S_DATASET to be restricted. Generic role to be modified.

Hello All,
Authorisation object S_DATASET needs to be restricted to view files only under directory /interface/ehs/.
through field FILENAME.
I have to restrict two roles for which S_DATASET is maintained as mentioned below.
1)  Role 1
    S_DATASET Authorization for file access
   ACTVT                      06, 33, 34, A6, A7 
   FILENAME                *                  
   PROGRAM                *    
2) Role 2             
   S_DATASET Authorization for file access
   ACTVT                      33, 34 
   FILENAME                *                  
   PROGRAM               RSSO, SAPFSSO, SAPLSO, SAPLSW, SAPLSWT1  
FILENAME needs to be restricted to something like this
FILENAME          /interfaces/ehs/.  such that files only under directory the specified directory can be viewed.
Can anyone please let me know the implication of restricting filename as mentioned above.
Note :The two roles mentioned above are the generic roles and are present in many composite jobs(almost every composite job).
hence any changes mentioned as above will affect large number of jobs and hence significant users will be affected.

Hi Abdul,
There is no issue with the way you are trying to follow.
S_DATASET is used to put a check against file access from ABAP/4 programs. The field FILENAME is to provide the path / directory of the file that need to be read / write during the execution if different Dynpros of SAP Transaction.
So you can use the value in FILENAME as:      /interfaces/ehs/*
Please note that if the file being read or write is in different directory or path in other systems somehow then the user will get "Failed authorization Check" error.
Let me know for any more question.
Regards,
Dipanjan

Similar Messages

  • How to restrict selected Role under a Role???

    Hi Friends,
    I have 3 roles, which are Role-1, Role-2, Role-3.
    Role-2 & Role-3 are Under/Part of Role-1.
    Now, I have assigned Role-1 to a user. By doing this, When he logs in he is able to see the Role-2 and Role-3 also eventhough we havent assigned Role-2&3.
    Now My question is, How to restrict a role under a role. For example, I dont want to show Role-3.
    When i checked the user roles assigned, i see only Role-1 but not 2 other roles.
    Could anyone advice on how to make unwanted role in role. Assuming, no one is going to assign directly with Role-2 & Role-3. They got assigned only Role-1.
    Thanks for u r time!!
    Thanks,
    Raghavendra.P

    Hi Praveen,
    Thanks for important/useful information. I really dont understand is., Inspite of giving the properties to the each of role/workset, How do we call the approprite under the role. for example :
    If we have Role-2 with propery dept=sd,
    and Role-3 with propert dept=xi, etc.
    Now i have Role-1, within which i have Role-2 and Role-3.
    Now, if i want to see only roles with dept=xi then where should i mention and what should i mention.
    I understood till creating the properties, assigning the properties to roles/worksets, giving values to properties.
    Only i doesnt understood is how to activate which we want in the scenario.
    Thanks for your time..!!!
    Thanks,
    Raghavendra Pothula

  • Restriction in roles

    Hello Gurus,
    Iam working on a SLO project, There are 5 systems and all need to be merged.
    Each and every system has their respective roles, Now i need to bring all roles in to the target system and restrict the roles with respect to their system.
    Iam trying to restrict the roles with the organisational levels present.
    Is their any more restriction need to be done ?
    please provide some inputs.
    Thanks,
    Sanketh.

    Hi Sanketh
    If that is your remit then it looks like your project management have not scoped the activity properly and they have left you to pick up the pieces.
    It sounds like you are doing the right thing for the custom developments, though you will end up with additional work with the * in the org levels.
    If you need to restrict each role set to only be able to see it's own data:
    1. Get the project to deliver you an organisational matrix listing all the org level elements that belong to each company.  You can get the org levels from table USORG.  insist that this is provided as one of their deliverables and provided ASAP.
    2. ID all the org levels that are not relevant and you can keep a * in
    3. Using the org level matrix you can now start to work on the roles to make sure that the roles only contain the org data for that company.  If company x has a certain list of company codes then you need to maintain all those
    4. Remove access to view tables & directly execute programs
    5. Remove access to SQ00 or SQ01
    Are you responsible for maintaining this after go-live?  If so then you really need to start to assess that the roles support the functional scope of the to-be systems.  Get the updated roles included in the cutover testing so that you can get validation that you have done what was asked and it tested OK before they are deployed into live.
    I can't send any docs as previous work is either covered under client confidentiality arrangements or is our intellectual capital.  I am more than happy to provide feedback on here though.
    Good luck!

