Restrict access to transaction PFCG
hi, i want to give only display access to transaction PFCG,can u please give me the steps for that????wat are the transactions i have to use.SAP_ALL role is not added to the user.
regards
renjy
Hi Renjy,
For any transaction code check for the objects in SU24 then check the same in the role and change the activity as per your requirement.
Check for object and activity in the role
for example
Object S_USER_AGR, ACTVT 03 (Display)
If you need further information let me know.
Cheers
Soma
Message was edited by:
soma pradeep
Similar Messages
-
How do I restrict access at the field level in vendor creation XK01
Hello All,
Does anyone know a way to restrict access to a certain group of fields or a screen in vendor create? I know it is possible in vendor change XK02 using the field groups (transactions OBAT and OBAU) but we have a requirement to have one group of users create all vendor information except the bank details and another group of users just to create the bank details.
Thanks for any help you can offer.
rgds,
ianWe have had a similar discussion some while back. please refer to the thread below as it seems to be much similar to your requirement.
[click here|Hide or Encrypt Bank Account Number] -
Restrict access to users in customer line item display FBL5N
Hi all,
We got a requirement from my client that, they want to restrict access of their users to view details of few customers only. The user has a right to view FBL5N transaction code, but he cannot view all customers details.
we created 4 customer account groups,we created like .. SD customers1
SD customers2
Onetime customers
FI customers
These FI customers cannot be viewed by all users except who has authorization in Tcode FBL5N, we need to restrict to display only SD and one time customers details.
we have tried with Basis but its not working and its blocking to view all customers.
anyone got this kind of requirement , Is it possible to restrict....please help me.
Thanks
Nagesh
Edited by: nag on Dec 27, 2011 5:26 PMIt is standard behaviour that the authorization object F_KNA1_GRP(account group authroization) is not checked
in the transacion FBL5N. You can confirm this functionality in trans. SE24.
As a workaround, I would suggest you to use the authorization object F_KNA1_BED Customer: Account Authorization
If you assign an authorization group as the accouting group, perhaps you can get a similar functionality.
Please note that for the 'drill-down' or direct call of FBL5N these objects are checked:
F_BKPF_BLA Accounting Document: Authorization for Document Types
F_BKPF_BUK Accounting Document: Authorization for Company Codes
F_BKPF_GSB Accounting Document: Authorization for Business Areas
F_BKPF_KOA Accounting Document: Authorization for Account Types
F_BKPF_BED Accounting Document: Account Authorization for Customers
F_KNA1_BED Customer: Account Authorization
F_KNA1_BUK Customer: Authorization for Company Codes
Kind Regards
Soumya -
Restrict access for Vendor Master Data
Hi all.
Our company structure is like below:
Single instance, just one mandant.
Company codes like 1001, 3001, 6002, 6006, etc... over the world.
At some companies just the central administration can create vendor for the companies using the transaction XK01.
Now we need to give access to users from one of our company from other country but we can´t give access to transaction XK01 because just the central administration can create the master data for the vendors.
I already read about the object F_LFA1_AEN that is possible to create some field groups and give access just for the rigth groups. I also read that this authorization groups don´t have effect on the vendor master data like address.
How can I restrict access for the vendor master data? I´m thinking to give access to transaction FK01 and MK01 and restrict access for create a new vendor, I only want that the users can create the data for a new company or new purchase organization.
Thank you
Darlei Friedelamong many other authorization objects, you find following three:
F_LFA1_GEN general data
F_LFA1_BUK company code data
M_LFM1_EKO purchasing org data.
If the user does not have authorization for F_LFA1_GEN , then he cannot maintain general data. -
Need to restrict access to XD02/XD03
Hi All,
I need to restrict access to some acct group in the search screens for individuals who do not have access to this account group in transaction XD02/XD03. Other than this group we should not allow to search the screens.
Please guid me if any exit / badi....etc. where i can put this validation.
Thanks.
Raj.Hi,
Try this link...
Customer Master Maintenace - restriction general data tabs
Regards,
Guru -
Restrict access with object F_LFA1_BEK - problem with F4 search
Hello,
we want to restrict access to some vendor accounts, which can be shown with transaction FK03 for example.
There is an authorization object F_LFA1_BEK, which can be maintained in the special vendor accounts in field authorization group.
