Restrict the tcodes in profile

Similar Messages

• Restricting SCC4 Tcode, from the Role that was extracted from SAP_ALL profile

  Hi,
  Recently we have created a role extracting from SAP_ALL profile. We have deactivated many Basis, and other Critical Tcodes for our Dev & QTY systems by identifying the authorization objects.
  But- for SCC4 we want to know if there is any other way to restrict the access.
  Since we created the role by extracting the profiles from SAP_ALL. S_TCODE has * value, and S_TABU_CLI: has "X" value.
  - problem is we cant deactivate or limit the usage of S_TABU_CLI:X as we have many ZTcodes for direct maintenance, which needs this AO.
  - At the same time, we are trying hard to restrict SCC4.
  So, please suggest if there is any other alternative way to restrict Tcode SCC4, by not being able to run using the New Role.
  Regds,
  Satish.

  First of, let me say that I fully agree with Sunil Bujade. The building block approach is the way to go when designing roles.
  But if we're being practical, you could use authorization groups for tables (T-code SE54) and assign a custom auth. group to table T000. Then use this group to authorize (or actually not authorize) with object S_TABU_DIS.
  Again, this is just a practical tip. The whole "create a role from SAP_ALL" thing is a totally different subject altogether.
  Good luck!
  Dimitri.

• How to further restrict the task profile 'dimension' to selected dimensions

  Hi All,
  We have a dimension which we require users to maintain their own master data. We have used the secondary admin task profile which provides default access to the task 'dimension'. THis allows that user access to the BPC Admin console and also to the dimension to maintain dimension members. However, we wish to limit their access to only certain defined dimensions & not give them access to all dimensions. I have tested using this task profile together with a member access profile to limit the secure dimensions for an application, however my understanding is that member access profiles will not restrict access once a user has logged into the BPC Admin Client...i.e the member access profile restricts the ability to read/write to 'facts'/sign data from a BPC front end tool, EG excel.
  Any ideas much appreciated as to how to acheive this,
  Glen

  Hi,
  As you said for maintaining dimension members, you had to assign a task to the task profile. However, assigning this task will allow the user to modify any of the dimensions.
  You cannot give authorization to allow only selected dimensions. BPC doesnt have this feature. Either the user can modify all the dimensions or none of them.
  Hope this helps.

• Restrict the reources on OIM resource profile

  Hi all,
  Is it possible to restrict the resources that show up on the resource profile.
  I have a requirement where AD administrators should o nly manage their resource.
  Thanks,
  M

  Go to Resource Object and Remove the Allow All check box , it wont show up in resource file for any user
  Also , check the Provision by Object Admin Only
  Thanks
  Regards
  Edited by: Surendra Singh Khatana on Apr 7, 2010 11:39 PM

• How to restrict the authorization to change backgroud configuration

  hello , I copy some users from my admin user which contain the sap_all profile. so these uses can change background configuration.     now,  I want to restrict the authorization that they can only view the background configuration but can not change it .        how can I set this authorization?     Can I change the sap_all profile? how to set it?
  thanks.

  Hi,
  You can copy the SAP_ALL profile to a new name say Z_SAP_ALL and provide display access to all the authorization object and make sure you remove all the critical tcodes in the Z_SAP_ALL profile.
  Once you are done with testing the role assign it to the user.
  Also search the threads in the forum...
  Rakesh

• Restrict the Tab Buttons.

  Hai Gurus,
  I have facing the problems from end users.Transaction Code COR1-Create Process order, users are modifying the maetrials. So i have to resctict the MATERIALS and OPERATIONS tab buttons.
  Kinldly suggest me how to restrict the tab buttons.
  Thanks in advance.
  Shankar G.

  Hi,
  You need to define a user status for this .
    Following is the steps to create a user status and once assigned to order type
    the condition is if a production order is released no changes can be made.
  Goto Tcode BS02
  create a status profile.
  Select the object type PP Production order
  Goto user status.
  In the status enter REL and give description and set initial status tick
  mark
  Double click at Rel status
  goto transaction control ie create mode
  Various radio button will be displayed
  choose change and click radio button against forbidd and save.
  Assign the status profile to order type.
  After releasing the production order changing the qty
  is forbid.
  I think you your problem might have solved.
  Regards,
  nandha

• How to restrict the changes in Relesed PO?.

