
Consultants not able to run T-Codes even after profiles are assigned.

Former Member
0 Kudos

Hello Everyone!

I'm trying to maintain authorization profiles for SAP Functional Consultants. I want it so that a QM Consultant has authorization for using all QM T-Codes & can do only QM Customization, same for SD, MM and so on...

For this I've maintained a profile for MM in SU02, added all MM-related objects, and have activated it.

But once I assign it to a user he's neither able to use the basic T-Codes like MM01-2-3 or ME21-2-3n nor able to do advanced customizations.

Is there a catch I'm missing here?

Any help would be appreciated.

Thanks!

Tejasav Kalra

6 REPLIES 6

former_member204634
Participant
0 Kudos

Hi

You should be creating roles instead of profiles for access requirements. In your case, for the sake of resolution, I hope you have provided S_TCODE access inside the profiles. You can check via SU53/ST01 where the auth checks are failing.

Hope this helps

Prashant

0 Kudos

Dear Prashant,

I usually use PFCG to create roles, but creating consultants' profile is a challenge. They need to have access to config. t-codes. So I had to resort to SU02 for adding different authorizations to composite profile. What do you suggest?

Dear Alex,

We're working on ECC 6.0

Thanks!

Tejasav Kalra

0 Kudos

Hi Tejasav,

I would suggest that you add the authorization objects to a role & then generate the profile through PFCG. Assign this role to the users. If you assign only the profile to users, the PFCG_TIME_DEPENDENCY job will remove the profile from the user as there is no associated role against it.

Regards,

Dipesh

Edited by: Dipesh Dutta on Nov 28, 2011 11:33 AM

0 Kudos

Hi,

As you are on ECC6 I really wouldn't waste time with profiles. I'm not sure what your profile design looks like but you'll need transaction start auths (S_TCODE) along with the auth objects. [For those newbies out there, once upon a time S_TCODE didn't exist as a check and everything was provisioned through a limited subset of auth objects granting access to functionality areas]

Use PFCG to achieve this as with SU24 configured you will (usually) get the right auth objects pulled through into your role when you add a menu transaction.

While it would be best to start from fresh using a role, you could do as previously recommended and import your profile into a role and then pick up maintenance from there. It will be messy but one step better than chopping about with profiles.

0 Kudos

[For those newbies out there, once upon a time S_TCODE didn't exist as a check and everything was provisioned through a limited subset of auth objects granting access to functionality areas]

No cookies for you for making me feel old!

Former Member
0 Kudos

Hi,

Which version of SAP are you working on?

Cheers