Restricting SM30 via auth. groups, any flaws in thinking?

Hi,
I got a request to assign SM30 to a role as table J_1IEWT_ACKN_N needs to be maintained monthly. I checked an earlier thread regarding this table, and in this case maintaining table in DEV + transport is also not accepted.
This role also includes other table maintenance activities (period opening/closing, exchange rate maintenance), but for these SM30 is not required. As this role would now include SM30, it would possibly grant access to quite a bunch of tables (through S_TABU_DIS, DICBERCLS values KC and FC31).  User with this role would not have any other roles.
I created a Zxxx-authorization group in SE54, assigned it to the J-table and then included this auth group to S_TABU_DIS object.
As this role only needs access to a few tables, I was thinking of changing the authorization group assignments of these tables from KC/FC31 to Zxxx and then giving only DICBERCLS value Zxxx to the role.
Does this sound like a reasonable solution? Can I just change the auth group assignments of the tables in SE54 or does this have any consequences that should be acknowledged and that I'm not aware of?

You should try to find an existing group which contains data with the same classification as this one, and use SE54 to assign the value to it. Possibly, if the correct set of users are already classified for that group then you don't need to change anything inthe roles.
If nothing which already exists matches the classification of the data, then classify it yourself by creating the Zxxx group and assign it via Se54.
If Z-groups already exist, as for the documentation on the concept so that the one you create or use is conform with the intended concept and naming conventions.
There is nothing wrong with a Z-table authorization group.
Cheers,
Julius

Similar Messages

  • Restricting Access via User Groups

    So I have created some user groups via the Administration page in APEX. I would like to use these groups to control access to various tabs in my database application. Can someone please tell me how I might go about doing this? I can't seem to locate a good example.
    Thanks,
    Mark

    Hi Mark,
    You can e.g. create an authorization scheme (shared components) - pl/sql function returning boolean.
    You can use some functions in apex_util to determine if they should have access. e.g. apex_util.current_user_in_group(p_group_name in varchar2); http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21676/apex_util.htm#BABHCBEG
    Then just apply that authorization scheme to the tab and consequent pages associated to the tab.

  • Anyconnect IKEV2 restricting access via AAA auth Group

    Hi Everyone,
    I have ASA config with 2 connection groups
    Say Group  1 and 2.
    Currently both are assigned to Same Auth AAA group
    One of our external vendor has access to both XM files of connection group 1 and 2..
    If i want Vendor should connect only to  Connection Group 2 should i change the AAA auth group for connection group 2?
    Then even if he tries to connection group 1 it should not work as AAA Auth group will be only assigned to Group 2 right?
    Regards
    Mahesh

    Hi Rick,
    There is info
    Our ASA is configured with two connection groups.Our Vendor has XML files of both the
    Connection groups say                                      1 and 2.
    AAA Authentication group  called ----------------- RSA  ----Two servers are there in RSA group.
    We are using 2 factor Authentication.
    We want vendor to connect to connection group 2 only.
    We have two RSA Authentication  servers they are in HA mode so if one dies other can do the authentication.ASA has only 1 authentication  group called say RSA and both connection groups 1 and 2 are tied to the same Authentication group called RSA.
    If i configure new AAA server group say RSA2 for connection group 2 but it has same 2 servers will
    it restrict the vendors connection to connection group 2 only?
    Also when you say --- authentication server can differentiate between the vendor users and other users and supply a group membership ID in the authentication response?
    Need to know how i can do this?
    Regards
    MAhesh

  • Restrict posting period only a limited set of users using Auth Group

    Hi all,
    Can someone help me in restricting posting period to only a limited number of users?
    Currently OB52 settings look like below:
    From Per.1  Year  To Period           From per.2   Year    To Period
        7                 2009         8                          8              2008            8
    My requirement is:
    I want to only few users to post in the 7th period and all others to post in the 8th period.
    I know this can be done via authorization group: Can someone please help me with the steps invloved in solving the same?
    Thanks in advance
    Sidharth
    Basis Administration

    Hi Alex,
    Thanks for your response!
    I have added F_BKPF_BUP object manually in the test role and assigned 0002 auth group in it.
    I have created auth group 0002 and assigned table T001B in SE54.
    Auth group 0002 is then assigned in the OB52 at the last column. This should restrict the posting for period 1 which i need to restrict for some users.
    Now as per the logic, if we dont assign any auth group, users should not be able to post for that period. But in my case user is able to post successfully via F-02.
    Please help me as we need to implement this before month end.
    Many thanks for your valuable help!
    Thanks
    Sidharth

  • Restricting HR Tables fields via auth object?