  Hi all,
  How to restrict the users to make a changes in the Released PO?. User should make the changes only if it is unreleased by the respective codes.
  1. Is there any user parameters like functional authorisation?
  2. I have already suggested two solutions to the clients that
      1. To restrict the authorisation of TCodes ME22n at the user level, but it's not a suitable solution, if user want to make any changes before releasing, then system is not allow to do the changes.
      2. I have made release indicator as a 1 - not changeable if it is released, in release strategy settings. But the system is not allowing the all the users including release codes to make the changes?.
  If there is any solution, please reply immediately.
  with regards,
  Raja.

  hi,
  if u set release indicator 1, after release is taken place, for any changes, u need to revoke the release. and then change the PO.
  even u cant directly block the changes to already released PO, because, in future if at all qty or some changes is required to change, it should allow u to change!

• Org Level, fund center/cost center level restriction for tcodes????

  I am looking to see whether org level restriction and cost center/fund center level restriction is possible for certain set of transactions.
  I am using USOBX table for this analysis. This table has a check flag field ( same as in SU24) which says whether the Tcode (program) does the authority check for certain auth objects. Example- X (checked but not maintained in USOBT). This table pulls up several authorization objects under the 'X' category. However, when I do the System trace for the same tcode, all the objects (marked as X) are not captured. Instead only a few are captured.
  Can we rely on the USOBX data or should we do system Trace for every tcode. I am just pulling a report and not creating roles at this point. So trace is time consuming. But data reliability is equally important.
  My objective is to verify whether org level and cost center/fund center level restriction is possible or not for some tcodes.
  Do you have any suggestion to achieve this faster (through USOBX or any other means)?
  Thanks in advance
  Kee

  I would suggest you to check USOBX_C and USOBT_C instead of USOBX and USOBT as it will have your customization as well and not just the standard ones given by SAP.
  Also when check field is X ...it means the object is checked but not maintained for the t-code as you already said but I am not sure how much it will help you as the they will not be pulled by PFCG when you are creating the role until you change the object to Check / maintain . When you do that the check field will be Y and not X. So basically it is the Y one which you need to see.
  Going for trace is time consuming for every t-code and I am not sure if it really needed. When your roles are in testing phase and are tested by the functional team or the team which needs it and if they are missing some object, you can run a trace and find the missing object....
  I am not sure on what basis you want to change some field to Org level ...but typically it is done if you want to do segregation of roles based on these org level. There could be various other reasons and it is better to talk to your functional counterparts before changing a field to Org level.
  for ex : If you want to segregate on company code, you will create co. code as Org level and create roles for different company code.

• How to restrict the upload file size in me21n/me22n/me23n?

  Hi Guru's,
  I have a requirement to restrict the user from attaching a local file more than 20MB in Purchase Order.
  In standard SAP system, the user can attach a file of any size in PO. How to restrict the size of the file?
  I have no clue how to achieve this? Any kind of help would be great...
  Thanks in Advance...
  Regards,
  Satyam

  Hi Guru's,
  The file size is now restricted in function GUI_UPLOAD. But this function module is used at many places. I want to restrict it only for Tcode: ME22n and ME23n.
  I thought of restricting it by sy-tcode field but sy-tcode value  is not passed to this function module in the run time.
  Could anyone help me on this how to restrict it for the above mentioned tcodes??
  Regards,
  Satyam

