S_TABU_DIS and &NC&

Similar Messages

• S_TABU_DIS and non-classified tables (&NC&)

  Does anyone have any insight into providing display access to non-classified tables (&NC&) via authorization object S_TABU_DIS.  Our specific issue at this point is via SE16 with display only access.  Our testing has shown that tables without any authorzation group assigned required a value of (&NC&) in field DICBERCLS in order to make SE16 work.  The challenge is that we have a number of custom tables without any authorization group which means we need to provide &NC&.  If we do this the users automatically get access all the non-classified tables.

  >
  Ed Marks wrote:
  > Does anyone have any insight into providing display access to non-classified tables (&NC&) via authorization object S_TABU_DIS.  Our specific issue at this point is via SE16 with display only access.  Our testing has shown that tables without any authorzation group assigned required a value of (&NC&) in field DICBERCLS in order to make SE16 work.  The challenge is that we have a number of custom tables without any authorization group which means we need to provide &NC&.  If we do this the users automatically get access all the non-classified tables.
  If there is an intention / requirement to display a table, then the best practice way is to create a view in SM30, assign an auth group to the table via SE54, and then create a transaction in SE93 to call that view. Or search for an existing one.
  There are parameter transactions; basically the same thing as SM30.... except the users dont know that. You can also add your own additional checks on other auth objects.
  ''&NC&' means "not classified" as there is no requirement to control the access for the data browser transactions, because there is no intention that a user should display or change them in your concept.
  Cheers,
  Julius

• Protect sensitive HR tables from ABAPer and BASIS

  Hello
  We are trying to work out some security authorizations where in we can protect HR master data through direct access to HR tables through SE16 or SM30 for info type tables like PA0008 or PA0015 etc. I know that these tables have authorization group 'PA' and we can build a role using S_TABU_DIS using this autho group but we have about 30 such infotypes to be protected. If we build a role with S_TABU_DIS and Auth group='PA' we will land up protecting all the Infotypes. Other problem is that if we create a new auth group 'ZPA' for these 30 infotype tables, thats too much customization as we might have problems during future upgrades.
  My question to the forum members is - What solutions were explored or implemented for such situations?
  Thanks
  Snehal