  • Restrict the role of User Administrator

    Hello all,
    I need to know that if it is possible to restrict the Role of an User Administrator to assign only a specific set of Roles to the end user.
    For example : The user administrator should be able to assign only say Managers, Employees Roles to the Users and not any other roles like Super Administrators etc.
    If so, how can we achieve that?
    Regards
    Avik

    There is a authorization object (combined with a parameter) that does this restriction:
    S_SPO_PAGE
    Definition
    Using authorization object S_SPO_PAGE, you can restrict the maximum number of pages of a request that can be printed on a particular printer.
    This authorization check is only active if profile parameter rspo/auth/pagelimit is set to 1.
    Defined fields
    SPODEVICE       Device name for which the restriction is to apply.
    SPOPAGES        Maximum number of pages allowed; enter a range (0 to n) here

  • Generic roles in sap

    Hi All,
    I am nery new to sap. I need what are the generic roles and their description in sap like admin, user etc.
    Apart from admin,user any other generic roles are avilable or not.I need complete information.
    Can you help for this one.
    Regards,
    jhansi.

    Jhansi,
    In SUIM it will ask for role name and single/composite role.
    ???  ALL roles are displayed in SUIM.  In a list.  Select Roles > Roles by complex Selection Criteria.  Leave blank and execute to see all roles existing in your system displayed in a list.  "As delivered" (by SAP) roles can be found by entering SAP* in the 'Role' field.
    Most of the SAP type roles are documented in SAP online help.  http://help.sap.com/search/sap_trex.jsp Select the ERP system suitable.  For a generic search, enter "Role" as a search term, execute.  On the right, selelct Info Class 'Role".
    Best Regards,
    DB49

  • Oim 11g r2: data access restriction using roles instead of organisations

    can i implement data access restriction using roles instead of organisations in oim 11g r2?

    in my use case a particular user can be member of more than one organisation. as far as i know oim does not suoport this use case using organisation, so i decide to use roles to represent my "organizations", but now i loose all the data access restrictions (scope).

  • Internet Restriction of Role or Workset in Portal

    Hello SDN'ers
    I have a requirement of restricting one role to the users who are accessing our company portal thru internet...
    How should i go about it....
    Please Help..
    Thanks n Regards...

    Hello Saxena,
    You could have a diferrent desktop for the users accessing your portal
    through internet (probably the easiest way is by configuring a portal rule
    based on User or URL Alias) and within that desktop filter/restrict the role
    in question.
    More details on how to do this:
    - Step 1 - Portal display rules for determining which portal desktop
    http://help.sap.com/saphelp_nw04/helpdata/en/4b/29cf122f414721964269e1b675d62c/frameset.htm
    - Step 2 - Filtering the role
    http://help.sap.com/saphelp_nw70/helpdata/EN/5e/e855a35455458aa4df21a4339722c7/frameset.htm
    good luck!
    Rafael

  • Generic role for Display

    All,
    I don't think that this is an "issue" but it is definitely something of a convenience problem. Our company has about 50 stores and each of them would have 2-3 generic role for a generic display login.
    I have been asked to create a role in such a way that store A cannot see the inventory /  data of store B. Now we can have 50 different roles for 50 stores and change the Store Numbers (Company) in the  Authorization Objects (Again, Im assuming that this would work..not sure though). But this would be cumbersome to create and manage. Besides each store gets about 3 different roles which makes it at least 150 roles.
    Is there any other way to do this. I hope I'm being clear about what is needed. I need just 1 generic role assigned to all the stores, but they still should not be able to see each other's information.
    Thanks,
    Kunal

    Hi Kunal,
    Putting aside any thoughts of a generic login for the time being (you might want to check your licence terms) then there are are a few ways that you can achieve this.
    Most straightforward would be to use derived roles.  Create your 3 master roles and then derive them at the lower level - 1 per company (if you data can be adequately segregated that way - you need to make sure that it can!). 
    If you are only differentiating on company and there is one company per role then you could script the creation of this pretty easily and populate the org levels using a CATT script (tutorial on ********************* ).  If you are on ECC6 then to be honest eCATTs will take rather longer to get working for org levels than it would take to build your 150 variants.
    You could use enabler role method (use the search on terms "enabler role" or "value role") but to be honest the reduced number of variants you will need to build is going to be outweighed by the complexity of the solution.