• Restrict the user   based on document type on migo transaction-prepare GRN

  Hi,
  We are running ECC6.0 R/3 system.We had a requirement as follows
  In MIGO transaction , we want to restrict the user on document type i.e. we want that a particular user can  prepare GRN for document type  STO only. He cannot prepare GRN for other document type.
  We checked  SU24->maintain check indicators for transaction codes->enter migo->execute->check indicator.This returned us the authorisation objects present in Migo transaction.We checked the help of all these objects,but none of them we found suitable for above mentioned requirement.We were planning to find out the proper authorisation object to add to Profile generater.
  The following is the objects which we have checked for.
  A_B_ANLKL-->     Asset Postings: Company Code/Asset Class
  A_B_BWART-->     Asset Postings: Asset Class/Transaction Type
  B_USERSTAT-->     Status Management: Set/Delete User Status
  B_USERST_T-->     Status Management: Set/Delete User Status using Process
  C_AFKO_AWK-->     CIM: Plant for order type of order
  C_CACL_DSG-->     Interface Design
  C_DRAW_BGR-->     Authorization for authorization groups
  C_DRAW_DOK-->     Authorization for document access
  C_DRAW_TCD-->     Authorization for document activities
  C_DRAW_TCS-->     Status-Dependent Authorizations for Documents
  C_KLAH_BKP-->     Authorization for Class Maintenance
  C_STUE_BER-->     CS BOM Authorizations
  C_STUE_WRK-->     CS BOM Plant (Plant Assignments)
  C_TCLA_BKA-->     Authorization for Class Types
  C_TCLS_BER-->     Authorization for Org. Areas in Classification System
  C_TCLS_MNT-->     Authorization for Characteristics of Org. Area
  F_BKPF_BUK-->     Accounting Document: Authorization for Company Codes
  F_BKPF_BUP-->     Accounting Document: Authorization for Posting Periods
  F_BKPF_KOA-->     Accounting Document: Authorization for Account Types
  F_FICA_FOG-->     Funds Management: authorization group of fund
  F_FICA_FSG-->     Funds Management: authorization group for the funds center
  F_FICB_FKR-->     Cash Budget Management/Funds Management FM Area
  F_KNA1_APP-->     Customer: Application Authorization
  F_LFA1_APP-->     Vendor: Application Authorization
  F_SKA1_BUK-->     G/L Account: Authorization for Company Codes
  G_GLTP  -->       Spec. Purpose Ledger Database (Ledger, Record Type, 
                                 Version)
  J_1IDEP_SL-->     Authorization object for depot sale transaction
  J_1IEXC_OT-->     Authorization object for Other Excise Invoice Create
  J_1IEX_PST-->     Autorization object for posting Other Excise invoice
  J_1IGRPT1-->     Auth. for PART1 at GR
  J_1IINEX  -->            Incoming Excise Invoice
  J_1IRG23D-->     Authorisation object for Depo Transactions
  K_CCA-->                     CO-CCA:  Gen. Authorization Object for Cost Center 
                                  Accounting
  K_CSKS     -->                CO-CCA:  Cost Center Master
  K_CSKS_SET-->     CO-CCA: Cost Center Groups
  K_PCA-->                    EC-PCA: Responsibility Area, Profit Center
  L_TCODE-->                    Transaction Codes in the Warehouse Management System
  M_ANFR_BSA-->     Document Type in RFQ
  M_ANFR_EKG-->     Purchasing Group in RFQ
  M_ANFR_EKO-->     Purchasing Organization in RFQ
  M_ANFR_WRK-->     Plant in RFQ
  M_BEST_BSA-->     Document Type in Purchase Order
  M_BEST_EKG-->     Purchasing Group in Purchase Order
  M_BEST_EKO-->     Purchasing Organization in Purchase Order
  M_BEST_WRK-->     Plant in Purchase Order
  M_MATE_CHG-->     Material Master: Batches/Trading Units
  M_MATE_STA-->     Material Master: Maintenance Statuses
  M_MATE_WRK-->     Material Master: Plants
  M_MRES_BWA-->     Reservations: Movement Type
  M_MRES_WWA-->     Reservations: Plant
  M_MSEG_BMB     -->Material Documents: Movement Type
  M_MSEG_BWA-->     Goods Movements: Movement Type
  M_MSEG_BWE-->     Goods Receipt for Purchase Order: Movement Type
  M_MSEG_BWF-->     Goods Receipt for Production Order: Movement Type
  M_MSEG_LGO-->     Goods Movements: Storage Location
  M_MSEG_WMB-->     Material Documents: Plant
  M_MSEG_WWA-->     Goods Movements: Plant
  M_MSEG_WWE-->     Goods Receipt for Purchase Order: Plant
  M_MSEG_WWF-->     Goods Receipt for Production Order: Plant
  M_RAHM_BSA-->     Document Type in Outline Agreement
  M_RAHM_EKG-->     Purchasing Group in Outline Agreement
  M_RAHM_EKO-->     Purchasing Organization in Outline Agreement
  M_RAHM_WRK-->     Plant in Outline Agreement
  Q_TCODE     QM -->         Transaction Authorization
  S_ADMI_FCD-->     System Authorizations
  S_ALV_LAYO-->     ALV Standard Layout
  S_BDS_DS-->     BC-SRV-KPR-BDS: Authorizations for Document Set
  S_BTCH_ADM-->     Background Processing: Background Administrator
  S_BTCH_JOB-->     Background Processing: Operations on Background Jobs
  S_CTS_ADMI-->     Administration Functions in Change and Transport System
  S_DATASET-->     Authorization for file access
  S_DEVELOP-->     ABAP Workbench
  S_DOKU_AUT-->     SE61 Documentation Maintenance Authorization
  S_GUI-->                     Authorization for GUI activities
  S_OC_DOC-->     SAPoffice: Authorization for an Activity with Documents
  S_OC_ROLE-->     SAPoffice: Office User Attribute
  S_OC_SEND-->     Authorization Object for Sending
  S_PACKSTRU-->     Internal SAP Use: Package Structure
  S_PRO_AUTH-->     IMG: New authorizations for projects
  S_RFC-->                     Authorization Check for RFC Access
  S_SCD0     -->                Change documents
  S_SPO_DEV-->     Spool: Device authorizations
  S_TABU_DIS-->     Table Maintenance (via standard tools such as SM30)
  S_TCODE     -->                Transaction Code Check at Transaction Start
  S_TRANSLAT-->     Translation environment authorization object
  S_TRANSPRT-->     Transport Organizer
  S_WFAR_OBJ-->     ArchiveLink: Authorizations for access to documents
  V_LIKP_VST-->Delivery: Authorization for Shipping Points
  V_VBAK_AAT-->Sales Document: Authorization for Sales Document Types
  V_VBAK_VKO-->Sales Document: Authorization for Sales Areas

