Solved: How to restrict authorization to a z transaction

former_member184509 · ‎08-25-2012

Hi Friends

We have a Z transaction code (ZRIE), currently all users having authorization to VA01 also have authorization to ZRIE. More than 100 users have authorization to ZRIE

However, new requirement of the business is only selective 6 user IDs should have authorization to ZRIE.

ZRIE is the clone of VA01 .

Could you pls mention your ideas how we can achieve it ?

Thanks

Former Member · ‎08-25-2012

Hello Rusheek,

It's simple if you work at role level. Just search for roles with this transaction and remove it from the roles that are assigned to the people that mustn't have access to it. If necessary, include the tx in other roles, but make sure that those roles are assigned to the right people.

The worse and incorrect approach would be remove it from all roles and create a new role exclusive for it that should be assigned to the 6 required users.

Anyway, if ZRIE is a clone of VA01, why remove the ZRIE and not the VA01??. It doesn't make sense...

There also many ways to solve the issue, like work at development level with validation rules. You can also create a custom authorization object that must be checked in the tx, and later assign it to the correspondind users... and a lot of weird solutions, but the only correct approach is work at role level as I mentioned first.

And... before making any changes, make sure that the business requirement is correct .

Cheers,

Diego.

Former Member · ‎08-25-2012

Hello Rusheek,

It's simple if you work at role level. Just search for roles with this transaction and remove it from the roles that are assigned to the people that mustn't have access to it. If necessary, include the tx in other roles, but make sure that those roles are assigned to the right people.

The worse and incorrect approach would be remove it from all roles and create a new role exclusive for it that should be assigned to the 6 required users.

Anyway, if ZRIE is a clone of VA01, why remove the ZRIE and not the VA01??. It doesn't make sense...

There also many ways to solve the issue, like work at development level with validation rules. You can also create a custom authorization object that must be checked in the tx, and later assign it to the correspondind users... and a lot of weird solutions, but the only correct approach is work at role level as I mentioned first.

And... before making any changes, make sure that the business requirement is correct .

Cheers,

Diego.

former_member184509 · ‎08-27-2012

Diego

Thanks for your reply.

Could you pls mention what is tx in your reply? I am not security consultant.

1.For certain business process, we use only YRIE not VA01.

2.This is just to mention that it's not possible to restrict authorization to whole transaction code (VA01 or YRIE), only authorization can be ristricted to certain sales document types through standard role changing method. Just could you pls let me know that my understanding is correct ?

Regards

Former Member · ‎08-28-2012

Rusheek,

tx states for Transaction. Are you in charge of the system security of the system?. If not, just send the requirement to the security team. You have to create/change roles to solve your problem as mentioned above.

Cheers,

Diego.

former_member184509 · ‎09-06-2012

Ok ,thanks

Former Member · ‎08-26-2012

Hi Rusheek,

Create a new role with ZRIE T-Code and assign to the set of user ID's who need (6 Require Users)

List out the roles which has VA01 and ZRIE T-Codes and remove the t-codes from the Roles,

Regards,

Lokeshwar.

Former Member · ‎09-12-2012

Creating a new Role for each Z* transaction is also a good idea, however it would increase the number of roles.

Former Member · ‎09-12-2012

Creating a new role for each Z transaction is a terrible idea. Z transactions should be integrated into your standard role design as any other transaction should be. If a design has only 1 transaction per role (RRMX not included) then the designer should find another career path immediately

Former Member · ‎09-18-2012

Not really, my friend.

The new interfaces requirement comes out for every modules and business many many times does not want to give out all the customized interfaces with standard roles but like to be very very selective in assigning the Customized interfaces, specially in HR modules due to the sensitive data.

Former Member · ‎09-18-2012

You are still going to shoot yourself in the foot if you want to use single maintanance ABAP PFCG roles for this.

But good luck!

Cheers,

Julius

Former Member · ‎09-19-2012

Sure, in this case may be not, but sometimes you have to create separate roles depending on business requirement.

Take care, Mr Julius.

Former Member · ‎09-19-2012

Nope, we will have to agree to disagree. The principle of a role for each customisation is an awful idea.

As you rightly point out it may be a solution for a very limited number of scenario's but for the majority of use cases custom transactions belong in the standard role build.