    Happy Holiday's everyone!
    We have a custom tcode for Pricing Admin report which currenltly only has S_Tcode for an auth obj.  It was combined in a role that we removed the HR authorization from and apparently these were interdependent but undocumented.  Now the pricing transacation no longer functions. 
    Instead of just adding back the missing HR authorizations back into the custom Tcode I'm being asked if  we can restrict PA00002 (the table being called in the program) to first name, last name and personnel number fields.  Is there an authorization object that will let me restrict in this manner or do I need send this back to the developers to write in the code? 
    Or can I restict to these fields via authorization groups (something we are looking into implementing more next year).
    Thanks
    Kris Wise

    That is a bad omen for the next year...
    Try to change the code this year still to deliver only the fields you want from the infotype or go for an "existence check" which no authorization requirements as that is what you seem to be wanting.
    Being custom code, you should post the problematic part to discuss a solution.
    Cheers,
    Julius

  • Creating a auth group

    Hi,
    I want to restrict access for a user in such a way that he sees only the following tables.
    AGR_define
    TSTC
    USOBT
    All these tables come under the auth group SA, SS or SC which is SAP delivered. Now if I give any of these auth groups, then the user will have access to all the tables within this authorization group. I tried to create a new auth group in SE54 and when i tried to assign the auth group to one of the SAP standard table, it would not let me do it. It gives the following error message ' choose the key from the allowed namespace'
    Is there any way to restrict access to a few SAP standard tables?, thanks in advance
    regards,

    I guess you'll give acces via transaction SM30 or SE16 ? If restricting on auth group is not enough you can try to make a 'transaction variant'. Start transaction SHD0, than you will go through the transaction and after each screen you'll have the possibility to choose what you want to see, with or without context,...So in transaction SM30 you can choose to skip the first screen and with the new transaction the user won't be able to change the table.  You can afterwards assign a transaction to the variant, put this transaction in a role and assign the role to the user. The user will be able to start transaction SM30 but will go directly to the second screen, so he will not be able to put another table in the selection screen.
    When the user is allowed to only those 3 tables you have to create 3 transaction variants. This is a quick explanation, but If this is usuable you'll probably have more info on searching on transaction SHD0

  • SCU3 Activity 02 on S_TABU_DIS Auth Group SA?

    Hi,
    We recently moved from EHP5 to EHP7 and an additional check is done when using transaction SCU3 for S_TABU_DIS / Group SA / Activity 02.
    We have 2 Z tables maintained by our data team; 2 Z transactions allows for the table maintenance via SM30; both tables have been associated to a Z authorisation group.
    Since EHP7 has been implemented we can no longer view the log on these tables.
    SU53 and traces are listing the need for S_TABU_DIS Activity 02 for the SA Auth group; that group is created by SAP and covers quite a few other tables; I have tried to limit the access to the log table DBTABLOG via S_TABU_NAM but it is still not working.
    I can't understand why activity 02 should be required at all in that scenario and can't find any related OSS Note.
    Has anyone come accross a similar issue. I am not sure why a change activity shoudl be required when I only want to display the change log.
    thank you
    Coco

    Hi,
    are you sure that missing authorization for DBTABLOG is causing your issue? It is checked because you can delete logs in SCU3. Hence it has to check for 02 - change. It should not get checked when you only want to display logs. Have you tried to debug this transaction and see what's going behind?
    Cheers

  • How to Assign Event to Auth Group

    Hello All,
               Please suggest is there any way to assign Event to Auth Group.
    Scenario is:-
    Add event ZHCM*  to its own authorization group.These changes to SM64 are needed in order to assign the transaction (restricted to the custom program only) to Payroll for kicking off their interfaces after each payroll run. Please create custom auth group say ZPAY and assign the ZHCM* event to this new auth group.
    Thanks in Advance !!
    Best Regards,
    CB

    i hope you are assigning to the radio group not to a radio button. i mean u could have radio group xx with buttons butt1,butt2 , butt3 etc. u cant have
    xx.butt1 := 100
    Besides that it's perfectly acceptable by oracle to assign to a radio group unless of course the variable is badly spelt
    Hope this helps
    Lewis

  • How do Auth Groups assigned to BOMs

    Security Folks,
    How can the auth groups used on the Bill of Material (BOM) ? I assume they need to be created by Functional folks via SPRO. Any input is appreciated.
    Thanks.

