Skip to Content
avatar image
Former Member

giving user access to display SAP table without using standard SE16

Hi - We have serious security concern in this client and they want to find an alternate way to allow users diaplay access to tables relating to financials - specially BSEG , BKPF , COEP , etc.

Is there a way.

We are cnonsidering developing a new object like S_TABU_DIS and use the list of tables maintained in another table.

Is there a easier way to do this?

Thanks for your help

SSSI

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

6 Answers

  • Best Answer
    avatar image
    Former Member
    Oct 25, 2010 at 06:54 PM

    Hi -

    I want to thank each of you who gave meaningful input.

    Jurgen - thanks for bringing out the SOX concern. This is exactly the issue.

    The key point is we want to be able to restrict acees to data - the users I am looking help for need to be able to view only Finacial data - across the system ( they are the worldwide owner for finance data ) - but they should not be able to view logistics information.

    Harimander / Supreet

    creating Z transaction for each table would be a lor of work.

    Raghu - you menationed about the S_TABU_LIN which will restrict by org unit. This is good - but not able to control all Fi.

    I could not see S_TABU_NAM - will this help in my goal. How to get it in the system - we are no ECC 6.0.

    At this time we were contemplating using list of tables to control the access. The only problem is this will need maintenance.

    I belive we can create the object to include the table.

    Any suggestion to minimise the work? or with this background any more input.

    I could use SQVI - query viewer - does it have any control on tables?

    Thanks everyone

    Sajal

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      > I want to thank each of you who gave meaningful input.

      >

      There is a better way of saying thanks... Please check the line in your email starting like "REMINDER:.... " 😊

      > The key point is we want to be able to restrict acees to data - the users I am looking help for need to be able to view only Finacial data - across the system ( they are the worldwide owner for finance data ) - but they should not be able to view logistics information.

      This is for why the Table level security (Objects S_TABU_DIS, S_TABU_NAM, S_TABU_LIN, S_TABU_CLI) has been introduced. Any transaction needs any of these Objects will need proper value for the Table Authorization group in which the Tables are aligned. But for some groups you may get some other (or better say Extra) tables assigned to it and thus with the access to those groups, users will get access to those extra tables as well.

      > Harimander / Supreet

      > creating Z transaction for each table would be a lor of work.

      Correct!

      > Raghu - you menationed about the S_TABU_LIN which will restrict by org unit. This is good - but not able to control all Fi.

      > I could not see S_TABU_NAM - will this help in my goal. How to get it in the system - we are no ECC 6.0.

      >

      > At this time we were contemplating using list of tables to control the access. The only problem is this will need maintenance.

      > I belive we can create the object to include the table.

      Before I go for the suggestion you may need / want to get a details of the meaning of the Authorization Objects controlling the Table level security in the [SAP Note 1434284 - FAQ Authorization concept for generic table access|https://websmp230.sap-ag.de/sap%28bD1lbiZjPTAwMQ==%29/bc/bsp/spn/sapnotes/index2.htm?numm=1434284].

      Also check the mentioned Notes within this note.

      > Any suggestion to minimise the work? or with this background any more input.

      Perhaps the idea beside which you are wandering is not Custom TCode or Custom Authorization Objects. It should be Custom Table Authorization Group. This is the case where SE54 is going to help you to create some authorization groups and then assign the tables in those respective groups and then assign these Groups to the respective group of users in the Authorization Objects checked. But make sure to remove the standard value proposals (here your objects will turn into "Changed" status which used to create issue during later time).

      A better way to create those custom Table Authorization Groups are to align them with User Groups (like FI_TAB for FI users, PM_TAB for Plant Maintenance users etc.)

      > I could use SQVI - query viewer - does it have any control on tables?

      No. It is a different idea to use SQVI.

      Regards,

      Dipanjan

  • avatar image
    Former Member
    Oct 23, 2010 at 06:57 AM

    Hi Sajal,

    When you are only granting display access, I don't see any audit issues. If you are granting the access to the right set of people (with only display access), I presume no risks. May be you are not clear at the criticalities that your clients is looking at.

    Also, what is the intention of developing a custom object simlar to S_TABU_DIS? Both are for displaying data in the tables right?

    If you wish to restrict data to a specific set of users based on company code, or plant you may consider using S_TABU_LIN.

    Also, look at the newly introduced authorization object S_TABU_NAM which allows you to give authorization to specific data.

    If you require more information on restricting, revert with more clear explanation on your requirement.

    Hope this information helps you!!

    Regards,

    Raghu

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      I was referring to the mentioned tables

      That I missed. I thought it was a general remark in which case it would have been an incorrect one.

  • avatar image
    Former Member
    Oct 22, 2010 at 10:05 PM

    What's wrong with using standard application objects and reports?

    Cheers,

    Julius

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 25, 2010 at 07:15 AM

    per my understanding best ALTERNATE way will be to create Z... tcode for each of these tables

    then user can display or change only via THAT tcode

    hope that help

    regards,

    Surpreet

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 25, 2010 at 02:22 PM

    Hi Sajal,

    You can take help of your ABAP team for getting Z Tcodes created for each and every table you want.These Z tcodes will skip the Se16 window and directly take you to the table and it can be either in Display mode or Change mode,which ever is required.

    We had the same scenario and this is how we solved our problem.

    Thanks,

    Harimander Singh

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 26, 2010 at 11:31 AM

    Hello Sajal,

    You had a option to use the parameterized Tcode only for the critical tables and assign it to the roles.

    Remove the authorizaion Group for the FI tables.

    Best Regards

    Vikas

    Add comment
    10|10000 characters needed characters exceeded