Auth group to a table

Similar Messages

• Program to assign auth group to the tables?

  Hi everyone,
  Does anyone of you know if there is a program that I can use to assign the auth group to the SAP std table(in case if I need to) and customized tables. I know I can goto Se54 and assign an auth group there but was hyst wondering if there is a program like RSCSAUTH which we can use for assigning the auth group to the programs.
  Please suggest.
  Thanks,
  Raj

  Hello Raj,
  You donot assign auth. group to tables but rather to the Maintenance Generator.
  I think SAP will not provide any std. program for this.
  Maybe other SDNers have some better ideas to share.
  BR,
  Suhas

• List of Auth Group Sorted By Modules needed.

  All
  I have been trying to create the Display Roles for
  FI
  SC
  HR
  modules
  I need to add the Auth Group for S TABU DIS.
  Can someone please tell me if there is any link out there
  that has the Auth Group SORTED by Modules (FI SC HR etc)
  Thanks,
  From
  PT.

  I am not aware of any specific table which holds the table group : module link, other than the naming convention of the table groups and of course correct assignment to tables. So, you could try by sorting TDDAT on field CLASS.
  Take note that the transaction and master data tables (indexes) of the modules typically do not have auth groups assigned, and are therefore replaced by a symbolic group '&NC&'. I don't think it is possible or desirable to assign auth groups to all tables for display purposes, and then still split them into modules. Basis folks can become irritated when people browse VERY large indexes. Business owners as well when they realize that these roles can bypass all their application and org controls to protect their data.
  Cheers,
  Julius
  PS: I see 41 unresolved questions. 9 are no longer outstanding.

• Changing auth group of a SAP standard Table

  I was wondering if someone could advise what the implications are if I changed the auth group of a SAP standard table (PA0033). 
  Does it affect programs behind the scenes, support packs, upgrades?

  I am not aware of any reason why an authorization group on a SAP standard table should not be changed.
  I have also seen this done for specific infotypes without any problems.
  See the documentation on transaction SUCU and SE54, and SAP notes and some of the discussions here on them.
  Kind regards,
  Julius

• SAP tables with &NC& Auth Group.

  In SAP there are about 7000 plus tables with &NC& Auth Group.
  Are all these tables not financial relevant.
  What is the impact if we change these tables auth group to custom auth groups?

  On their own they might not be finance relevant, but might even be system relevent for that matter.
  &NC& means "Not Classified" hich should be understood as "no intention to display and or change them from the application layer" as their single fields on their own are not usefull or inconsistent.
  The bugger is that if developers don't understand this and security folks don't respect it, then because of one single table you might open access to all other unclassified tables (depending on how they are designed in the Data Dictionary and how they are accessed).
  I have seldom seen a SAP system which got this right, primarily because of the developers (also the ones from SAP).
  Yes, you can change the groups is SE54. But report it to SAP and keep track of which SP level introduces the new check value. Try to obtain that information from them in advance if you need to, and check that it is conceptually consistent with your concept (minimum requirement is that it should not be conceptually inconsistent with other SAP standard concepts).
  If this is a topic for you and delivery classes also play a role, then also search OSS for the term "Current Settings". These give you more options - for specific objects.
  Cheers,
  Julius

• Creating a auth group

  Hi,
  I want to restrict access for a user in such a way that he sees only the following tables.
  AGR_define
  TSTC
  USOBT
  All these tables come under the auth group SA, SS or SC which is SAP delivered. Now if I give any of these auth groups, then the user will have access to all the tables within this authorization group. I tried to create a new auth group in SE54 and when i tried to assign the auth group to one of the SAP standard table, it would not let me do it. It gives the following error message ' choose the key from the allowed namespace'
  Is there any way to restrict access to a few SAP standard tables?, thanks in advance
  regards,

  I guess you'll give acces via transaction SM30 or SE16 ? If restricting on auth group is not enough you can try to make a 'transaction variant'. Start transaction SHD0, than you will go through the transaction and after each screen you'll have the possibility to choose what you want to see, with or without context,...So in transaction SM30 you can choose to skip the first screen and with the new transaction the user won't be able to change the table.  You can afterwards assign a transaction to the variant, put this transaction in a role and assign the role to the user. The user will be able to start transaction SM30 but will go directly to the second screen, so he will not be able to put another table in the selection screen.
  When the user is allowed to only those 3 tables you have to create 3 transaction variants. This is a quick explanation, but If this is usuable you'll probably have more info on searching on transaction SHD0

• How to get list of Users under an Auth Group (for executable Programs)?