A user with authorization for vendor account with authorization group ZZZZ in it can see all vendors with authorization group ZZZZ and all vendors with no authorization group. But he can't see vendor accounts with authorization group YYYY. To this point, it's ok.
If the user uses the F4 search help he is able to see the vendor accounts with authorization group YYYY too. And this is the problem - the user should not see these vendor accounts. With this option user is able to see address data of a vendor account he should not see.
Is there any possiblity to solve this problem?
Regards,
JuliaI don't know the current status, but this is being looked into generally as it is not only limited to the F4 on LFA/B/M1.
As you only access the name and some attribute data which you can display, it is not necessarily critical and there is no transaction data involved.
Good news is that the BAPIs for search help make these same granular checks which you are expecting.
If I hear something further about these developments I will let you know.
Cheers,
Julius -
FERC Code of Conduct - Restricting access for employees
hello - I am project lead for an effort to separate market and transmission data from certain employees in our company. I'm finding this to be a monumental task, since we have a large SAP implementation. FI/CO, MM, HR (postion-based security), Customer (IS-U-CCS), PM, PS, xRPM. We have implemented SOD for SOx compliance, but this is an entirely different effort. Unlike SOx, we need to totally restrict transactions that could contain non-public market and transmission data, so we need to separate the data behind the transactions. Does anyone have experience with this? Would love to hear what approach you took and swap ideas.
Annette M Alboreo, FirstEnergy Corp.Hi Annette,
First of all, good luck! Data segregation is always a tricky one to manage and needs to be carefully thought out. This sort of activity has a large security and functional overhead and you need to make sure you have access to them.
When I've worked on this sort of thing in the past, there are a few things that you need to identify
- What data is sensitive? The business should ID <b>all</b> sensitive data and the functional team translate that into fields etc. What data needs to be legally segregated, what data is nice to have segregated. A set of rules should be drawn up to say who get's what in which circumstances.
- How are people accessing data? What transactions give access to sensitive data? Standard SAP tx, custom tx (which may need auth checks changing), access to SE38/SA38, SQ01, SQVI etc. All of the routes to the data need to be identified.
Once it is known what data needs to be restricted then it is possible to address how to restrict access to it. A reasonable amount of it should be able to be catered for in the standard auth concept. It's also likely that there will be the requirement for additional config & customising (e.g hide fields, change screens, user exits) to meet these new control needs. I think it goes without saying that the more that you can fix with the standard auth concept, the easier it tends to be. If this means removing some transactions from users then in some cases it may be less costly than knocking up a whole load of custom code to solve the problem - of course this is dependent on the situation.
Hope that is of some use
Cheers
Alex -
Restricting Access in Solution Manager by Business Unit?
Hi Experts
We are currently in the process of upgrading our Solution Manager to 7.0 EHP 1. Business wants to restrict access in Solution Manager by business unit. Is this possible? Is it possible to create derived roles which restrict on buisness unit without having to custominze? If it is possible which object needs to be maintained? I'm already aware of restricting access by project using S_Project but this still allows users to view other projects. The requirement is that users only view projects for their business unit.
Please advise experts.Hi There,
I dont see any reason why you cannot acheive your objective in SolMan, You should be able customize views per business under SPRO_ADMIN and derive required view with in PFCG role separated by business.
Yes, You can also do derived roles concept in Solman and restrict by Org Units.
Guys - Do you differ from my opinion?
-AJ
Edited by: AJ on May 19, 2010 3:47 PM -
Restricted access to nodes in SOLAR01
Hi
I have setup restricted access to the nodes in SOLAR01 (details shared below in the for "information area") - now I need to enter the team members who are allowed to update documentation in each business process & step.
It seems that access to a higher level node is not inherited by the lower level nodes so I have to update each business process & step individually.
