- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- Assign a table to many table-authority-groups?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Assign a table to many table-authority-groups?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-04-2010 10:19 AM
Hi,
can one assign one table to many table-authority-groups in SE54? I'am creating a Role with almost SAP_ALL, though there should be some restrictions concerning client properties for example. Until now I excluded SAP_ALL from S_USER_PRO, SYSC and TABL from S_CTS_ADMI and SCC5 from S_TCODE. I'am aware of the functions to change tables in SE16 AND SE80. Therefore I'am thinking about a restriction that allows only reading of T000. I know the table-authority-group SS which one could use to constrain access to the table to readonly, but there are many other tables in SS. Therefore I would like to create two own groups, one like SS but without T000 and one that contains only T000, and restrict access to the second group to readonly. When I tried this I get a message that there is already a row with the same key, though I suppose one might not be able to assign two groups to one table.
Nevertheless I would be very happy about your Suggestions .
best regards
floweb
Edited by: floweb on Feb 4, 2010 11:20 AM
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-04-2010 10:40 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-04-2010 10:44 AM
You can only assign 1 auth group to a table. Even if you did this you would not meet your restriction requirement as starting from SAP_ALL is never recommended. You need to develop a role from scratch, there is lots of info on this forum and in the FAQ's
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-09-2010 2:44 PM
Thank you! You are probably right as far as the "real" security of an Admin role concerns.
But this role is intented to prevent a new admin from quick accidential actions that might harm the system. At the moment my intention is not to create a role that prevents the admin from intentional bad actions.
I think I found some "buttons" that fit these simple requirements.
I deleted SAP_ALL in S_USER_PRO,
SYSC in S_CTS_ADMI and set S_TABU_CLI to 'X'.
Therefore at least the role constrains SU01, SE06, SCC4 AND SCC5.
Thanks and best regards
floweb
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-09-2010 2:56 PM
Hi ,
If I understood you correct, I believe that you are trying to let the table T000 only to display and not to edit mode, but though you restrict access to SCC4 and table access through auth groups, there are still other ways like you can even change this table in debug change mode as you are trying to assign more access in the role.
Regards,
Nanda
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-09-2010 5:29 PM
>I think I found some "buttons" that fit these simple requirements.
>I deleted SAP_ALL in S_USER_PRO,
>SYSC in S_CTS_ADMI and set S_TABU_CLI to 'X'.
>Therefore at least the role constrains SU01, SE06, SCC4 AND SCC5.
I don't understand this and can see some holes in it already. Can you explain?
Cheers,
Julius
- SAP Managed Tags:
- Security
