What is authorisation object  in table maintanance generator

Hi,
what is authorisation object and authorisation group in table maintanance generator
can u pls let me know what are these??  and y do we need these?
Thanks in advance
Rama

hi,
Access to the transactions SM30 and SE16 is often regarded as a security risk on productive system. But with the right use of the authorization object S_TABU_DIS and the rarely used S_TABU_LIN, this isn’t so.
With S_TABU_DIS you have the option to control access to groups of tables, and you have the option to distinguish between Update and Display access. If you don’t want to give access to an entire table group, it’s quite easy in transaction SE54 to create a new authorization group and to reassign one or more tables/view to this group, thus achieving control of access to these specific tables.
If you’re anxious about giving access to an entire table group, due to the fact that some tables have an open interface which allows table maintenance even in transaction SE16, the check this report – developed and posted to the SAP Fans security forum by John A. Jarboe.
With the authorization object S_TABU_LIN you can even go a step further and control access to a table on record level, based on the key fields of the table. You can find an overall presentation of the object here.
The How-To guide below will demonstrate how to set up and use this authorization object.
The example is based on a small table ZMYTABLE. I have created a maintenance view and parameter transaction based on SM30 around this table.
Please notice that the parameter transaction is calling SM3o in update mode.
If the object is to be used with SE16 you’ll need to implement OSS note 763269.
S_TABU_LIN Customizing
We can find the customizing entries in the IMG under SAP NetWeaver à Application Server àSystem Administration àUsers and Administration à Line-oriented Authorizations.
First we need to define the organizational criteria’s. 
In here create new criteria by pushing the “New entries” button.
In this example we will like to control access based on the key field Country, in order to do so create a criteria called Z_Country_Grp, with the name Country Grp. If we flag the table-ind flag the criteria will affect maintenance of all tables whose key fields are related to the domains specified in the attribute later.
In this example we only want to control the access to the specific table ZMYTABLE – so we will leave it blank
Save the entry and assign it to a transport request.
Now mark the created line and switch to attributes
Create a new entry with the data shown below.
Save it and assign it to the transport request.
Notice that you can have up to 8 organizational criterion attributes.
Now we need to assign a table and a field to our attribute
In order to do so mark the attribute and switch to Table Fields
In here create a new entry and assign, in this example, the table ZMYTABLE, and the field name country to the attribute.
Please notice that only Key fields can be used !
Save and assign to transport request
Now we are ready for activating our organizational criteria – this is the second bullet in the IMG
Just check the active flag and the check is activated.
Incorporate the authorization object in a role
We have now implemented the authorization check; next step is to implement it in the required roles.
In this example I have created a parameter transaction – ZMYTRANSACTION - using SM30 around the table ZMYTABLE. I have create a small test role ICC_TEST, including only the transaction ZMYTRANSACTION, and a few “support” transactions.
In the authorization part – I have inserted the object S_TABU_LIN manually – (best practice is of course to assign it in SU24), but a manual insert will also do the trick J
Now when we change one the authorization fields by pushing the pencil – the profile generator will ask us for the criteria.
Here we chose the Z_COUNTRY_GRP criteria that we have created.
We’ll now get the following popup, in this case we will grant change access, so we choose 02 – Change for activity
In the list below we’ll see the Organizational Attributes that we have created – we have the option to use up to 8 attributes – in the example we had only defined one attribute – “Country Grp”  - we assign the value DK – thus only granting access to records with DK in the key field country.
To transfer the selection back to the profile generator press th transfer button  or press F5.
Now we just need to generate the profile and assign it to a test user.
Now when this test user signs on to and executes the transaction only entries for Cty DK is displayed.
If the transaction is executed by a user with SAP_ALL all records are displayed,
Important Links For u:[http://www.sapsecurity.co.uk/sap-authorisation-objects.html]
Thanks And if helpful please reward points

Similar Messages

  • Table maintanance generator.........

    Hi,
    I heard that client will be able to access ztable through tablemaintanance generator(tmg).so What operations the client  can be done in tmg for the ztable purpose.
    Plz provide me any exact answers.
    i ma posting this questn after completn of search from sdn fourm.
    Regards
    pavan