This is going to be a mammoth task that will need to be repeated every time a new team member joins - is there a mass update function avaialble or perhaps a way to cause the lower level nodes to inherit the team member access of its parent?
regards
Marina
For information
To set up restricted access I did the following for standard project users;
1. In transaction SOLAR_PROJECT_ADMIN, edit your project and go to tab "Proj. Team Member'
Check the box "Restrict changes to nodes in project to assigned team members
(make sure you have assigned your team members in the grid)
2. Make a copy of SAP_SOLAR01_ALL role into the customer namespace and make the following changes
S_PROJECT
ACTVT = 03,23,71,76
also set your project ID
S_PROJ_GEN
project ID = your project
proj_func = SCEN
S_DATASET
actvt = 33,34
add in S_IWB
ACTVT = 01,02,03,33,6,80,D1,V1
IWB_AREA = IWBSOLAR
IWB_EXTNSN = /KWCUST/
IWB_FLDGRP = your project
AI_SA_TAB
remove PRODATA from TABNAME (for administrators who should be able to edit everything create an auth with this made available).
Any other entries I have not specifically mentioned I have given them a * value.Hello,
If you want the team member to be inherited along the lower nodes you have to use button "Make Mass Changes"; access the higher node, go to "Administration" tab, then "Team member" tab, then use the fourth button "Make mass changes" to add a team member, after that, it will be inherited along the lower nodes.
I hope that hleps!
Best regards,
Federico. -
Authorization restriction for BP transaction
Hi,
We need to restrict the BP transaction access to user in the below mentioned way in our SRM system.
1. Restricting BP access to all the users with display access.
2. Restricting BP access to security users with create, change and display access.
What is the main object for BP transaction for restricting access in the above mentioned scenarios?
Here, we have observed one more issue like....
Let say object-B_BUPR_BZT(not sure) is a main object for transaction-BP. If we restrict activity to 03 in that object, it will give display access when we are executing transaction-BP.
Some of other transactions(like PPOMA_BBP) are there in SRM, those are also maintaining same object with all activities(create,change,Display).
In this scenarios, how the above mentioned restriction is going to help the user.
Please check and advice in this.
Thanks & Regards,
KKRao.> Let say object-B_BUPR_BZT(not sure) is a main object for transaction-BP.
It may be a "main object" for BP, but that doesn't tell you much at all about the security aspects or where in the logic of the transaction it is used. This object is for example not a part of the business logic of transaction SE80, or that I am sure.
If you have no clue, then start in SU21 and read the application help documentation on the transaction (to understand it's context) and the use-cases of the object - also to find the other transactions. Then you will become more sure.
You also need to understand that in the same way the transactions, reports and the "real checks" are layers in the security, objects themselves can also be selective and layered in a conceptually consistent way, or (to make it more interesting...) transaction dependently.
There are lots of shortcuts (even out-of-the-box roles which someone might try to sell you...) but ultimately if you use a SAP system to "build" your business processes, then you need a concept to secure your build. SAP owns the authority-checks in standard programs to enable the process to comply with legal requirements and some common sense.
=> So, you need to choose your transaction (or other entry point) carefully and understand the objects which they use.
Cheers,
Julius -
Restrictions on the transaction GR55
Hi gurus
can you help? need to implement restrictions on the transaction GR55, the group reports that the user will access, to put a report a group of authorization and put in the role in all fields BRGRU, but does not work, the user has access to all the Infomed .... anyone can give me an idea of how Restrict adcional this?
thanksDear guru,
Even I was wondering about the same recently and used the search to revert back.
What have you tried so far?
Or do you want us to flame your controllers for you?
Cheers,
Julius -
BW : RSA1 with restrict access, possible?
Hi all,
Its possible use RSA1 with restrict access ?
You can implement the transaction RSA1 restriction of access.
Example:
Some users can not use the part of source systems (TCODE RSA13).
In this example, we block the transaction RSA13, however using RSA1 itself unable to access the part of source systems.
thzJust to add some more info to Durgesh's reply...
Using obj S_RS_ADMWB you can restrict access to different ares of AWB. See online docu on this topic:
[http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/content.htm|http://help.sap.com/saphelp_nw04/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/content.htm] -
Restricting access to a cube while it is being maintained
Hi,
We are trying to restrict access via discoverer/excel add in to a CUBE while cube is being maintained. We were able to achieve this by revoking privileges to certain roles before the start of the cube build.
I would like to know if there is any better way or built in functionality(out of box) that restricts access to a cube a while it is refreshing? Any help is appreciated.Ragnar is correct, the best way to do this is to attach the AW in exclusive mode. You can either do this manually yourself before starting your load job, or automatically by scheduling the job and using mutiple processes to load and solve the cube.
