SM30 authorization

Hello all,
Is it possible to add an authorization object to a generated maintainance table view (to be used in sm30) so that the users can only see or add speficic entries to the table?
Thank you
Nuno Silva

HI,
do this way ... Go to Function Group source code Create a custom include and write the below custom code in a module
module check_autho.
* Authority Check
authority-check object 'M_RAHM_EKO'
 id 'EKORG' field 'ZMP18-EKORG'
 id 'ACTVT' field '01'
 id 'ACTVT' field '02'
 id 'ACTVT' field '04'
 id 'ACTVT' field '09'.
if sy-subrc <> 0.
 message e000(zz) with
 'You are not authorized to update ZMP18 table for Purchase Org.' zmp18-ekorg.
endif.
endmodule.
In the PAI of flow logic of that overview screen after module set_update_flag on change request write the below custom code
module set_update_flag on chain-request.
 endchain.
*Start
 chain.
 field zmp18-ekorg.
 module check_autho.
 endchain.
*End

Similar Messages

Controlling SM30

Hi Experts,
Can you guide me on how to have control over a table.
For example i have a table ZPP_PLANNING which contains my planning data and i am having 2 users ( USER1 and USER2 )
Now both the user have SM30 authorization and can maintain tables.
As per may requirement, the SM30 authorization should not be removed from both the user but only USER1 should be able to change and modify ZPP_PLANNING table. In case USER2 tries to modify the table he should not be allow to do so.
Is there any way out to get the above given scenario.
Warm Regards,
Mehul.

Hi Mehul,
You need to ontrol through authorization object S_TABU_DIS.
Read the below discussion.
how to use authorization group in SM30 | SCN
Thanks & Regards,
Ramagiri

Table maintenance Vs Maintenance view

Hi,
I would like to know the dif between T.Maintanance And Maintenance view.
As we know as per the def we know Maintenance view will be used to maintain a table. But I have never created any M.view for the same.
However we use Table maintenance generator and SM30 for the same. How these 2 concepts are differnet?
Which one is the best method 2 use?
what one step and two setp process? Advantage and usage of 2step process?
Thanks in advance.
PRa

Praneet
In SM30 we can enter values manually
main diff between these two is "Authorization"
in sm30 authorization for all users not allowed.
for extended table maintenance see this below link
http://help.sap.com/saphelp_sm40/helpdata/en/67/86b257415811d1893d0000e8323c4f/frameset.htm
Reward if usefull
Regards
Raghav

Cocode check at PBO and PAI

Hi
I should not allow Cocode AD01 records to update and Display when user has authorization for CoCode AD01.
i know in Event its possible, but we need to do it in PBO PAI of Screen.
PBO
*First statement
Module Authorictycheck.
Include LZXXXO01
module Authoritycheck
LOOP AT EXTRACT.
 AUTHORITY-CHECK OBJECT 'ZCHECK_BUK'
 ID 'BUKRS' FIELD ZTTL01-BUKRS.
 IF sy-subrc <> 0.
*delete the record from EXTRACT table.
Append Extract.
 ENDIF.
ENDLOOP.
endmodule
Does the above PBO code will work for display nonauthorized company code?
In PAI, No idea where to write and which table should i have to loop. Pls advice.
Regards
Prince

Hi
When the user tries to change the record in SM30, Authorization check
for the BUKRS has to be done and display error if no authority.
In PAI, under LOOP at Extract, i have added AUTHORITY_BUKRS module
and made below code. but the Authority check occurs when i click the edit button in SM30 screen.
but requirement is error should trigger only after change occurred for record.
Can you pls suggest how to handle this problem?
LOOP AT EXTRACT.
 MODULE LISTE_INIT_WORKAREA.
 CHAIN.
 FIELD ZXXXX-COCODE .
 FIELD ZXXXX-MATKL .
 MODULE SET_UPDATE_FLAG ON CHAIN-REQUEST.
 ENDCHAIN.
 FIELD VIM_MARKED MODULE LISTE_MARK_CHECKBOX.
 CHAIN.
 FIELD ZXXXX-COCODE .
 MODULE AUTH_CHECK_UPDATE. <-Added Module
 MODULE LISTE_UPDATE_LISTE.
 ENDCHAIN.
MODULE AUTH_CHECK_UPDATE INPUT.
Authority-check OBJECT 'Z_XXX_BUK'
 ID 'BUKRS' FIELD ZTAUTH-COCODE.
If sy-subrc <> 0.
MESSAGE E105(ZSCM01).
ENDIF.
ENDMODULE.
 Regards
prince
Edited by: princeck on Sep 16, 2011 3:33 PM
Edited by: princeck on Sep 16, 2011 3:42 PM