    Hi,
    Auth groups are assigned within the BOM itself.   When you create or change a BOM, you add the auth group in the header section.  Whoever is responsible for the creation / change of BOM's maintains the auth group which can then be used with C_STUE_BER.

  • IS IT POSSIBLE TO RESTRICT A PARTICULAR MATERIAL GROUP FOR A USER

    Hi Gurus,
    I want to know whether it is possible to restrict a particular material group for a particular user.
    e.g Material Group : 101
    User : ADMIN
    Our requirement is that the user should not be able to select material group 101 in
    any stock related transactions. e.g MB5B, MB51, etc.
    Thanks
    Amol

    Hi Amol
    You ca try Tcode OMT3E where in u can maintain settings relatesd to Users.
    Regards

  • I forgot my restriction number. Is there any possibility to get in the programm?

    I forgot my restriction number! Is there any possibility to get in the program?

    Hey rashad35,
    Thanks for the question. Unfortunately, if you have forgotten the restrictions passcode on your device, you’ll need to restore it to factory settings:
    Note: If you lose or forget a restriction passcode, you will need to perform a factory restore to remove it.
    via iOS: Understanding Restrictions (parental controls)
    http://support.apple.com/kb/HT4213
    Thanks,
    Matt M.

  • How to get list of Users under an Auth Group (for executable Programs)?

    Hi experts.  I have a requirement to get a list of all users under a particular Auth Group for Program Objects.
    Goal of this requirement is to identify the users allowed to use/access a program - we're doing some sort of Program Inventory and we'd like to identify the users per program, via the Auth Group. 
    So question is:  Which tables hold data about Program <-> Auth Group <-> Users, and how are they linked?
    I know this is Basis/Security stuff, but I was thinking of developing a report program to output the information needed.
    Thanks in advance.
    Edited by: George Esquerra on Nov 17, 2011 10:24 AM

    This is available in the standard via tx SUIM - user - users by complex selection criteria - by authorization values.
    If you enter auth object = S_PROGRAM and value = auth group, you will get the list of users.
    You can analyse how this program finds the information and incorporate it into your own logic.
    Thomas

  • Assigning Auth group using std program

    Hi All,
    I am working on assigning Auth Groups to few of my programs...and for this I used the standard program provided by SAP i.e. RSCSAUTH. Now one of my program is in RQ and I need to change the auth group attached to it ... can I change the auth group attached to that program using the same program RSCSAUTH (without doing any changes in the development box or without creating the new transport)..... can you please help me with this.
    Thanks,
    Rajeev Gupta

    Hi rajiv, iam facing the same porblem, can you pls guide me on this. iam new to authorizations. Thanks.

  • Auth Group vs Authority Check

    Hello -
    I am adding an Auth Group to my programs using SE38 in the Attributes screen.  Is it also necessary to have code in my program that checks for S_PROGRAM or is it sufficient to add the Auth Group to just the attributes section.
    Thank you for any insight.
    Mary Kathryn

    Adding a authorisation grp is sufficient no need to check the authorisation object within the code. The assignment of a program to an authorization group plays a role when the system checks whether the user is authorized to:
    Execute a program
    --> Authorization object S_PROGRAM
    Regards,
    JOy.

  • Program to assign auth group to the tables?

    Hi everyone,
    Does anyone of you know if there is a program that I can use to assign the auth group to the SAP std table(in case if I need to) and customized tables. I know I can goto Se54 and assign an auth group there but was hyst wondering if there is a program like RSCSAUTH which we can use for assigning the auth group to the programs.
    Please suggest.
    Thanks,
    Raj

    Hello Raj,
    You donot assign auth. group to tables but rather to the Maintenance Generator.
    I think SAP will not provide any std. program for this.
    Maybe other SDNers have some better ideas to share.
    BR,
    Suhas

Maybe you are looking for