    Hi,
    He can enter the new values or he can change the Existing values.
    For the details:
    table maintanance Generator is used to manually
    input values using transaction sm30
    follow below steps
    1) go to se11 check table maintanance check box under
    attributes tab
    2) utilities-table maintanance Generator->
    create function group and assign it under
    function group input box.
    also assign authorization group default &NC& .
    3)
    select standard recording routine radio in table
    table mainitainence generator to move table
    contents to quality and production by assigning
    it to request.
    4) select maintaience type as single step.
    5) maintainence screen as system generated numbers
    this dialog box appears when you click on create
    button
    6) save and activate table
    http://help.sap.com/saphelp_nw04/helpdata/en/cf/21ed2d446011d189700000e8322d00/content.htm
    http://help.sap.com/saphelp_46c/helpdata/en/a7/5133ac407a11d1893b0000e8323c4f/frameset.htm
    /message/2831202#2831202 [original link is broken]
    One step, two step in Table Maintenance Generator
    Single step: Only overview screen is created i.e. the Table Maintenance Program will have only one screen where you can add, delete or edit records.
    Two step: Two screens namely the overview screen and Single screen are created. The user can see the key fields in the first screen and can further go on to edit further details.
    EVENTS:
    http://help.sap.com/saphelp_nw70/helpdata/EN/91/ca9f0ea9d111d1a5690000e82deaaa/frameset.htm
    Regards,
    Shiva Kumar

  • What is authorisation object?

    hi gurus,
    what is authorisation object in bw?
    thnaks in advace
    srinivas

    Hi Srinivas,,
    check out this sap help...
    http://help.sap.com/saphelp_nw04/helpdata/en/52/6715e3439b11d1896f0000e8322d00/frameset.htm
    check out this thread as well....
    /thread/267505 [original link is broken]
    check this
    http://help.sap.com/saphelp_nw2004s/helpdata/en/ce/17533e5ff4d064e10000000a114084/frameset.htm
    S_USER_AGR
    Authorization system: Check for roles
    This authorization object protects roles. The roles combine users into groups to assign various properties to them; in particular, transactions and authorization profiles.
    You can use this authorization object together with the authorization objects S_USER_GRP, S_USER_AUT, S_USER_PRO, S_USER_TCD, and S_USER_VAL to set up a distributed user administration.
    S_USER_TCD
    Authorization system: Transactions in roles
    This authorization object determines the transactions that an administrator can assign to a role, and the transactions for which he or she can assign transaction authorization (object S_TCODE).
    Note that a user can only maintain ranges of transactions for the S_TCODE authorization object in the Profile Generator if he or she has full authorization for the S_USER_TCD authorization object. Otherwise, he or she can only maintain individual values for the S_TCODE object.
    S_USER_TCD
    This authorization object determines the transactions that an administrator can assign to a role, and the transactions for which he or she can assign transaction authorization (object S_TCODE).
    A user can only maintain ranges of transactions for the S_TCODE authorization object in the Profile Generator if he or she has full authorization for the S_USER_TCD authorization object. Otherwise, he or she can only maintain individual values for the S_TCODE object.
    so it gives authority to assign transaction to other users.this object in should be present in role which is assignes to administrator
    You cannot make a key figure as authorization relevant but while creating an authorization object you can inculde 1KYFNM object which serves as Authorization object for key figures.
    Hope this helps you
    ****Assign Points If Helpful****
    Regards,
    Ravikanth

  • How to make use of Table Maintanance Generator?

    PLs sany one can explain me how to maek use of Table maintanance Generator?
    Regards and cheers,
    Giri

    Hi,
        table maintainence Generator is used to manually
        input values using transaction sm30
        follow below steps
       1) go to se11 check table maintanance check box under
          attributes tab
       2) utilities-table maintanance Generator->
          create function group and assign it under
          function group input box.
          also assign authorization group default &NC& .
       3)
        select standard recording routine radio in table
        table mainitainence generator to move table
        contents to quality and production by assigning
        it to request.
       4) select maintaience type as single step.
       5) maintainence screen as system generated numbers
          this dialog box appears when you click on create
         button
        6) save and activate table
       using sm30 you can create entries manually.
    also check below thread to assign transaction code to
    table generator
    /message/240993#240993 [original link is broken]
    0#2409930  
    Regards
    amole

  • Query in Table Maintanance Generator

    Hi,
    I have a query in table maintanance generator. In tables Extract and Total we have all the entries. Is it possible to get the entry which we made in the record. I mean i need the record in this i made the changes. I cant use above tqo tables because special characters are coming. Any body can suggest.
    Regards,
    Maheedhar

    Maheedhar,
    You will have to modify the program/code that was generated from the table maintenance generator to fit your requirements. 
    You can accomplish this by digging through the transport that you created, or by debugging through SM30 when you add a new entry or hit the save button.  You should be able to find a place to add your custom logic.
    Note:  If you modify this code, anytime in the future if someone re-generates this table maintenance, your custom code will be over-written.
    Thanks,
    David