Excise Rejection Codes

Hi,
I have configured Excise Rejection code in Devolopment server. But its a non transportable object. For maintaining the same in Production server , authorization for SM30 is required. But SM30 authorization cannot be provided. Is there any other way of maintaining rejection codes in Production server.

hi
how u have created the codes in dev in similar way create in the production server
now if u have creatd through SM30 in dev server then go to SM30 give table and then click on find maintainance u will get the path
or click on customizing here u will get the path
or go to spro >Tax on Goods Movements>India>Business Transactions>Incoming Excise Invoices>Maintain Rejection Codes
hope it help
regards
kunal

Z Table which can be maintained in productional environment

How can i define a Z-table so that it is maintainable in production?

Create Table Maintenance generator for your Z table
Goto SE11 give ur table name then click Change
now goto Utilities and click Table Maintenance genrator .
Give Authorization Group,Function group and click Create icon to generate.
You need to provide SM30 authorization for the user for maintaining data in table.
Regards
Rajesh

SUIM security-audit checklist....

hello, i found a check list SAP security-auditing in SUIM. i searched some of them in internet but my mind confused.
i think it can be very helpful checklist for people working in SAP security-auditing.
if you have time, can you tell me please what these reports mean? with 1-2 sentences.
( i know they are a bit much but i think it can be realy good source for people wants to work in SAP security- auditing like me.)
Thank you very much
Regards..
SUIM--->>>>
1) S_TCODE = SM36,Authorization Object 1: S_BTCH_ADM = Y; Authorization Object 2: S_BTCH_JOB = * for Job Operations and * for Summary of jobs for a group; Additional selection criteria – Unlocked users only
2) S_TCODE = SM37; Authorization Object 1: S_BTCH_JOB JOBACTION = *; Additional selection criteria – Unlocked users only
3) S_TCODE = SM35; Authorization Object 2: S_BDC_MON1=*, Additional selection criteria – Unlocked users only
4) S_TCODE = SE18; Additional selection criteria – Unlocked users only
5) S_TCODE = SE19; Additional selection criteria – Unlocked users only
6) S_TCODE = SM69; Authorization Object 1: S_RZL_ADM= 01; Additional selection criteria – Unlocked users only
7) S_TCODE =SM49; Authorization object1: S_LOG_COM, COMMAND Value: #*; POSYSTEM Value: #*; R/3 Value: #* additional selection criteria: unlocked users only
8) Authorization object 1: S_RFC; RFC_TYPE: FUGR; RFC_NAME: #*; activity: 08; additional selection criteria: unlocked users only
9) S_TCODE = SECR;” “authorization object1: S_IMG_ACTV, Project no: 900; ACTVT = 02; IMG Value = #*” “authorization object2: S_PRO_AUTH Project no: 900 ACTVT: 03” “additional selection criteria: unlocked users only
10) S_TCODE=SU01: Additional selection criteria – Unlocked users only
11) S_TCODE=SU01; 2: Authorization object 1: S_USER_AUT; ACTVT Value=03 or 08” Additional selection criteria – Unlocked users only
12) S_TCODE=SU02; Additional selection criteria – Unlocked users only
13) S_TCODE=SU03; Additional selection criteria – Unlocked users only
14) S_TCODE=SU10; Additional selection criteria – Unlocked users only
15) S_TCODE=RZ10; Authorization object 1: S_DATASET, ACTVT Value = *; Authorization object 2: S_RZL_ADM ACTVT Value = 01 or 03; Additional selection criteria – Unlocked users only.
16) S_TCODE =SE16; Authorization object1: S_TABU_DIS, Authorization group = SC, ACTVT =02; Additional selection criteria: unlocked users only
17) S_TCODE = SNRO; authorization object1: S_NUMBER, Value = #*, ACTVT = 01, 02, 11; 3: Additional selection criteria – Unlocked users only
18) S_TCODE = SCC4; authorization object1: S_TABU_DIS Table Maintenance (via standard tools such as SM30), ACTVT = 01, 02, 03; authorization group = SS; Additional selection criteria – Unlocked users only
19) Authorization object 1:S_ADMI_FCD, Value: SP01 or SPOR; authorization object 2: S_SPO_ACT Value = ATTR (change attributes of protected spool request) or BASE (see protected spool requests in the output controller [determine whether the spool request exists], display request attributes) and DELE (delete request manually) or REPR (output protected spool request more than once); authorization object 3: S_TMS_ACT (Actions on TemSe objects); STMSOWNER Value = GRP (external TemSe objects in own) or OWN (own TemSe objects) authorization object 3 = S_TMS_ACT: Additional selection criteria – Unlocked users only
20) S_TCODE = SCCL; authorization object 1: S_CLNT_IMP, Activity = 21, 60; authorization object 2: S_TABU_CLI, Cross Client Indicator = #*; Additional selection criteria – Unlocked users only
21) S_TCODE = SCCL; authorization object 1: S_CLNT_IMP, Activity = 21, 60; authorization object 2: S_TABU_CLI, Cross Client Indicator = #*; Additional selection criteria – Unlocked users only
22) S_TCODE =SM31;” “authorization object 1: S_TABU_DIS, ACTVY =01,” authorization object 2: “S_TABU_CLI CLIIDMAINT =x”: “additional selection criteria: unlocked users only
23) S_TCODE =SM30;” “authorization object 1: S_TABU_DIS, ACTVY =01 or ACTVY =02,” authorization object 2: “S_TCODE =S_TABU_CLI, CLIIDMAINT =x”: “additional selection criteria: unlocked users only
24) Authorization object 1: “S_TCODE =SA38 or SE38;” “2: authorization object S_PROGRAM Value =SUBMIT: “additional selection criteria: unlocked users only
25) S_TCODE =SA38 or SE38;” “2: authorization object S_PROGRAM Value =SUBMIT: “additional selection criteria: unlocked users only.
26) Authorization object 1: S_TRANSPRT Value = 43
27) S_TCODE = SE01; authorization object 1: S_TRANSPRT Value:1, 2; authorization object 2: S_DATASET Actvt: 06,33,34
28) S_TCODE = SE03; authorization object 1: S_TRANSPRT Value: 06,43 ; authorization object 2: S_CTS_ADMI Value: TABL
29) S_TCODE = SE10; authorization object 1: S_TRANSPRT Value: 01, 02; authorization object 2: S_DATASET Value: 06, 33, 34.
30) S_TCODE = SCC4; authorization object 1: S_CLNT_IMP Value: 21, 60: Additional selection criteria – Unlocked users only
31) S_TCODE: SM12; authorization object 1: S_C_FUNCT Value = *; activity value = 16; authorization object 2: S_ENQUE; S_ENQ_ACT Value = *.