  • Generic Role Template

    Hi, is there a template for a generic role that has no access to SPRO and any development related stuffs?
    Thanks in advance!

    Hi
    FYI,
    ALE provides administration, development and testing tools.
    To use the ALE tools choose Tools ® IDoc Interface/ALE.
    ALE business processes are part of the standard SAP application system delivery. They are described in the application documentation (Library of ALE Business Processes).
    For more information about the required system settings see the Implementation Guide (IMG):
    Transaction SPRO ® SAP Reference IMG ® Application Server -> IDoc Interface/ALE (or the transaction SALE).
    For information on programming see the ALE Programming Guide.
    To make it easier to assign ALE functions to specific user types, the following user roles have been defined:
    ●     ALE administration                                         SAP_BC_MID_ALE_ADMIN 
    ●     ALE development                                            SAP_BC_MID_ALE_DEVELOPER
    ●     Master data distribution for logistics                       SAP_BC_MID_ALE_MD_LO
    ●     Master data distribution for financials          SAP_BC_MID_ALE_MD_FI
    ●     Master data distibution for HR                    SAP_BC_MID_ALE_MD_HR
            please go thru this link..
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/0b/2a60bb507d11d18ee90000e8366fc2/frameset.htm
    hope this info helps..
    with regards,
    Rajesh.
    award suitable points

  • Need to restrict users from adding or modifying folders or reports

    Requirement: Need to restrict users from adding or modifying folders or reports through Info view and to reflect the modifications only thriough LCM.
    Issue: Customer wants to restrict users from adding or modifying existing reports from Infoview and need to force users to do make the changes through Life cycle manager tool.
    As per my understanding LCM can only be used to to promote folders and objects from one environment to another and to schedule the promotion of these jobs on a daily basis.My query is:
    Can we add or modify existing reports or folders using the LCM tool?
    Could you please help me out in this issue and provide me your suggestions.
    Thanks in advance.
    Prashanthi Rayaprolu.

    You can not restrict that using LCM. Need to modify the rights at the folder level.
    Explicitly remove the following rights for the user group,
    Add objects to the folder
    Edit objects
    Delete objects
    Copy objects to another folder (check this if required)
    Once the above four are denied then users wont be able to Edit/Add/Delete reports in that folder.

  • Creating Restricted Helpdesk Role

    I am trying to create a helpdesk role in the portal that will only allow the helpdesk to reset password and unlock an id.
    I am almost there. I created a new role then linked the sap provided workset "delegated user Administration".
    I then removed all except search, previous search results, and locked users.
    The problem is, the results pages still have a delete button, copy to new, and the edit page allows the helpdesk to edit all of the user's info.
    How can I remove unwanted buttons? And when in the edit screen they click the pencil (we don't use the automatic password reset) to reassign a new password, all of the user fields are displayed. How can I edit that page to only provide the password fields?
    Thanks.
    Nicole

    Hi Nicole,
    See How to restrict UME-Action-rights to reset password an unlock user ? - discussed there are the possibilities to define a permission set for UME actions. Maybe that would be the best solution, as you could/should use the standard UIs for your concerns. The alternative I suggested was based on the "old" UserAdmin user interfaces (not WD). A third way would be to develop a small applications for your needs - as this is not ver mighty, it should'n be a big problem / task...
    Hope it helps
    Detlev

  • Requisition for approval using - Restricted Recruiter role

    Hi,
    We have implemented SAP eRec EHP4. As of EHP3 the restricted recruiter was only able to create requesition in Draft mode and release the requisition for approval.
    We are using WD on SAP EHP4. We have provided SAP_RCF_RES_RECRUITER_ERC_CI_2 role in R3 to one of the user and Recruiter role on the portal. But when I try to create a requisition and try to release it, it gets released instead of going for approval......
    What have we done wrong.....Is there some other way by which the requisition can be sent for approval in EHP4......
    Thanks