  • Regarding Changing data in Table Maintanance Generator

    hi all,
        I Created one Z Table for Five fields Sales District( BZIRK) , Sales District Description (BZTXT) , Vendor No , Vendor Name and Person Incharge. I Created Table Maintanance Generator for five fields.
        In my ZTable after giving Vendor No when i enter Vendor Name is coming automatically and record is Created.For these i used Event No 5.
    When i am going again and When I change Vendor No When I Press enter Vendor No is not coming automatically. 
    Which Event Should i use.
    How can i achieve this . Plz send detailed process.
    Please suggest.
    Regards
    Rami

    Hi,
    Please eloberate u r question. and give some code.
    Regards,
    Nandha

  • Events in Table maintanance generator

    Hi All,
        Iam creating the events in the table mainatanance generator.
       My requiremnt is : I need to validate the non-key field. If i give an erro message the field is going to dispaly mode.so i tried to give an warning message dispaly like error. But after user re enters the value , i couldn't handle the value in that field.
    i could not find the event which will trigger after  the entering the value.
    Please help me.
    Thanks in advance.
    Kiran Kumar.

    Hi Kiran,
    The following is a very useful PDF link about IMPLEMENTING EVENTS IN TABLE MAINTENANCE which should solve your problem
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/abap/how%20to%20implement%20events%20in%20table%20maintenance.doc
    table maintanance Generator is used to manually
    input values using transaction sm30
    follow below steps
    1) go to se11 check table maintanance check box under
    attributes tab
    2) utilities-table maintanance Generator->
    again from the MENU
    ENVIRONMENT->MODIFICATION->EVENTS
    you can find different events for this Table mainteance
    create function group and assign it under
    function group input box.
    also assign authorization group default &NC& .
    3)
    select standard recording routine radio in table
    table mainitainence generator to move table
    contents to quality and production by assigning
    it to request.
    4) select maintaience type as single step.
    5) maintainence screen as system generated numbers
    this dialog box appears when you click on create
    button
    6) save and activate table
    http://help.sap.com/saphelp_nw04/helpdata/en/cf/21ed2d446011d189700000e8322d00/content.htm
    http://help.sap.com/saphelp_46c/helpdata/en/a7/5133ac407a11d1893b0000e8323c4f/frameset.htm
    /message/2831202#2831202 [original link is broken]
    One step, two step in Table Maintenance Generator
    Single step: Only overview screen is created i.e. the Table Maintenance Program will have only one screen where you can add, delete or edit records.
    Two step: Two screens namely the overview screen and Single screen are created. The user can see the key fields in the first screen and can further go on to edit further details.
    chk this link
    http://help.sap.com//saphelp_470/helpdata/EN/a7/5133ac407a11d1893b0000e8323c4f/frameset.htm
    Reward if it helps..
    Regards,
    Omkar.

  • What is the purpose of TABLE MAINTENANCE GENERATOR IN ABAP DDIC

    CAN ANY EXPLAIN ME
    1.what is the purpose of TABLE MAINTENANCE GENERATOR IN ABAP DDIC?
    2. AND THE CONTENTS IN ITS TABS.
    KINDLY LET ME KNOW.IT IS URGENT
    <REMOVED BY MODERATOR>
    Edited by: Alvaro Tejada Galindo on Feb 28, 2008 11:42 AM

    Go to SE11, give the table name and click on change. Then Go to utilities--> Table maintenance generator.
    In the table maintenance generator screen, we should give Authorization Group, Function Group name (Function Group name can be same as table name), Maintenance type can be one step or two step, usually we will create with one step. we should give maintenance screen number. After clicking on create button, a table maintenance generator will be created.
    To check it go to SM30 . In SM30, we find display, Maintain options.
    We can view the table contents by choosing Display and we can create table entries by choosing Maintain.
    Why we have to go for Table maintenance generator, when we can edit the table by SE16 or SE11, utilities->create entries?
    In the production system, end-users will not be having access to transaction codes like SE11 and SE16. Developers will not be having access to many transaction codes including the above two.
    To view the contents of the database table, we will use SE16n in Production system. Please find out the difference between SE16 and SE16n.All these authorizations will be maintained by BASIS team, by creating access profiles.
    So in order to edit or create the contents of a database table, we should go for table maintenance generator. In real time, authorizations will be maintained in production system. (even in development and Test systems to some extent).
    There is an audit like Sarbanes-Oxley Act for American clients, where every thing will be audited by government agency. To know more about SOX, use the links on the right hand side of this page.
    The second reason is, we can edit or create multiple entries at a time, using table maintenance generator.
    Apart from that we have options like 'Enter conditions' in table maintenance screen SM30. Please try to find out the use of those, by creating an example.Table Maintenance generator: Difference between one step and two steps.
    While creating table maintenance generator, we find below options:
    1. When we choose one step, we have to give the screen number in Overview Screen field.
    2. When we choose two step, we have to give both overview screen number and single screen number.
    You can give any number for screen. Don’t give 1000 screen number. As this number is reserved for selection screen.
    When we choose two step, two screens will be created for table maintenance. For single step only one screen will be created.
    When we choose two step, table maintenance will work as follows:
    Go to SM30, give the table name for which you have created table maintenance-
    Overview screen will be displayed. To create entries, when you click on ‘new entries’.
    Another screen will be displayed, where you give input and save.
    You can enter one record at a time.
    We use single step generally, as it is user friendly.
    To completely understand the difference and above points please do exercise by creating table maintenance generator in both ways (using single step and two step).
    <REMOVED BY MODERATOR>
    regards,
    Balaji
    Edited by: Alvaro Tejada Galindo on Feb 28, 2008 11:42 AM

