08-18-2011 7:14 AM
Hi,
I need some help in restricting access for FBL1N. The requirement is the user should be able to only display the vendor items for the given opcos. I created a test role for this tcode and maintained the activity for all the auth objects to 03. But still the user is able to change the vendor details. When I ran a trace, it was showing the access to Tcode FB02, but I am not sure how the test user is getting this access, as the test role does not contain FB02 and the user does not have any other role. Please advise.
Regards
Kavitha
08-18-2011 7:35 AM
Hello,
Did you copy the test user from another user? Check if the user has some separate profiles via the tab Profiles in transaction SU01 that do not belong to a role.
Regards
Christian
08-18-2011 11:03 AM
Hi Christian,
Thanks for your response. I did notice that the user was assigned SAP_ALL, which was giving the access. It works fine now.
Regards
Kavitha
08-18-2011 9:13 AM
Hi Kavitha,
FBL1N internally calls lots of tcodes and FB02 is one among them. Check the table TCDCOUPLES.
I don't think this restriction is possible only with adding 03 activity for the F_LFA1* and F_BKPF* objects.
If you check FBL1N in SU24, there are a few other authorization objects that are in check state. You need to make them check maintain and further maintain the activities in the individual roles.
However, this may impact on the current roles that have FBL1N transaction code.
Hope this helps!!
Regards,
Raghu
08-18-2011 10:40 PM
Hi Kavitha,
>
> FBL1N internally calls lots of tcodes and FB02 is one among them. Check the table TCDCOUPLES.
>
> I don't think this restriction is possible only with adding 03 activity for the F_LFA1* and F_BKPF* objects.
>
> If you check FBL1N in SU24, there are a few other authorization objects that are in check state. You need to make them check maintain and further maintain the activities in the individual roles.
>
> However, this may impact on the current roles that have FBL1N transaction code.
>
> Hope this helps!!
>
> Regards,
> Raghu
Despite the SAP_ALL removing the authorization problem.... I would like to enquire about this post.
Can you please explain each of the statements you have made and provide some evidence?
If the user has the correct authorizations then they are wrong and the "check" and "check/maintain" status has no impact on the coding in customer type systems.
Cheers,
Julius
08-19-2011 8:14 AM
Hi Julius,
The FBL1N is calling FD02 tcode internally. The authorization objects F_LFA1* are with CHECK status in FBL1N. I infer that it is giving FB02 maintain access by default and hence recommended to verify and make them CM.
Regards,
Raghu
08-19-2011 9:13 AM
Hi
I remember the FBLxN transactions being in the delivered RAR ruleset, and we had FB02 added to it so that FBLxN were okay so long as the user didn't also have FB02, so I think the user can't access it indirectly (check bypassed)?
FBLxN are purely display without FB02?
Regards
David
08-19-2011 9:24 AM
Hi David & Julius,
I agree. I've just replicated it in my sandbox and you are right.
Thanks!
Regards,
Raghu