  Dear Snehal,
  Maintain all such sensitive infotypes in a Z table. Implement a proper BAdi/Enhacement that will be called whenver user accesses the transactions that you want to restrict and validate against that Z table. If the entry exists in Z table raise an error message saying 'You are not authorized' else display.
  You would need to bypass this validation for users other than ABAPer or BASIS. For that you may need to maintain proper naming convention or some logic.
  Please check this sample program from other thread to find BADI and enhancement for a given transaction code. You just need to create a custom program in your system by cut and paste below codes.
  REPORT ZTEST.
  TABLES: TSTC,
  TADIR,
  MODSAPT,
  MODACT,
  TRDIR,
  TFDIR,
  ENLFDIR,
  SXS_ATTRT ,
  TSTCT.
  DATA: JTAB LIKE TADIR OCCURS 0 WITH HEADER LINE.
  DATA: FIELD1(30).
  DATA: V_DEVCLASS LIKE TADIR-DEVCLASS.
  PARAMETERS: P_TCODE LIKE TSTC-TCODE,
  P_PGMNA LIKE TSTC-PGMNA .
  DATA: WA_TADIR TYPE TADIR.
  START-OF-SELECTION.
  IF NOT P_TCODE IS INITIAL.
  SELECT SINGLE * FROM TSTC WHERE TCODE EQ P_TCODE.
  ELSEIF NOT P_PGMNA IS INITIAL.
  TSTC-PGMNA = P_PGMNA.
  ENDIF.
  IF SY-SUBRC EQ 0.
  SELECT SINGLE * FROM TADIR
  WHERE PGMID = 'R3TR'
  AND OBJECT = 'PROG'
  AND OBJ_NAME = TSTC-PGMNA.
  MOVE : TADIR-DEVCLASS TO V_DEVCLASS.
  IF SY-SUBRC NE 0.
  SELECT SINGLE * FROM TRDIR
  WHERE NAME = TSTC-PGMNA.
  IF TRDIR-SUBC EQ 'F'.
  SELECT SINGLE * FROM TFDIR
  WHERE PNAME = TSTC-PGMNA.
  SELECT SINGLE * FROM ENLFDIR
  WHERE FUNCNAME = TFDIR-FUNCNAME.
  SELECT SINGLE * FROM TADIR
  WHERE PGMID = 'R3TR'
  AND OBJECT = 'FUGR'
  AND OBJ_NAME EQ ENLFDIR-AREA.
  MOVE : TADIR-DEVCLASS TO V_DEVCLASS.
  ENDIF.
  ENDIF.
  SELECT * FROM TADIR INTO TABLE JTAB
  WHERE PGMID = 'R3TR'
  AND OBJECT in ('SMOD', 'SXSD')
  AND DEVCLASS = V_DEVCLASS.
  SELECT SINGLE * FROM TSTCT
  WHERE SPRSL EQ SY-LANGU
  AND TCODE EQ P_TCODE.
  FORMAT COLOR COL_POSITIVE INTENSIFIED OFF.
  WRITE:/(19) 'Transaction Code - ',
  20(20) P_TCODE,
  45(50) TSTCT-TTEXT.
  SKIP.
  IF NOT JTAB[] IS INITIAL.
  WRITE:/(105) SY-ULINE.
  FORMAT COLOR COL_HEADING INTENSIFIED ON.
  Sorting the internal Table
  sort jtab by OBJECT.
  data : wf_txt(60) type c,
  wf_smod type i ,
  wf_badi type i ,
  wf_object2(30) type C.
  clear : wf_smod, wf_badi , wf_object2.
  Get the total SMOD.
  LOOP AT JTAB into wa_tadir.
  at first.
  FORMAT COLOR COL_HEADING INTENSIFIED ON.
  WRITE:/1 SY-VLINE,
  2 'Enhancement/ Business Add-in',
  41 SY-VLINE ,
  42 'Description',
  105 SY-VLINE.
  WRITE:/(105) SY-ULINE.
  endat.
  clear wf_txt.
  at new object.
  if wa_tadir-object = 'SMOD'.
  wf_object2 = 'Enhancement' .
  elseif wa_tadir-object = 'SXSD'.
  wf_object2 = ' Business Add-in'.
  endif.
  FORMAT COLOR COL_GROUP INTENSIFIED ON.
  WRITE:/1 SY-VLINE,
  2 wf_object2,
  105 SY-VLINE.
  endat.
  case wa_tadir-object.
  when 'SMOD'.
  wf_smod = wf_smod + 1.
  SELECT SINGLE MODTEXT into wf_txt
  FROM MODSAPT
  WHERE SPRSL = SY-LANGU
  AND NAME = wa_tadir-OBJ_NAME.
  FORMAT COLOR COL_NORMAL INTENSIFIED OFF.
  when 'SXSD'.
  For BADis
  wf_badi = wf_badi + 1 .
  select single TEXT into wf_txt
  from SXS_ATTRT
  where sprsl = sy-langu
  and EXIT_NAME = wa_tadir-OBJ_NAME.
  FORMAT COLOR COL_NORMAL INTENSIFIED ON.
  endcase.
  WRITE:/1 SY-VLINE,
  2 wa_tadir-OBJ_NAME hotspot on,
  41 SY-VLINE ,
  42 wf_txt,
  105 SY-VLINE.
  AT END OF object.
  write : /(105) sy-ULINE.
  ENDAT.
  ENDLOOP.
  WRITE:/(105) SY-ULINE.
  SKIP.
  FORMAT COLOR COL_TOTAL INTENSIFIED ON.
  WRITE:/ 'No.of Exits:' , wf_smod.
  WRITE:/ 'No.of BADis:' , wf_badi.
  ELSE.
  FORMAT COLOR COL_NEGATIVE INTENSIFIED ON.
  WRITE:/(105) 'No userexits or BADis exist'.
  ENDIF.
  ELSE.
  FORMAT COLOR COL_NEGATIVE INTENSIFIED ON.
  WRITE:/(105) 'Transaction does not exist'.
  ENDIF.
  AT LINE-SELECTION.
  data : wf_object type tadir-object.
  clear wf_object.
  GET CURSOR FIELD FIELD1.
  CHECK FIELD1(8) EQ 'WA_TADIR'.
  read table jtab with key obj_name = sy-lisel+1(20).
  move jtab-object to wf_object.
  case wf_object.
  when 'SMOD'.
  SET PARAMETER ID 'MON' FIELD SY-LISEL+1(10).
  CALL TRANSACTION 'SMOD' AND SKIP FIRST SCREEN.
  when 'SXSD'.
  SET PARAMETER ID 'EXN' FIELD SY-LISEL+1(20).
  CALL TRANSACTION 'SE18' AND SKIP FIRST SCREEN.
  ENDCASE.
  Alternatively, you can do the following:
  1. For what ever transaction u want the enhancement .. just check for the System-->status (menu) and find out the PROGRAM name....
  2. Double click on to the program name and go inside the program (Abap editor)
  3. Search for "Call Customer-function " ... and u'll get some search results .. If u get results then u have enhancement in that tcode .....
  4. Then it actually calls a Function module .... copy the Function module name .... go to SE80 (object navigator) click on "Repository Information system" then Customer Enhancements .... Give the Function module name in the "Components" field and click Execute ....
  ull get a list of Enhancements related to that Componene....
  5. Choose which ever enhancement will suit ur business need ..
  6. Go to CMOD... create a project .... assign ur enhancement ... and then code ur logic.... activate ur enhancement in CMOD ....... Ur Buisness need will be solved...
  For a user exit......
  Finding whether there is any User Exit or not for tcode VA42
  1. For what ever transaction u want the user exit .. just check for the System-->status (menu) and find out the PROGRAM name.... ( The program name would be for our scenario "SAPMV45A" )
  2. Double click on to the program name and go inside the program (Abap editor)
  3. Search for the word "USEREXIT" .... u ll find all the user exits in the search result .. and find ur's then ...
  Hope this will help.
  Regards,
  Naveen.

