8 Replies Latest reply: Mar 17, 2008 6:07 PM by Neha Bhardwaj RSS

disable the authorization object

Ramesh Sammiti
Currently Being Moderated

hi

 

i  to make a role for functionals except basis tcodes. for this i am going to make a role (zsample), copied sap_all profile, disable Basis Objects (BZ_A, BC_C, BC_Z) and assigned it to them.

 

can u tell me the procedure for disabling auth objects

regards

ramesh

 

Edited by: Ramesh Sammiti on Mar 17, 2008 8:17 AM

  • Re: disable the authorization object
    Gautam Poddar
    Currently Being Moderated

    I would suggest that you disable Basis Tcodes instead of objects

    In object S_TCODE use the "From and To "

     

    e.g. to restrict all Tcodes from DB01 to DB20 use this:

    From and To

    0*      -       DB00

    DB21   -     Z*

     

     

    To disable objects, simply click on the Deactivate option for that Object.

  • Re: disable the authorization object
    Rakesh Kulkarni SP4Z121A5680
    Currently Being Moderated

    Hi Ramesh,

     

    If you are 4.6c machine then you will find a profile with name SAP_ALL_DISPLAY and you need to take care of some S_* objects and K_* objects which have activities other than 03.

     

    Other option is to restrict the BZ_A, BC_C, BC_Z class objects with only display activity.

     

    There are many posts on this issue.

     

    If you need further help then follow the link.

     

    Security

     

    Rakesh

  • Re: disable the authorization object
    Rakesh Kulkarni SP4Z121A5680
    Currently Being Moderated

    Hi Ramesh,

     

    BC_C, BC_Z are basis classes in which you will find many basis objects like S_USER_AGR(needed for role check), i dont suggest you to disable the entire class. Because some of the objects are needed for users for normal operations like display.

     

    So what you can do is

     

    1. Decide which tcodes you want to assign to the role annd restrict on tcode level itself, i.e restricting the activity to 03 in pfcg for related objects.

     

    2. Give SAP_ALL to the user and make sure you restrict each object of class BC_C, BC_Z on their activity.

     

    You can find many posts on these topics.Do an intense search.

    logging off....

     

    Rakesh

    • Re: disable the authorization object
      Alex Ayers
      Currently Being Moderated
      Rakesh Kulkarni wrote:

      >

      > 2. Give SAP_ALL to the user and make sure you restrict each object of class BC_C, BC_Z on their activity.

       

      Hi Rakesh,

       

      I think you mean a copy of SAP_ALL rather than modifying the actual SAP_ALL profile

      • Re: disable the authorization object
        Rakesh Kulkarni SP4Z121A5680
        Currently Being Moderated

        Yes Alex i mean copy of SAP_ALL and restrict it only to display.

         

        Ramesh other option with you to make a list of all the Tcodes and related objects(tcode related objects can be obtained from su22 or su24) needed by the funtional team and create a matrix out of it.

         

        Eg:

         

        Transactions     

        Unique Auth Object     

        Authorization Fld     

        Authorization Value Low     

        Authorization Value High

         

        This is manual job and takes time. But by maintaining a matrix you will get the job done perfectly, and you can impose restriction in an effective way.

         

         

        Rakesh

  • Re: disable the authorization object
    Neha Bhardwaj
    Currently Being Moderated

    Hi Ramesh,

     

    Go to the role in change mode (transaction PFCG).

     

    Under the 'Authorizations' tab, under 'Maintain Authorization Data and Generate Profiles' go to 'Change Authorization Data'.

     

    In the profile, whichever authorization object you want to deactivate, click on the small rectangle icon (with a small red rectangle on the side) just besides the authorization object name. This will cause the authorization object to be inactive.

     

    -Neha

Actions