    Hi All,
    In the meantime I was testing the BSP application since I had to give a demo to the client.....Here I could run the workflow, but when I launch the recruiter "approval" page it gives me an error
    BSP Exception: Das Objekt default.htm in der URL /sap/bc/bsp/sap/hrrcf_approval/default.htm?objid=90005527&otype=NB&plvar=01&requestdate=20100723&requestedRsncode=01&requestedstatus=1&requester=Mr%2etesttest&SAPWFCBURL=http%3a%2f%2ftcssol%2ehrservicesonline%2ecom%3a8002%2fsap%2fbc%2fwebflow%2fwshandle ist nicht gültig.
    I saw through SE80 there is no page like default.htm how do I resolve this, is this also connected with upgrading our SP level?
    Thanks
    Subbu

  • CUP question - Possible to restrict available roles based on the requester?

    Helo all,
    One of our customers wants to put restrictions on the access requester in the CUP module: meaning that some requesters should only be able to request roles assigned to functional area u2018Procurementu2019, while other requesters should only be able to request roles that are assigned to all functional areau2019s except for u2018Procurementu2019.
    Do you know if this is possible or do you see an alternative solution?
    Thanks in advance,

    There is no real way to restrict people from doing that, but you could use the buisness process in role attributes to ensure if the select the correct buisness process only roles listed under a particular buisness process are listed when being searched.
    You could make the buisness process field mandatory on the main screen and than that gets carried over when searching for roles, obviuosly that can always be changed by the user.
    regards,
    Chinmaya

  • Restrict Moving roles with user assignment

    Hi There,
    Need your help...
    How to restrict to move roles from dev->QA with user assignment. (want to disable the user assignment restirction)
    Thanks and Regards,
    Gnanaprakasam

    Unfortunately this is not the default installation setting, so you need to go into the security settings customizing and change the USER_REL_IMPORT switch to 'NO'.
    This does however NOT make the checkbox disappear in the transport source system. It prevents the import in the target... so you must set it and transport it there first, then it works.
    Cheers,
    Julius

  • Any ideas on restricting userID Role Assigment within the SAP Security Team

    Hello,
    I have gotten a request to look into restriction of assignment of roles to oneself within the company SAP Security Team. Thoughts I have come up with so far involve the use of UserID User Groups, Role Assignment Ranges, and forcing all role assignements for all userIDs through GRC-AC CUP for QA and Prod. Has anyone come up with a workable solution that is outside of these suggestions that they have put into practice?
    Thanks in advance for your help!
    John

    Hi John,
    There can be a manual control in place and individual should not assign role/s to himself / herself.
    Otherwise, security team members can be assigned to a specific group (let say Security) and they shouldn't have access to authorization S_USER_GRP with ACTVT 22 & CLASS - Security.There should be a dedicated power user to assign the role/s to the security team members and this can be auditted (SM20 log for manual super user / FireFighter log for FireFighter user).
    Thanks
    Prasanna

Maybe you are looking for

  • Tabstrip does not save when first clicked

    After I set all the input field to be required for my 3 tabs in my tabstrip, I am only able to save the data in text field after I click the save button the second time and not the first time. Clicking Save button first time: http://img407.imageshack

  • Nonlinear curve fit

    Hi everybody, I am trying to fit a custom nonlinear curve to my data. I want to fit a curve to the data twice. After the first fit, I want to use the coefficient a (6.57962) in my second curve fit as my coefficient b. When I try to use this and creat

  • Not applicable message

    In attempting to re-DL LR5 there is a message "Not applicable" in the DL box. It is under three years and I believe I DL'd originally  and then again after a PC crash which has happened again. What are my options? There are two other DL's in "Multipl

  • Printer compatible with Windows 2000 and Windows 8 operating system?

    My office needs to access a terminal server hosted offsite.  The terminal server uses Windows 2000.  My laptop is Windows 8.   Since I upgraded my laptop I am no longer able to print.  Do they make a computer that is compatible with both versions of

  • Can anyone give me a LabView program to do impedance spectroscopy (capacitance-frequency) with a HP4284 LRC interfaced to a probe station?

    I am trying to measure the frequency dependent dielectric function of some polymer systems.  Our group has a HP4284 LCR meter interfaced to a probe station, however we lack the LabView code to perform frequency dependent capacitance measurements (i.e