i want to learn what all these authorization objetcs stand for. 1,2,3,4... because each one asks a different report..
for example, lets talk about first one.
1) SUIM----> S_TCODE = SM36,Authorization Object 1: S_BTCH_ADM = Y; Authorization Object 2: S_BTCH_JOB = * for Job Operations and * for Summary of jobs for a group; Additional selection criteria – Unlocked users only
in this report. why does it ask this? what does it mean to to choose S_BTCH_ADM to Y ,S_BTCH_JOB, to * and choosing ..or Job Operations and * for Summary of jobs for a group; Additional selection criteria – Unlocked users only..
i wonder this. why is this report it important and what does it ask?
Thank you for your messages.

Problem displaying authorization Table SM30

Hi all
Hi
I am working on finding SAP Authorization object in ECC 6.0. When I went to Table SM30-- TSTC, I get the following message.
View/Table TSTC can only be displayed and maintained with restrictions
Can anyone please let me know How do I fix this problem. Or is there any other table that gives the information about authorization objects.
Thanks everyone.

se11 gives info about authorisation objects and how to create them
sm30 is for maintaing tables. SAP tables are normally not accessed with sm30
if you want to view the fieldvalues from a table use tcode se16n instead
and if it is a z table look in se11 in the table structure about the restriction on the table
kind regards
Reward if usefull
arthur de smidt
Message was edited by:
A. de Smidt

Want Authorization for SM30 in particular table

Hi friends,
i am created a ztable and also created table maintanence generator.
now my problem is, i want to Authorization for SM30 in particular table.
Thanks & Rgards,
Vallamuthu.M

Hi this will help u.
In general different users will be given different authorizations based on their role in the orgn.
We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
USe SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
ID <authority field 1> FIELD <field value 1>.
ID <authority field 2> FIELD <field value 2>.
ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
ID 'ACTVT' FIELD '02'
ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
MESSAGE E...
ENDIF.
'S_TRVL_BKS' is a auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
Take the help of the basis Guy and create and use.
Sy-SUBRC values
4 User has no authorization in the SAP System for
 such an action. If necessary, change the user
 master record.
8 Too many parameters (fields, values). Maximum
 allowed is 10.
12 Specified object not maintained in the user
 master record.
16 No profile entered in the user master record.
24 The field names of the check call do not match
 those of an authorization. Either the
 authorization or the call is incorrect.
28 Incorrect structure for user master record.
32 Incorrect structure for user master record.
36 Incorrect structure for user master record.
with regards,
Hema Sundara.
pls reward if u find it helpful.