• Authorization Groups and table TBRG

  In our system we have tables which are using custom authorization group ZEXC.  I am looking at this via SE11 Table Maintenance Generator or SE54 Assign Authorization Group.
  I can also see that it is assigned to roles by using SUIM -->Roles-->By Authorization values -->entry auth object (S_TABU_DIS) and click on entry values.
  What I am not seeing is that the authorization group is defined in table TBRG.
  So my question is....  An authorization group does not need to be defined in order to attach it to a table or assign it to a role?  If the authorization group was created then deleted is it still valid to have it attached to tables and roles?

  Hi Sharon,
  Assign the authorization to user and make it inactive mode.Then authorization will be deactived to tat particular user's.

• Autho. on program and tables

  Hi All,
  I have 2 question
  1. Is there any way to stop user from direct processing of programs.eg. There are many users who do not have access to SE38 to run any program, but they found a wayaround. They logon to R/3> System> Status> Double click on Programs> it takes you to the source code of the program--> Other Object and then can run any program --> And then Direct Processing....
  Is there any way to stop this and how. Please give me the steps and I am new to Autho.
  2. I have to give access to some users for some tables in transaction SM31. But only few tables?? ( might be Z tables also). Is there any way to give on access to sm31 and only mentioned table?
  Your reply is appreciated.
  Thanks
  Prash

  SAP already has a lot of standard authorization groups available for tables. These can be seen in SE54 trx or in the table TBRG for object S_TABU_DIS. The asociation between the auth group and the tables can be seen in table TDDAT. An example of such an association would be table T000 linked to auth group SS. So if you want to restrict people from changing/creating clients, remove the access for group SS from the S_TABU_DIS object in their roles.
  Now if you want to allow a user access to only some new Z-tables then the procedure would be -
  1. create a new auth group for S_TABU_DIS via SE54.
  2. modify table TDDAT to associate the required Z-tables to the Z-auth group.
  3. create a new role with SM30/31 and the object S_TABU_DIS and only add the new Z-auth group in field DICBERCLS.
  4. assign the role to the concerned user. (remember to remove other roles giving access to this object from the user first).
  For SE38, there can be two type of control - program display (code) access via S_DEVELOP and execution access via S_PROGRAM.
  S_PROGRAM control works on a principle similar to S_TABU_DIS.
  The field P_GROUP contains auth group values for programs which are maintained in the table TPGP.
  The association between the program and the program group can be maintained using the program RSCSAUTH. (this maintains the table SREPOATH).
  Hope this helps. Please award appropriate points.
  Regards,
  Sanju.

