change or Maintained hence the next time if you open the role in the change mode then it will again pull the standard instance of that object as it was found missing in the role.
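
The merge behaviour described in the answers on this page, as a simplified Python model (an added example, not SAP code and not posted by anyone in this thread). The `Auth` class, `merge` and the matching rule (a proposal counts as present only when a standard instance with the same values exists, active or inactive) are assumptions for illustration; the S_TABU_DIS values are the ones quoted in the best answer.

```python
from dataclasses import dataclass, replace

# S_TABU_DIS proposals as quoted in the thread (SE16 proposes an empty DICBERCLS).
SU24 = {
    "SCC1": {"ACTVT": ("02", "03"), "DICBERCLS": ("SS",)},
    "SCC4": {"ACTVT": ("01", "02", "03"), "DICBERCLS": ("SS",)},
    "SE16": {"ACTVT": ("03",), "DICBERCLS": ()},
}
WILDCARD = {"ACTVT": ("*",), "DICBERCLS": ("*",)}

@dataclass(frozen=True)
class Auth:                      # hypothetical model of one authorization instance
    values: tuple                # sorted (field, values) pairs
    status: str                  # "standard", "changed" or "manual"
    active: bool = True

def key(fields):
    return tuple(sorted((f, tuple(v)) for f, v in fields.items()))

def merge(role, menu=("SCC1", "SCC4", "SE16")):
    # Assumed rule: each distinct proposal with no matching standard instance
    # (active or inactive) is added to the role as a new standard instance.
    linked = {a.values for a in role if a.status == "standard"}
    out = list(role)
    for tcode in menu:
        k = key(SU24[tcode])
        if k not in linked:
            linked.add(k)
            out.append(Auth(k, "standard"))
    return out

def count(role, status, active=True):
    return sum(1 for a in role if a.status == status and a.active == active)

def scenario_inactivate():       # manual '*' instance, standards set inactive
    role = merge([Auth(key(WILDCARD), "manual")])
    role = [replace(a, active=False) if a.status == "standard" else a for a in role]
    return merge(role)           # nothing is pulled in again

def scenario_change():           # standard instance edited in place
    role = merge([])
    role[0] = replace(role[0], values=key(WILDCARD), status="changed")
    return merge(role)           # the SCC1 proposal comes back as standard

def scenario_delete():           # standard instances deleted from the role
    role = [a for a in merge([Auth(key(WILDCARD), "manual")]) if a.status != "standard"]
    return merge(role)           # all three proposals come back
```
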


  • Former Member
    Jan 08, 2010 at 10:28 PM

    > .... the authorization objects for this transaction have been maintained in the role.

    It is adding them for different transactions in S_TCODE, which may or may not be related to the menu transactions.

    Click on the icon which looks like "the Alps in the early morning with the sun rising in the background" and you will see the transactions and which values they pull in.

    If you don't want them, then either remove the values from the proposal indicators in SU24 or maintain them consistently.

    If they are pulled in as "standard" with blank or duplicated values, then see this thread:

    Cheers,

    Julius


  • Former Member
    Jan 11, 2010 at 09:57 AM

    Thanks for your replies.

    Is it normal that "administrator" roles are then overloaded with 'inactive standard objects' ?

    For administrators, the objects that are coming with a particular transaction are sometimes put to full authorization (with * values) and the values from SU24 are in this case neglected. This means that when such a role is taken in 'edit expert mode', the standard objects will be added again with the values from SU24. Resulting in roles where you have 10 inactive standard objects and 1 active with * authorization...


    • Former Member

      The advantage of a wiki is that everyone can contribute to it...

      I will add it to the sticky for now, until Shekar has his wiki up and running 😉

      Cheers,

      Julius

  • Former Member
    Jan 12, 2010 at 10:14 AM

    Thank you all for the information on this topic.