  Hi experts.  I have a requirement to get a list of all users under a particular Auth Group for Program Objects.
  Goal of this requirement is to identify the users allowed to use/access a program - we're doing some sort of Program Inventory and we'd like to identify the users per program, via the Auth Group. 
  So question is:  Which tables hold data about Program <-> Auth Group <-> Users, and how are they linked?
  I know this is Basis/Security stuff, but I was thinking of developing a report program to output the information needed.
  Thanks in advance.
  Edited by: George Esquerra on Nov 17, 2011 10:24 AM

  This is available in the standard via tx SUIM - user - users by complex selection criteria - by authorization values.
  If you enter auth object = S_PROGRAM and value = auth group, you will get the list of users.
  You can analyse how this program finds the information and incorporate it into your own logic.
  Thomas

• Restrict posting period only a limited set of users using Auth Group

  Hi all,
  Can someone help me in restricting posting period to only a limited number of users?
  Currently OB52 settings look like below:
  From Per.1  Year  To Period           From per.2   Year    To Period
      7                 2009         8                          8              2008            8
  My requirement is:
  I want to only few users to post in the 7th period and all others to post in the 8th period.
  I know this can be done via authorization group: Can someone please help me with the steps invloved in solving the same?
  Thanks in advance
  Sidharth
  Basis Administration

  Hi Alex,
  Thanks for your response!
  I have added F_BKPF_BUP object manually in the test role and assigned 0002 auth group in it.
  I have created auth group 0002 and assigned table T001B in SE54.
  Auth group 0002 is then assigned in the OB52 at the last column. This should restrict the posting for period 1 which i need to restrict for some users.
  Now as per the logic, if we dont assign any auth group, users should not be able to post for that period. But in my case user is able to post successfully via F-02.
  Please help me as we need to implement this before month end.
  Many thanks for your valuable help!
  Thanks
  Sidharth

• Restricting SM30 via auth. groups, any flaws in thinking?

  Hi,
  I got a request to assign SM30 to a role as table J_1IEWT_ACKN_N needs to be maintained monthly. I checked an earlier thread regarding this table, and in this case maintaining table in DEV + transport is also not accepted.
  This role also includes other table maintenance activities (period opening/closing, exchange rate maintenance), but for these SM30 is not required. As this role would now include SM30, it would possibly grant access to quite a bunch of tables (through S_TABU_DIS, DICBERCLS values KC and FC31).  User with this role would not have any other roles.
  I created a Zxxx-authorization group in SE54, assigned it to the J-table and then included this auth group to S_TABU_DIS object.
  As this role only needs access to a few tables, I was thinking of changing the authorization group assignments of these tables from KC/FC31 to Zxxx and then giving only DICBERCLS value Zxxx to the role.
  Does this sound like a reasonable solution? Can I just change the auth group assignments of the tables in SE54 or does this have any consequences that should be acknowledged and that I'm not aware of?

  You should try to find an existing group which contains data with the same classification as this one, and use SE54 to assign the value to it. Possibly, if the correct set of users are already classified for that group then you don't need to change anything inthe roles.
  If nothing which already exists matches the classification of the data, then classify it yourself by creating the Zxxx group and assign it via Se54.
  If Z-groups already exist, as for the documentation on the concept so that the one you create or use is conform with the intended concept and naming conventions.
  There is nothing wrong with a Z-table authorization group.
  Cheers,
  Julius

• Application area for the Auth Group

  Hi All,
  I want to create an authorization group, and make sure that this should work for every program where I will put it ir-respective of the application of the program...i.e I should have an ability to assign to the FI,HR and all other programs. So can you please tell me under which application should I create this Auth Group using table TPGP.
  Thanks,
  Rajeev

  Hi Rajeev,
  It is not required that you assign the authorization group to any application. The application has a documentary purpose only. However, if you still want to assign your authorization group to a program, just ignore the warning message when editing the attributes of the program and save your entry.
  Cheers,
  Shahram

• SCU3 Activity 02 on S_TABU_DIS Auth Group SA?