• Restrict Open / Close Posting Periods for Users (OB52 / S_ALR_87003642 )

  Hello everybody.
  I'd like to know if there is a way to restrict that some users open posting periods in OB52 or S_ALR_87003642 and some other different users close posting periods.
  Hoping you could help it, as our organization had that policy from our previous system,
  Best regards,
  Elvis E. Henriquez A.

  Hi
  Sorry, but I do not think that's possible in SAP Standard.
  OB52 / S_ALR_87003642 are build around a maintenance view for table T001B. This mean that the access primarily are controlled by the S_TABU_DIS (and S_TABU_LIN) object, and with these object's you can control access to maintain / display only, you can not control the values of the input data.
  I think that you will need to create your own application and authorization object in order to achieve your requirement.
  Regards
  Morten Nielsen

• Error with Maintenance Optimizer in Solution Manager 4.0

  Hi, I am configuring Solution Manager for download SP, I check marketplace and download the guide, when I try to download a SP following message show me:
  "Change requests cannot be displayed or created, because the RFC connection has errors, or is not maintained.
  Check whether the RFC connection to the Change Man agement system is under the key CHARM_DEST (APPLI field in the DESTINAT field), in the view BCOS_CUST. You need authorization for the cross-client view/table maintenance (S_TABU_DIS and S_TABU_CLI).
  Check the RFC connection in the transaction SM59. If your SAP Solution Manager system is also your Change Manager system, the internal connection must be 'NONE'. You need authorization for the administration of RFC connections (S_RFC_ADM)."
  I go to sm59, verify RFC SAP-OSS with correct data, I found at guide following Host :
  /H/54.16.44.50/S/sapdp99/H/54.62.200.35/S/
  When I try press Connection Test Buttom I can not connect to SAP.
  Do you know which can be my error? .....
  Regards.

  Hi,
  Following the note 1024932
  Steps to do before configre the maintance optimizer you need to configure sattilite systems in solution manager.
  go to SMSY and configre R\3 systems.For these systems you need to create RFC connections and Logical comp.
  http://service.sap.com/rkt-solman
  for tutors and PDFs how to set up MOPZ.
  Points if it helpfull
  Regards
  Neni

• DSWP   error in Solution manager

  Dear Sir,
  I solution manager during DSWP Support Package and Stack Inbox 
  Display Systems by:    
  System: All with Leading Role
  All
  Main Instance: All
  Software Component: All 
  Choose the filter button to activate the new filter settings 
  Maintenance Optimizer Maintenance Optimizer List  
  Change requests cannot be displayed or created, because the RFC connection has errors, or is not maintained.
  Check whether the RFC connection to the Change Man agement system is under the key CHARM_DEST (APPLI field in the DESTINAT field), in the view BCOS_CUST. You need authorization for the cross-client view/table maintenance (S_TABU_DIS and S_TABU_CLI).
  Check the RFC connection in the transaction SM59. If your SAP Solution Manager system is also your Change Manager system, the internal connection must be 'NONE'. You need authorization for the administration of RFC connections (S_RFC_ADM).
  No Systems Found 
  How u solve this one
  regards

  hI
  You missed some of the SPRO activities still i guess,
  In SPRO go to Scenario-Specific Settings-->Change Request Management -->Standard Configuration->Activate Integration with Change Request Management
  After this check in SM30 that view BCOS_CUST has the following entries:
  CHARM        W        NONE CUST620        1.0
  CHARM_DEST   W        NONE CUST620        1.0
  else you can manullay add the entries in sm30>Table/View->BCOS_CUST->Maintain>first column =CHARM_DEST, second =W, third=NONE, forth column =CUST620 , fifth Column 1.0
  same as for the entries
  CHRAM W NONE CUST620 1.0
  OSS_MSG W SM_<SYSID>CLNT100_READ CUST620 1.0
  and check the SAP-OSS and SAP-OSS-LIST-O01 connection also fine.
  you can refer this blog [/people/dolores.correa/blog/2008/07/26/first-steps-to-work-with-change-request-management-scenario|/people/dolores.correa/blog/2008/07/26/first-steps-to-work-with-change-request-management-scenario]
  Please check.
  Jansi

