06-26-2007 11:05 AM
06-26-2007 11:18 AM
Hi,
An Authorization Group is required to restrict access to Reports (through object S_PROGRAM) and also to restrict access to Tables (through object S_TABU_DIS).
For Tables:
- S_TABU_DIS is checked anytime someone looks at data in a table
directly (with one of these transactions - SE16/SE16N, SE17, SM30,
SM31 - or the Implementation Guide).
- S_TABU_DIS has two fields: Activity and Authorization Group.
The Authorization Group field is mapped to which tables a user can
access. The mapping is performed in table TDDAT. Table TDDAT
maps the Authorization Group to a list of tables.
You can create a new Authorization Group using Transaction SE54.
For Reports:
You can use the authorization object S_PROGRAM to control the
authorization to execute a program. S_PROGRAM uses the following
fields:
- User Action determines if you can start the program and schedule it to
run in batch mode, and what variants you can use.
- Authorization Group determines which programs you can execute.
The Authorization Group field comes from the authorization group in the
attributes of an ABAP program.
For this authorization object to be effective, ABAP programs must have an
authorization group assigned to them in the attributes of the program. If a
program does not have an authorization group assigned, the system does
not carry out a check for S_PROGRAM. For this reason, you may want to
always assign an authorization group to programs created by customers.
With the RSCSAUTH program, you can assign an authorization group
to all executable programs or to individual programs or program groups.
This ensures effective protection.
Hope it helps.
Please award points if it is useful.
Thanks & Regards,
Santosh
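An added example, not part of the posts in this thread: a small ABAP report that looks up a table's authorization group in TDDAT, runs the S_TABU_DIS display check against it, and lists executable customer programs that have no authorization group and therefore get no S_PROGRAM check. The report name and the Z/Y name filter are assumptions; the field names used (TDDAT-CCLASS, TRDIR-SECU, TRDIR-SUBC, DICBERCLS, ACTVT) are the standard ones but do not appear on this page.

```abap
REPORT z_authgroup_audit.  " hypothetical report name

PARAMETERS p_tab TYPE tddat-tabname OBLIGATORY.

DATA: lv_group TYPE tddat-cclass,
      lt_progs TYPE STANDARD TABLE OF trdir-name,
      lv_prog  TYPE trdir-name.

START-OF-SELECTION.

  " 1) Table -> authorization group, as mapped in TDDAT.
  SELECT SINGLE cclass FROM tddat INTO lv_group
    WHERE tabname = p_tab.

  IF sy-subrc <> 0.
    WRITE: / p_tab, 'has no entry in TDDAT'.
  ELSE.
    " Check the current user for display access (activity 03)
    " to the group that TDDAT returned for this table.
    AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
      ID 'DICBERCLS' FIELD lv_group
      ID 'ACTVT'     FIELD '03'.
    IF sy-subrc = 0.
      WRITE: / p_tab, 'group', lv_group, ': display allowed for', sy-uname.
    ELSE.
      WRITE: / p_tab, 'group', lv_group, ': display denied for', sy-uname.
    ENDIF.
  ENDIF.

  " 2) Executable programs (SUBC = '1') in the assumed customer
  "    namespace whose authorization group (SECU) is empty.
  SELECT name FROM trdir INTO TABLE lt_progs
    WHERE subc = '1'
      AND secu = space
      AND ( name LIKE 'Z%' OR name LIKE 'Y%' ).

  SKIP.
  WRITE: / 'Executable programs without an authorization group:'.
  LOOP AT lt_progs INTO lv_prog.
    WRITE: / lv_prog.
  ENDLOOP.
```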
06-26-2007 11:19 AM
Hi,
User groups for authorization are maintained for distributed user maintenance tasks. For example, you can have one user administrator manage users who are assigned to group-1 and group-2 but not the users of Group-3. The authorization is controlled via Authorization object S_USER_GRP.
As per online help:
User Group for Authorization Check
If you assign a user to a user group for the authorization check on the Logon Data tab, you can distribute user maintenance tasks among several user administrators. The system administrator can assign the respective user administrator the right to create and change users in a group. Using the authorization object User Master Maintenance: User Groups (S_USER_GRP), you can assign user groups to different administrators.
Users that are not assigned to any of the groups can be maintained by all administrators.
Cheers !!
Satya.
PS: Pls reward points if the answer was helpful..Thx
06-26-2007 11:42 AM