  • Reasign authorisation group at table maintenance generator

    Hi All,
          I have a table, assigned with authorisation group as &NC&. Now I need to change to authorisation group created newly.
    If i change with newly created authorisation group in table maintenance generator level.
    My Qus:1. Need to generate the table maintenance generator for this again.
    2. Will it affect the users assigned to authorisation group.
    3. Wht i need to do to change this, and wht are its effects if i change the authorisation group.

    Hi,
    If the user is not assigned for the role he has to be assigned for that role.
    one role is assigned to authorization group.
    basis consultants will add the role of that group to that particular user.
    otherwise he cant change the entries of the table.
    so consult basis consultant for security role assignment.
    Thanks
    Parvathi

  • Regarding Table maintanance generator

    Hi friends,
    I have the problem with Table maintanance generator. I have created table maintanace generator for Ztable and moved it to the Quality, Production.
    But in Quality and Production It is not allowing to create the entries. It is saying non modfiable.
    Please reply.
    Thanks & Regards,
    K. Kishore

    Hi again,
    1. But when i am saving it asking for request.
    Yes, u are right. It will ask for a request.
    2. Create a request.
    3. Also do not forget to re-generate the table maintenance.
      (At that time also it will ask for request)
    4. Transport the request to QA and PRD. It will work fine then.
    regards,
    amit m.

  • What is the use of table maintance generator and how it is used ddic

    hi dear friends
      i would like to know about how the table maintaience generator is used in ddic .i have the step by step processor of that but i would like to know importance and advantages of it .

    Nani,
      With the help of the table maintenance generator, you are able to maintain the ENTRIES of the table in SM30 transaction.
    It can be set in transaction SE11 - Tools - Table maintenance generator.
    Table maintanance Generator is used to manually input values using transaction sm30
    follow below steps
    1) go to se11 check table maintanance check box under attributes tab
    2) utilities-table maintanance Generator-> create function group and assign it under
    function group input box. Also assign authorization group default &NC& .
    3) select standard recording routine radio in table table mainitainence generator to move table
    contents to quality and production by assigning it to request.
    4) select maintaience type as single step.
    5) maintainence screen as system generated numbers this dialog box appears when you click on create button
    6) save and activate table
    One step, two step in Table Maintenance Generator
    Single step: Only overview screen is created i.e. the Table Maintenance Program will have only one screen where you can add, delete or edit records.
    Two step: Two screens namely the overview screen and Single screen are created. The user can see the key fields in the first screen and can further go on to edit further details.
    SM30 is used for table maintenance(addition or deletion of records),
    For all the tables in SE11 for which Table maintenance is selected , they can be maintained in SM30
    Sm30 is used to maintain the table ,i.e to delete ,insert or modify the field values and all..
    It creates the maintenance screen for u for the aprticular table as the maintenance is not allowed for the table..
    In the SE11 delivery and maintenance tab, keep the maintenance allowed..
    Then come to the SM30 and then enter the table name and press maintain..,
    Give the authorization group if necessary and give the function group and then select maintenance type as one step and give the screen numbers as system specified..
    Then create,,,
    Then u will able to see the maintenance view for the table in which u can able to insert and delete the table values...
    We use SM30 transaction for entering values into any DB table.
    First we create a table in SE11 and create the table maintenance generator for that Table using (utilities-> table maintenance generator) and create it.
    Then it will create a View.
    After that from SM30, enter the table name and Maintain, create new entries, change the existing entries for that table.
    For further help look into these links
    http://help.sap.com/saphelp_46c/helpdata/EN/cf/21eb6e446011d189700000e8322d00/frameset.htm
    http://help.sap.com/saphelp_bw30b/helpdata/en/69/c2516e4ba111d189750000e8322d00/content.htm
    Table
    Don't forget to reward if useful.....

