I want to make a role for functionals except Basis tcodes. For this I am going to make a role (zsample), copy the SAP_ALL profile, disable the Basis objects (BZ_A, BC_C, BC_Z) and assign it to them.
Can you tell me the procedure for disabling auth objects?
Edited by: Ramesh Sammiti on Mar 17, 2008 8:17 AM
If you are on a 4.6C machine then you will find a profile named SAP_ALL_DISPLAY, and you need to take care of some S_* objects and K_* objects which have activities other than 03.
The other option is to restrict the BZ_A, BC_C, BC_Z class objects to display activity only.
There are many posts on this issue.
If you need further help then follow the link.
BC_C and BC_Z are Basis classes in which you will find many Basis objects like S_USER_AGR (needed for role check). I don't suggest you disable the entire class, because some of the objects are needed by users for normal operations like display.
So what you can do is:
1. Decide which tcodes you want to assign to the role and restrict on tcode level itself, i.e. restricting the activity to 03 in PFCG for related objects.
2. Give SAP_ALL to the user and make sure you restrict each object of class BC_C, BC_Z on their activity.
You can find many posts on these topics. Do an intense search.
Yes Alex, I mean a copy of SAP_ALL, restricted only to display.
Ramesh, the other option for you is to make a list of all the tcodes and related objects (tcode-related objects can be obtained from SU22 or SU24) needed by the functional team and create a matrix out of it.
Unique Auth Object | Authorization Value Low | Authorization Value High
This is a manual job and takes time. But by maintaining a matrix you will get the job done perfectly, and you can impose restrictions in an effective way.
Go to the role in change mode (transaction PFCG).
Under the 'Authorizations' tab, under 'Maintain Authorization Data and Generate Profiles' go to 'Change Authorization Data'.
In the profile, for whichever authorization object you want to deactivate, click on the small rectangle icon (with a small red rectangle on the side) just beside the authorization object name. This will cause the authorization object to be inactive.
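
The matrix suggested in the thread (tcode-related objects from SU22/SU24, with low and high values) can be built from an export instead of by hand; this is an added example, not part of any poster's reply. The rows are constructed sample data in an assumed five-column export shape, and `build_matrix` and `non_display_basis` are hypothetical helper names; the second one lists S_* objects whose activity goes beyond 03.

```python
from collections import defaultdict

# Constructed sample rows (not real system data), assumed export shape:
# (tcode, auth object, field, value low, value high)
SU24_ROWS = [
    ("VA03", "V_VBAK_VKO", "ACTVT", "03", ""),
    ("VA03", "V_VBAK_VKO", "VKORG", "1000", "1999"),
    ("VA02", "V_VBAK_VKO", "ACTVT", "02", ""),
    ("VA02", "V_VBAK_VKO", "ACTVT", "03", ""),
    ("VA02", "V_VBAK_VKO", "VKORG", "1000", "1999"),
    ("SM30", "S_TABU_DIS", "ACTVT", "02", ""),
    ("SM30", "S_TABU_DIS", "ACTVT", "03", ""),
    ("SU01D", "S_USER_GRP", "ACTVT", "03", ""),
    ("SU01", "S_USER_GRP", "ACTVT", "01", "03"),
    ("PFCG", "S_USER_AGR", "ACTVT", "*", ""),
]
DISPLAY = "03"

def build_matrix(rows, needed_tcodes):
    """Collapse per-tcode proposals into one entry per unique (object, field)."""
    matrix = defaultdict(lambda: {"values": set(), "tcodes": set()})
    for tcode, obj, field, low, high in rows:
        if tcode in needed_tcodes:  # tcodes outside the functional list are dropped
            matrix[(obj, field)]["values"].add((low, high))
            matrix[(obj, field)]["tcodes"].add(tcode)
    return {key: {"values": sorted(e["values"]), "tcodes": sorted(e["tcodes"])}
            for key, e in sorted(matrix.items())}

def is_display_only(low, high):
    """True only for the single value 03; ranges and '*' reach beyond display."""
    return low == DISPLAY and high in ("", DISPLAY)

def non_display_basis(matrix):
    """S_* objects whose ACTVT values allow more than display (03)."""
    return [(obj, low, high)
            for (obj, field), entry in matrix.items()
            if obj.startswith("S_") and field == "ACTVT"
            for low, high in entry["values"]
            if not is_display_only(low, high)]

if __name__ == "__main__":
    needed = {"VA02", "VA03", "SM30", "SU01D"}  # constructed functional tcode list
    matrix = build_matrix(SU24_ROWS, needed)
    print("Unique Auth Object | Field | Value Low | Value High | Tcodes")
    for (obj, field), entry in matrix.items():
        for low, high in entry["values"]:
            print(obj, field, low, high or "-", ",".join(entry["tcodes"]), sep=" | ")
    print("S_* objects to restrict to 03:", non_display_basis(matrix))
```
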