• No System Found in Maintenance Optimizer

  Hi,
  I have installed solution manager (ST 400 SP09) and did apply the relevant notes to setup the Maintenance Optimizer.
  I could able to see the “Maintenance Optimizer” button in Support Package and Stack Inbox.
  (Transaction SOLUTION_MANAGER> select the Solution->operation ->Change Management ->Support package Stack)
  But I found following message “No Systems Found” along with the following message
  Change requests cannot be displayed or created, because the RFC connection has errors, or is not maintained.
  Check whether the RFC connection to the Change Man agement system is under the key CHARM_DEST (APPLI field in the DESTINAT field), in the view BCOS_CUST. You need authorization for the cross-client view/table maintenance (S_TABU_DIS and S_TABU_CLI).
  Check the RFC connection in the transaction SM59. If your SAP Solution Manager system is also your Change Manager system, the internal connection must be 'NONE'. You need authorization for the administration of RFC connections (S_RFC_ADM).
  How do I proceed further? I wanted to see the Systems defined under SMSY transaction to be displayed here.
  Can any body help me by providing the exact steps define the systems in Maintenance Optimizer and how to sync the components defined under SMSY with MOZ?
  Regards
  Arati

  Hi Amit
  This doesn't resolved my issue.I am getting following message
  No entries exist, double-click for long text
  Message no. SV065
  Diagnosis
  No entries were found when importing data from the database.
  Procedure
  To create new entries, choose the function Edit -> New Entries.
  To recover deleted data, you must first display it with the function
  Select -> Display Deleted, and then discard changes with Ctrl. + F2 or
  the "Discard Change" button.
  Thanks
  Arati

• How To Configure 'SPRO' Can Display Only?

  Hi Gurus,
      In our ECC PRD circumstances. We need Display-Only authorization for Tx 'SPRO'.
  Do you have any good idea?
  Thanks!
  Jason

  Hi,
  Use the S_TABU_DIS and S_TABU_CLI authorization objects to assign the relevant authorization to the user.
  If you have created an IMG project, you can use transaction PFCG to create a suitable authorization for this IMG project. In transaction PFCG, you have the option of assigning one or several IMG projects. The corresponding authorization profiles are then transferred and can be defined as required.
  Create a new role for this in transaction PFCG. If you are processing the role, you can use the menu "Utilities -> Customizing authorizations" to assign the relevant IMG project and/or project views to the role. The role is then adjusted according to this selection.The user can then start the corresponding setting transaction from IMG.
  Regards,
  JP.

• Restrict HR tables

  Hi
  Could you pls tell me How to restrict HR tables in S_TABU_DIS and display all other
  thanks in Advance

  Hi Prasad,
  As I said, identify all the authorisation groups placed on the HR tables and make sure that these are <i>not</i> included in S_TABU_DIS for the normal users.
  Your HR team will tell you exactly which tables contain sensitive data.  All the tables that don't have an authorisation group assigned to them (you can see this in table TDDAT) should have an authorisation group assigned against them.  Not all HR tables are just in the H* and P* name spaces so you need to get the input from someone who properly understands the tables (you may be able to find a list somewhere here: SAP ERP Human Capital Management (SAP ERP HCM))
  This way you can split table access between Non-HR (They don't have any HR relevant table auth groups in S_TABU_DIS field DICBERCLES) and HR (They have access to the restricted auth groups).
  It's not a straightforward piece of work as access to tables via SE16 etc (I assume that's why you need to protect the data) is not designed for granular access without a considerable amount of additional work being involved.
  I hope that answers your question

• Authorizations for View Cluster

  Hello all,
  I need to maintain authorization for View cluster.
  Example : I have a view cluster say 'VC_TEST' , now I should have an authorization where other employees can only display it.
  Steps which I have followed:
  1. Assigned authorization object to the views of view cluster then created role for the object S_TABU_DIS and assigned all the activites (Create,Change,Display)
  2. Assigned user to the role
  But still other people can edit or maintain the view cluster.
  So could you please guide me.
  Thanks and regards,
  Anil

  HI,
  Reg:Authority Check object
  http://www.techrepublic.com/article/comprehend-the-sap-authorization-concept-with-these-code-samples/5110893
  Ram.