The problem is removing users currently viewing data via Excel/Disco when the job starts. If you can ensure there will be no users accessing the AW when the job starts, then the exclusive attach mode will prevent any users from attaching the AW during the processing. If you cannot guarantee this, then there is a problem because the job will fail when it tries to attach the AW in exclusive mode. Obviously you could put this in a loop and wait until a user exits the front end application and releases the AW. Alternatively, you could write a SQL script to disconnect/kill all sessions accessing the AW - not very nice for the users though if they are building a report because they will lose all their unsaved changes.
When the AW is attached in exclusive mode, bad news is that Discoverer/Excel will probably generate a nasty Java error message when a user tries to connect using Discoverer/Excel.
Therefore, overall not an ideal situation. But I cannot think of a really good way to manage this at the moment. Sorry I can't be more helpful.
Keith Laker
Oracle EMEA Consulting
OLAP Blog: http://oracleOLAP.blogspot.com/
OLAP Wiki: http://wiki.oracle.com/page/Oracle+OLAP+Option
DM Blog: http://oracledmt.blogspot.com/
OWB Blog : http://blogs.oracle.com/warehousebuilder/
OWB Wiki : http://wiki.oracle.com/page/Oracle+Warehouse+Builder
DW on OTN : http://www.oracle.com/technology/products/bi/db/11g/index.html -
Restricted access to attachments in SRM 7.0 web applications
Hi,
We have a very specific problem regarding the handling of attachments with SRM 7.0 web applications. The system is configured to use ArchiveLink for storing documents on a remote content server, which is working fine.
Now we have a requirement which should restrict access to certain documents to specific user groups. As an example you could say that a Purchase order has (besides others) two documents attached, e.g.
- signed contract
- meeting minutes
The contract should only be visible to a limited number of people, whereas the Meeting Minutes are accessible to everybody.
Our problem is that apparently only one Content Category ("BBPFILESYS") is used by the SRM web applications for an upload. When granting authorizations on this content category, we cannot distinguish between contracts and meeting minutes anymore.
Comparing this with the config in ECC we can freely define document types which can be used in AUTH profiles. Is there any similar solution that can be used in SRM 7.0?
Any help would be greatly appreciated.
Cheers,
MarkHello,
Have a look at note 1334202. It provides some inputs.
Regards,
Ricardo -
Ability to schedule a report to run in background but No access to transact
Hi,
I want to give users ability to schedule a report to run in background but No access to transaction Sm37.
What can be the process/steps to work and morever if we do this is there any disadvantages that users
can face later...
<removed_by_moderator>
Thanks,
Barada
Edited by: Julius Bussche on Jan 28, 2009 1:12 PMSorry, I misread your question - thinking that the report should only be run in the background.
I agree with the others (also about SMX and SMXX to display their own jobs, but not change them afterwards), but which report (tree) is this?
You can still give the user an ability to maintain a variant via transaction VARCH though (no execute possibility) . It will check S_PROGRAM p_action VARIANT or look for a user specific protection flag.
But then the user can submit it online as well from other transactions. That is why I thought you were looking for a way to run it as low priority in the background only.
Cheers,
Julius
Maybe you are looking for
-
I have downloaded system log apps to gain more info on what is exactly taking place in my phone and have saved everything- ports connections IP address local an remote ones -advanced system logs - keg logs in my system logs - ect - there are words su
-
Reading Data From A Text File via AppleScript
Here is my question. I have a text file I need to read data from....this is what the text file looks like opened in text editor: "SLUG , 06/16/06, APPLE COMPUTER INC , 69x8.50, jondnotin now what I need to do is get the 69 and the 8.50 as seperate va
-
Removing black gradient background in new Revolution theme
I've got a project I'm working on where I want to have my own background image applied to the Revolution theme. However, the black gradient covers up most of my background image. How do I get rid of that? I've looked everywhere for that graphic or th
-
Is Bad ESN Phone can be reactive?
just want to know is the Bad Esn iPhone4 can be reactive again?
-
Just bought the latest version of iPod Touch 64G. Loaded my music on it. Every time I hit the music tab I get that annoying "connect to iTunes" message, along with the keyboard. How can I gets rid of it?