SM30 Field level authorization check

Hi,
I have a requirement to add the authorization check in SM30 for the company field in the custom table. Please suggest.
Thanks,
Gagan Chodhry

Hi,
I have this requirement for both type of tables i.e. custom as well as standard. Tables has got field profit center.. I need to show the table based on the loggedin user authorization to the profit center.
If it is a custom table then as mentioned by Siva, there is a way I heared that we can check the authorization in PAI event, but when I tried to do a small test, I could get the field symbol with the values, but I was not able to skip that record for disply.
If anyone can send the sample or the way to skip the record based on the check.
Also is there any other way to add the field level authorization to custom and standard tables...
Thanks,
Gagan Chodhry

Authorization check - Lvel: Program/Tcode - report/SM30/odr

How do we identify if an authority check should be given
1) at the Program(Report) level or
2) at the T-code level itself?
Is there any other level we can do it?
For SM30s / tablemaintenances, how do we do it?
Suppose we have a T-code with SM30 for a table having fields including 'PLANT'. Now if we want to restrict the users to have access to specific plants, where should we put the check - in the Tcode?
say - usergrp1 - plant1
usergrp2- plant 2
etc.
How do we design this scenario?
How is authorization for report and others different?
Do we need to include S_TABU_CLI authorization object? what is its use?

> For SM30s / tablemaintenances, how do we do it?
>
> Suppose we have a T-code with SM30 for a table having fields including 'PLANT'. Now if we want to restrict the users to have access to specific plants, where should we put the check - in the Tcode?
> say - usergrp1 - plant1
> usergrp2- plant 2
> .
> .
> etc.
> How do we design this scenario?
This can only be achieved with a bespoke program in which authority-check statements are programmed at the right point. SM30 will not allow such granularity.
> Do we need to include S_TABU_CLI authorization object? what is its use?
This object is used to shield cross-client tables. Not needed here.

Authorization to use SM30 for Ztable.

Dear All,
 I created Table maintenance generator for a 'Z' table. As the user doesn't have authorization for SM30 in the P-system i created Parameter transaction. i am using CALL TRANSACTION statement to use the table. Still i am not able to use it.
Table maintenance generator technical details :
 Authorization groups - Blank (&NC&)
 Authorization object - S_TABU_DIS.
Do i need to assign any roles to the user? How to do it?
Is there any other way to do?
Please give me your valuable suggestion.
Thank you.
Regards,
Ramesh

You can creat a program and assign TCODE choosing teh second option.
Then u can maintain.
REPORT ZTEST MESSAGE-ID zv.
CALL FUNCTION 'TABLE_CUSTOMIZING_MAINTENANCE'
 EXPORTING
 tabname = 'ZTEST_TAB'
 EXCEPTIONS
 no_views = 1
 OTHERS = 2.
IF sy-subrc <> 0.
MESSAGE e999(zv) WITH 'Cannot generate table maintenance screen'.
ENDIF.
Pass the table name.
Now create a TCODE for this program now u cna maintain without going to SM30.
Rearsd points if this helps.

Unable to edit maintenance view in SM30

hi everyone.
need your help, I have one custom table, let's call it YTAB. This table has several maintenance views created for it, depending on company code. For YTAB, i have created a maintenance view YTABX.
When we moved YTABX to PRD, we cannot edit it in SM30. The user ID has the right authorization. The error message is "client 100 not modifiable". When I try to edit the mother table YTAB in PRD, I am able to go in and do the changes.
I have already compared the settings for YTABX with the other existing views, they are the same. My settings for the view are:
Access: Read, change, delete & insert
Delivery Class: C
In the table maintenance generator, i have a 2-step maintenance type, recording routine is Standard recording routine and compare flag is automatically adjustable.
Attributes for table YTAB also has delivery class C, table category is transparent table, table maintenance is allowed.
Thank you in advance.