  Have you executed a trace while a functional user executes the transaction code for the specific parameters? (i.e. document type). The trace will then show which objects are being checked; then look at the object documentation in txn Su21 to determine if there are any ways to restrict on the particular value; in some cases, if the authorization group field is being checked, additional configuration is needed in order to implement the security (Su21 will explain in detail for the particular object).

• How to restrict the user from making any changes in Sales order- item level

  Hi to all
  How to restrict the users from making any changes in sales order at item level if the same sales order is released by senior user through status profile.
  Regards
  Anish Parikh
  Edited by: anish parikh on Jan 24, 2008 5:16 AM

  Hi Anish,
  This can be achieved through the roles and authorization.
  This can be done through the basis team. they can create user profiles and roles.
  For the roles they assign some transaction codes so that they can view the only assigned tr. codes.
  Like that ur requirement can be done.
  Also u can prevent the user to change any fields in the sales order screen (VA02). for that please modify the authorisations.
  Hope i answers.
  Reward points if useful.
  Edited by: kaleeswaran bhoopathy on Jan 24, 2008 9:57 AM

• How to restrict executing tcodes in transaction tab for master clients

  This question applies SOLMAN project implementation tools: SOLAR01, SOLAR02 and so on.
  Our ERP2005 development U50 system has two clients:
  One is master client 101 where all customizing should take place  but no transactions are allowed
  second client 102 works as sandbox client where new customizing can be test and master data and transaction are allowed.
  Only U50/101 is defined in Solution manager SMSY in system role 'development system'. Currently U50/102 is not defined in Solution manager to any system role at all.
  As configuration should take place via Solution manager,  the consultants use SOLAR01 and SOLAR02 in system role 'development system' meaning that they are connected to U50/101 if want to execute transactions in transaction tabs or IMG nodes in Configuration nodes.
  But U50/101 is our MASTER client and no transactions nor most master data are allowed in there. We want to keep it clean. How can I avoid tcodes being executed in system role 'development'. I want to allow consultants use tcodes if they change to system role 'quality system'. But they might forget to change the system role before executing the transaction.
  Is there an option in Solution manager Project implementation tools that do not allow tcode launch from transaction tabs when system role is 'development system'.
  Of course I can restrict tcode execution with authorizations in satellite systems, but then I would need to disable authorizations for each tcode possibly being used. So I don't like that option.
  br: Kimmo