  • How to find the TCODE that is created for the table maintanance generator

    Hi ,
    How to find the TCODE that is created for the table maintanance generator of particular table,if we only know the table name.
    Regards
    Ramakrishna L

    Hello,
    I try it this way
    1. Goto SE16 --> enter table TSTCP.
    2. In the selection-screen displayed, enter
    PARAM = *<ZTABNAME>*
    You will get the t-code for the TMG.
    BR,
    Suhas
    PS: Are you sure a t-code has been created for this TMG ?

  • How to create Transaction code for Table Maintanance generator.?

    Hi,
    I have created a Z Table. and I maintained the Table maintenance generator for the same. Now, my requirement is.. I have to create Transaction code for maintain and Display of this Z table.
    Can someone help me how to create the transaction code for Maintain and Display of the table. I know that we have to create a Transaction code for 'SM30'. Can someone tell me the steps to do the same. When I goto SE93 and say CREATE transaction, I get 5 options, Which one to select and what are the details should I provide in the subsequent screens.
    Thanks in advance.
    Best Regards,
    Paddu,

    Hi,
         Check the below steps......
    1. Go to Tcode u2018se93u2019.
    2. Select ' Transaction with parameters'.
    3. Then Transaction 'SM30' with click on skip initial screen
          VIEWNAME : XXX9tABLE NAME)
          UPDATE   : X
    4. Maintain the  Table maintenance generator
      Authorization group : &NC&
      Authorization object :
      Function group : name(xxx)
    Maintenance Screens :
    Maintenance type : One step
    Maint Screen No : Overview screen (2)
    If still u have problem I will send u steps with Screen shot ...send me Yr id.
    Regards,
    Biswanath

  • Authorisation object on table

    Hi,
    I have a z table with table maintenance generator in which company code, plant, storage location , material, quantity are the fields.
    Now i want to provide the authorisation object on the table using the companycode field.How can i do this?

    the table maintenance generator will have created a function group with the name of the table (default). go to SE56 (name of the table -> display) click on button Fn.Gr.Text, next button Main program -> in the bottom part of that function group you will find a section named
      User-defined Include-files (if necessary).                    *
    you can code your authority check there ...

  • How to get our own F4 help in table maintanance generator

    hi all,
    i developed a table maint generator.
    in this i have 3 fields out of three there is a field called subtype. for this i ahve to create f4 help for this. foir this field i have to display two descptions calles' sub type1 and subtype2. these are not coming from any database tables. any body can tell me how to wrote. and send me the sample code for it.
    thanks,
    maheedhar

    Go to SE51..Give the program name..in your case..SAPL + function group name.
    Give the screen number...that you gave when you created the table maintenance..
    THen press change..
    Create an event process on value-request for F4..
    PROCESS ON VALUE-REQUEST.
    FIELD ZTABLE-F4 MODULE F4_FOR_F4.
    **In the module use the function module F4IF_INT_TABLE_VALUE_REQUEST.
    Check this example for how to use this function module
    TABLES: T005T.
    DATA: BEGIN OF t_t005 OCCURS 0,
            land1 TYPE t005-land1,
          END OF t_t005.
    SELECTION-SCREEN BEGIN OF LINE.
    SELECTION-SCREEN COMMENT 1(6) v_text FOR FIELD P_LAND1.
    PARAMETERS: p_land1  TYPE t005-land1.
    SELECTION-SCREEN COMMENT 13(35) v_text1.
    SELECTION-SCREEN END OF LINE.
    INITIALIZATION.
      v_text = 'Country'.
      v_text1 = ' '.
    AT SELECTION-SCREEN ON VALUE-REQUEST FOR p_land1.
      REFRESH: t_t005.
      SELECT land1
             INTO TABLE t_t005
             FROM t005.
      CALL FUNCTION 'F4IF_INT_TABLE_VALUE_REQUEST'
           EXPORTING
               DDIC_STRUCTURE   = 'T005'
                PVALKEY          = ' '
                retfield         = 'LAND1'
                dynpprog         = sy-repid
                DYNPNR           = sy-dynnr
                dynprofield      = 'P_LAND1'
                callback_program = sy-repid
                value_org        = 'S'
           TABLES
                value_tab        = t_t005
           EXCEPTIONS
                parameter_error  = 1
                no_values_found  = 2
                OTHERS           = 3.
      IF sy-subrc <> 0.
    MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
            WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
      ENDIF.

Maybe you are looking for