08-25-2012 9:02 PM
Hi Friends
We have a Z transaction code (ZRIE), currently all users having authorization to VA01 also have authorization to ZRIE. More than 100 users have authorization to ZRIE
However, new requirement of the business is only selective 6 user IDs should have authorization to ZRIE.
ZRIE is the clone of VA01 .
Could you pls mention your ideas how we can achieve it ?
Thanks
08-25-2012 9:20 PM
Hello Rusheek,
It's simple if you work at role level. Just search for roles with this transaction and remove it from the roles that are assigned to the people that mustn't have access to it. If necessary, include the tx in other roles, but make sure that those roles are assigned to the right people.
The worse and incorrect approach would be remove it from all roles and create a new role exclusive for it that should be assigned to the 6 required users.
Anyway, if ZRIE is a clone of VA01, why remove the ZRIE and not the VA01??. It doesn't make sense...
There also many ways to solve the issue, like work at development level with validation rules. You can also create a custom authorization object that must be checked in the tx, and later assign it to the correspondind users... and a lot of weird solutions, but the only correct approach is work at role level as I mentioned first.
And... before making any changes, make sure that the business requirement is correct .
Cheers,
Diego.
08-25-2012 9:20 PM
Hello Rusheek,
It's simple if you work at role level. Just search for roles with this transaction and remove it from the roles that are assigned to the people that mustn't have access to it. If necessary, include the tx in other roles, but make sure that those roles are assigned to the right people.
The worse and incorrect approach would be remove it from all roles and create a new role exclusive for it that should be assigned to the 6 required users.
Anyway, if ZRIE is a clone of VA01, why remove the ZRIE and not the VA01??. It doesn't make sense...
There also many ways to solve the issue, like work at development level with validation rules. You can also create a custom authorization object that must be checked in the tx, and later assign it to the correspondind users... and a lot of weird solutions, but the only correct approach is work at role level as I mentioned first.
And... before making any changes, make sure that the business requirement is correct .
Cheers,
Diego.
08-27-2012 11:33 PM
Diego
Thanks for your reply.
Could you pls mention what is tx in your reply? I am not security consultant.
1.For certain business process, we use only YRIE not VA01.
2.This is just to mention that it's not possible to restrict authorization to whole transaction code (VA01 or YRIE), only authorization can be ristricted to certain sales document types through standard role changing method. Just could you pls let me know that my understanding is correct ?
Regards
08-28-2012 2:32 AM
09-06-2012 10:34 PM
08-26-2012 12:54 PM
Hi Rusheek,
Create a new role with ZRIE T-Code and assign to the set of user ID's who need (6 Require Users)
List out the roles which has VA01 and ZRIE T-Codes and remove the t-codes from the Roles,
Regards,
Lokeshwar.
09-12-2012 6:23 PM
Creating a new Role for each Z* transaction is also a good idea, however it would increase the number of roles.
09-12-2012 6:36 PM
Creating a new role for each Z transaction is a terrible idea. Z transactions should be integrated into your standard role design as any other transaction should be. If a design has only 1 transaction per role (RRMX not included) then the designer should find another career path immediately
09-18-2012 10:04 PM
Not really, my friend.
The new interfaces requirement comes out for every modules and business many many times does not want to give out all the customized interfaces with standard roles but like to be very very selective in assigning the Customized interfaces, specially in HR modules due to the sensitive data.
09-18-2012 10:22 PM
You are still going to shoot yourself in the foot if you want to use single maintanance ABAP PFCG roles for this.
But good luck!
Cheers,
Julius
09-19-2012 1:52 PM
Sure, in this case may be not, but sometimes you have to create separate roles depending on business requirement.
Take care, Mr Julius.
09-19-2012 7:11 PM
Nope, we will have to agree to disagree. The principle of a role for each customisation is an awful idea.
As you rightly point out it may be a solution for a very limited number of scenario's but for the majority of use cases custom transactions belong in the standard role build.