  Okay, I'll continue dialog with myself. I found solution how to assign other clients on one system to other system roles, which are so-called 'customer roles'.
  See solution manager help:
  http://help.sap.com/saphelp_sm40/helpdata/en/3b/8be61c54d22945837fd69861d21a08/content.htm
  I did not know until know, that system roles are actually customizable. The roles with letter P,D,C,T,E, etc. are reserved for SAP but you can create your own system roles into table SMSY_ROLES. You would not do it with SM30, but from tcode SMSY and following menu Utilities-System Settings->tab:System Roles. Switch to change mode. Roles with 0-9 are available for "customer roles". Choose role type and write your own description ( like: Sandbox client in development system ).
  Now the new role is available in SMSY. But You cannot see it yet in SOLAR_PROJECT_ADMIN/System Landscape tab. In there you must press button 'System role assignment' and in the opening window add your own 0-9 role defined earlier and save. Now you see your new role in 'system landscape' tab and you can assign systems to it like you had done with SAP standard roles.
  Now users using implementation tools can change their current system role to your new 'customer role'.
  But what it comes to my original problem (see title), that still remains. I have debugged the tcode execution from transaction tabs and don't see any possible way to avoid tcodes being executed for an unwanted system role. An Enhancement Spot ( =new BADI) can of cource be used for making custom rule for my requirement.
  I'll make this thread answered. Hope you joined my self-dialog.
  Keywords: DEFINE EDIT SYSTEM CUSTOMER ROLES SMSY_ROLES
  br: Kimmo

• I still use Aperture 2.1.4.  I need to export an image file with a CMYK profile.  Whereas a generic CMYK profile is listed in ColorSync Utility, it does not appear on the list of profiles in the edit portion of the export preset dialogue.  Help?

  I still use Aperture 2.1.4.  I need to export an image file with a CMYK profile.  Whereas a generic CMYK profile is listed in ColorSync Utility, it does not appear on the list of profiles in the edit portion of the export preset dialogue.  Help?  Is there some way to add the CMYK profile to the list of choices that are available in the export preset dialogue such that I can choose it?

  leonieDF
  Thanks for your response.  My profiles are located within color sync utility as you can see here:   
  These profiles do not respond to clicking and dragging.  Since they are all in one place, more or less, I'm reluctant to make further attempts to relocate them.  Accessing the CMYK profile is the first difficult experience I've encountered with this arrangement.  I have never needed the CMYK profile until recently, and that need has now past.  However, it remains a mystery to me as to why it does not appear with all the others on the menu of export choices in Aperture 2, or on the menu of profile assignment choices in the Preview application (where again all the other profiles are listed as choices).  I'm beginning to think my current set up will permit me to view an image that was created in CMYK space, but does not easily assign, or convert to that space.  I don't face these restrictions with all the others, so it remains a curious circumstance for me.  I anticipate upgrading my computer and software in the near future which might alleviate this issue altogether.  Again, many thanks for your attention to this matter.  The reach of this community is astounding.

• Defining Authorizations for User to restrict the data in report.

  Hi Gurus,
  I have no idea on authorization concept in BI. Please give me anyone steps to creating authorization objects, roles and profiles to restrict the data for users.
  Ex.
  i have functinal location info object checked as authorization relavent with below data.
  FL001
  FL002
  FL003
  FL004
  FL005
  FL006
  FL007
  FL008
  FL009
  We have users like below.
  User1
  User2
  User3
  Now, if User1 is analysing a report he can see only FL001, FL005, FL009 only, remaining have to be omited.
  If User2 is analysing that report he can see only FL002, FL003, FL009. And like wise.
  So, Please help me providing the completed steps. I have done somting but failed.
  Thanks in advance
  Peter.

  Hello Peter,
  Please go through the following links
  Authorization :
  http://help.sap.com/saphelp_nw70/helpdata/en/59/fd8b41b5b3b45fe10000000a1550b0/frameset.htm
  SAP Authorization Concept :
  http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
  Thanks.
  With regrads,
  Anand Kumar

• How to restrict the FBL5N (user wise restriction)

  Hi experts
  I want to restrict the FBL5N TCODE user wise.
  In FBL5N one parameter is there Serch Help ID In serch help id when we select Customers per sales group
  we see Sales office and Sales group .If we select sales grop and execute it report gives op under sales group.
  My requirment is restrict the sales group or sales office for user wise.(if 5 sales office and 3 user id is there then,i want to give one user id for 2 sales office  and if enter another sales office then he cant show the data)
  THANKS
  AJAY.

  Hi Ajay,
  I am not quite sure if it is recommended to tweak standard elementary search help. However, I would suggest you to create your own search help and attach it to the standard collective search help as an append search help.
  You can write what so ever logic the business demands in that custom search help exit there by restricting the entries that gets displayed as a result of value help.
  Hope this gives you a brief idea on how to proceed.
  Regards,
  Hemanth