• No authorization for maintaining

  hi
  i am trying to enter the tcode VOFM system shows this massage
  Authorization for displaying table TFRM only (authoriz. grp VS)
  Message no. VP260
  Diagnosis
  You do not have the authorization for maintaining object S_TABU_DIS and the authorization group relevant for the table (maintained in table TDDAT).
  System Response
  No authorization for maintaining
  Procedure
  Enter the authorization for the object and the group in the user master record, if the user is to be authorized.
  help

  Hi sdnguna  ,
  when the message was displaed, use
  Menu system->ustilities->Display authorization Check.
  Send this screenshot to responsible team.
  Regards,
  Clemens

• Configuring Maintenance Optimizer issue

  Hi All,
  This is the first time I am configuring SM 4.0. I am done with installation, and want to conigure maintenance optimizer.
  I followed the IMG guide step by step.
  But after all done, there are no systems listed under the maintenance optimizer of my Solution Landscape.
  Instead I get a message:
  <b>Change requests cannot be displayed or created, because the RFC connection has errors, or is not maintained.
  Check whether the RFC connection to the Change Man agement system is under the key CHARM_DEST (APPLI field in the DESTINAT field), in the view BCOS_CUST. You need authorization for the cross-client view/table maintenance (S_TABU_DIS and S_TABU_CLI).
  Check the RFC connection in the transaction SM59. If your SAP Solution Manager system is also your Change Manager system, the internal connection must be 'NONE'. You need authorization for the administration of RFC connections (S_RFC_ADM).</b>
  Meanwhile I have issue with my J2EE engine not starting due to some UME issues, which I am working on parallely.
  Please do let me know what would be the issue.
  I have followed the note 990534 and doen with the BC sets.
  But I am not sure where am I making a mistake.
  One more doubt is, does maintenance optimizer connect to the SAP service market place through SAPOSS??? and am I not seeing anu system because my SLD is down. Please bear with my ignorance, I am a little lost here.
  I have completed the solution landscape, logical component, etc.
  Please help...
  Regards,
  Sapfan

  Hi JP,
  My current SP levels are:
  SAP_BASIS - 0011
  SAP_ABAP - 0011
  PI_BASIS 2005_11 - 0011
  ST-PI 2005_11 - 0003
  SAP_BW - 0011
  SAP_AP - 0007
  BBPCRM 5 - 0007
  CPRXRPM - 0007
  ST400 - 0010
  ST-ICO - 0008
  ST-SER - 0007
  The issue is I did not connect to SAP yet, as I have only one RFC generated i.e. SAPOSS> Since my SAPRouter is not yet configured, I will connect to a valid  SAPRouter once all the SM config is done.
  I als got sone error in generating RFC for the main system when I used the wizard. I selected Change management and customizing directory and also selected Assign RFC for system monitoring.
  I changed back the UME source to client 001, but still same.
  Moreover the maintenance optimizer is not showing the satellite system.
  I am really stuck.
  Please let me know if you require more information.
  I created the main system and defined the solution, as per the SPRO->Solution Manager -> Advanced Configuration -> Basic settings ->
  I started this only after applying SP10.
  Now I don see the systems both for Setup Solution monitoring and in maintenance optimizer.
  WIll the system not reflect is the java ebngine is down???
  Regards,
  P.K

• SOX related issue

  Hi,
  As per the SOx task we are getting users as per the the bleow:
  Run ABAP RSUSR002
  Transaction Code: SE16
  Authorization Object:
  1) S_TABU_DIS and values 02
  2) S_DEVELOP with value 01 02 06 07.
  I got users list,
  when I search roles by users (from the list which ever i got) with  the
  above authorization but I not getting any roles.
  Can you please suggest em to go a head.
  If they have access with any profile then how can we trace the profile from SUIM.

  Hello pravin,
  I suggest you to find the roles/profiles like that:
  Run ABAP RSUSR002 :
  fill the data like that: object 1- s_tcode-value-se16
  object 2 - s_tabu_dis activity 02
  object 3 - s-develop activity 01 or 02 or 06 or 07
  then you will get a role list where this sox problem exit.
  double-click on user assignment will show you the users with this sox problem.
  good luck.
  best regards,
  Haim Brauner