Hello roch,
the direction in which mark points is right but i think you should get some more information on the principles of table types and sap system landscape.
Usually you should not be able to directly maintain any table. This is not only bad style but also a huge risk for the system consistency. That's why application data is always maintained via some kind of application which ensures that the data is vilidated before it is stored.
Customizing data should only be maintained within a development system and then transported through the landscape. To maintain these table you can use generated views, customer developed maintenance views, view clusters which all include automatical link to the transport system. If you would maintain these tables directly in the productiion system it would have another configuration than the development and the quality/test system which makes them more or less useless as you can no longer make any serious test if the server configurations differ.
To prohibit changes of customizing tables on production and test servers the admins lock the systems which results in the message you got. This setting is made in TCODE SCC4. Even if you have for any reason the authorization to use this transaction you should in no case change these settings without approval of basis / system owner.
Kind Regards
Roman

BW Authorization and setting issue to set up a BICS connection for Xcelsius

We are trying to create a BICS connection with Xcelsius on our BW production system and would like to know what the minimal settings should be to be able to publish and run an Xcelsius dashboard. We have been able to make a BICS connection with Xcelsius and publish and run/launch the dashboard on BW development. BW Development is completely open; there are no restrictions on the settings. But of course we cannot open our production like this. We have tried to open our BW test according to the SAP NetWeaver How to Guide: How to... Create Authorization Objects Required to Work with Xcelsius Dashboards in SAP BW. We have done the following:
First of all we get the following message when saving a Xcelsius file to BW, when all the settings are equal to the production settings (not modifiable):
! The specified technical name is not valid for the permitted namespace
!     R7     063     Namespace u2018/BICS/u2019 must be set to u2018changeableu2019 (transaction SE06)
After that we changed the settings on our BW test environment to modifiable by doing the following steps:
1.     SCC4 (System temporarely open; after changing the system change options by SE06; the system will be closed again)
2.     SE06 (Namespace /BIC/ to modifiable)
After that when trying to do the same thing as before, saving the Xcelsius file to BW, we get the following error message:
! The specified technical name is not valid for the permitted namespace
!     R7     017     Namespace u2018u2019 is not a valid BI namespace
And also this message:
Diagnosis
Namespace u2018u2019 must be entered in both the BI table RSNSPACE and the basis table TRSNSPACE or the view V_TRNSPACE. You also have to enter the relevant generation namespace u2018&V2u2019 in table TRNSPACE. This value is taken from RSNSPACE.
Both namespaces must be set to u2018Changeableu2019 u2013 providing they are not empty.
System Response
You cannot edit or create an object in this namespace.
Procedure
Use a different name.
Or contact your system administrator. He/she can switch the namespace to u2018Changeableu2019 using transaction SE06, or - if they do not already exist - enter them in the table named above using transaction SM30.
If the namespace u2018&V1u2019 is empty, then the problem is with the generation namespace u2018/BIC/u2019.
Procedure for the System Administrator
Following this error message:
X    System is not set to changeable u2013 objects are not changeable
When everything is set to modifiable and the BW test environment is fully open, we are able to publish the Xcelsius file to BW and the dashboard can be run on the BW data.
What we would like to know what the minimal settings should be to be able to publish and run/launch the Xcelsius dashboard without completely setting the production setting open. And what are the other consequences of adjusting the BW production settings; any drawbacks?

Hello,
goto transaction RSA1 – transport Connection – button « Object Changeability » - in the list please switch ligne XCLS as « Changeable ».
Hope that works
Best regards
Arno

Maintenance view problem "No data maintenance Authorization; Display only"

Maintenance view problem
Question 1>>>>
> I have created a table with Display/maintenance allowed and technical setting Data class - APPL0 (master data, transparent tables).
>> Then I have created a maintenance view thought utilities->table maintenance generator where i have specified the Authorization group as &NC& (w/o auth. group)
->and also created a function group and specified in the maintenance screen-> I have selected maintenance type as one step-> i have given the overview screen number->and in Recording routine i have selected - no, or user ,recording routine.
>>> Now when i go to transaction SM30 and put the table name and press on maintain button I get a information box saying "No data maintenance Authorization; Display only".... and it only displays the data.
my problem is I want to enter data through maintenance view (SM30).
2nd Question >>>> once i create a function group for maintenance view how can i assign a transaction for this. (as if i do it as we do for a module pool program it gives me error)Thank you.
kailash

SE93. Enter a transaction name. Create. In the pop up enter a title and select 'Transaction with parameters'.
Next screen fill the following;
Transaction 'SM30'
Check 'Skip first screen'
In the table control at the bottom of the screen
Name of screen field 'VIEWNAME'
Value <your table name>
Name of screen field 'SHOW'
Value 'X'
Save.
Job done.

SM30 authorization

Similar Messages

Maybe you are looking for