  Hi,
  We recently moved from EHP5 to EHP7 and an additional check is done when using transaction SCU3 for S_TABU_DIS / Group SA / Activity 02.
  We have 2 Z tables maintained by our data team; 2 Z transactions allows for the table maintenance via SM30; both tables have been associated to a Z authorisation group.
  Since EHP7 has been implemented we can no longer view the log on these tables.
  SU53 and traces are listing the need for S_TABU_DIS Activity 02 for the SA Auth group; that group is created by SAP and covers quite a few other tables; I have tried to limit the access to the log table DBTABLOG via S_TABU_NAM but it is still not working.
  I can't understand why activity 02 should be required at all in that scenario and can't find any related OSS Note.
  Has anyone come accross a similar issue. I am not sure why a change activity shoudl be required when I only want to display the change log.
  thank you
  Coco

  Hi,
  are you sure that missing authorization for DBTABLOG is causing your issue? It is checked because you can delete logs in SCU3. Hence it has to check for 02 - change. It should not get checked when you only want to display logs. Have you tried to debug this transaction and see what's going behind?
  Cheers

• What is &NC& auth group?

  What does mean &NC& auth group?

  Hi Gautam,
  Strictly speaking, it will not default the authorization group on the table to &NC&, but rather, when the user has access to standard table display / maintenance transactions (SM34, SM31, SM30, SE16, N, SE11, SE17, etc), the program will make an authority-check against '&NC&' IF the table has not been assigned to a table group (S_TABU_DIS authoritation group).
  This effectively groups all tables without an authorization group into a symbolic group (for the purpose of table display and possibly even maintenance, though the latter would not make sense...).
  Cheers,
  Julius

• Maintaing Tax Groups in the Table CRMC_TAX_GROUP

  Hi All
  In order to download Materials from ECC to CRM2007 via Middleware, I need to maintain the Tax Groups in the Table CRMC_TAX_GROUP and then assignt the Tax Types to the ECC Tax Classifications.
  However, I am unable to add entries to the table CRMC_TAX_GROUP either through SE16 or SM30.
  I am only able to run the report in Data Browser (SE16) in display mode. When I try to maintian the table using sm30, I get the following Exit Message:
  Check maintenance object CRMC_TAX_GROUP or update
  function group CRM_PRSALESTAX_C
  I request your help and suggestions in this regard.
  Thanks in advance.
  Regards
  Chaitanya

  Hi,
    You can maintain that table using a maintainence view 'CRMV_TAX_GROUP' in sm30.
  Thanks
  Swagatika

• Difference between the Field Group  and Internal Table.

  Hi all,
  Can anybody tell me the difference between the Field group and Internal table and when they will used?
  Thanks,
  Sriram.

  Hi
  Internal Tables: They are used to store record type data in tabular form temporarily in ABAP programming. Or we can say, it stores multiple lines of records for temporary use in ABAP programming.
  A field group is a user-defined grouping of characteristics and basic key figures from the EC-EIS or EC-BP field catalog.
  Use
  The field catalog contains the fields that are used in the aspects. As the number of fields grows, the field catalog becomes very large and unclear. To simplify maintenance of the aspects, you can group fields in a field group. You can group the fields as you wish, for example, by subject area or responsibility area. A field may be included in several field groups.
  When maintaining the data structure of an aspect, you can select the field group that contains the relevant characteristics and basic key figures. This way you limit the number of fields offered.
  Regards
  Ashish

• Auth Group for Accounting Doc and Account authorization for  Vendors

  Hi guys,
  I have question regarding Accounting Doc for Vendor and G/l Account.  I have a security client whree I build my business roles for end user but we we configuration client where all the functional focus wokring and doing configuration.  My questiion when I start creating business roles  and start going  into these authorization objects and filling up the field values (F_BKPF_BEK, F_BKPF_BES,  F_BKPF_BLA).
  I won't  see auth group that will be c reated by functional  cocus because they are working on configuration Client and they probably create auth group for above authorization objects in Config lcient and I'm building Roles in my security client. 
  If it is true what would be the best way to create business role.  I'm in realization face of the project  Should I build my roles in Config client?   Please advise.
  Thanks in advance
  Faisal

  What is the benefit of a "security client" in DEV? I don't get it...
  You anyway need to protect the namespace... and the authorizations for role development (SU24) and admin (PFCG).
  Anyway, you have closed your question so we can only lick our wounds now
  Cheers and good luck on your project (let is know how it goes if you stick around for long enough to experience a release upgrade...
  Julius