topic Re: SPRO Access in Application Development and Automation Discussions

SPRO Access

Former Member — Fri, 12 Mar 2010 12:18:27 GMT

Hi,

I had similar situation as in the below link:

I have a requirement to assign only SAP Utilities->Intercompany Data Exchange to the user

I did as per Julia, but in my case, the user is able to access other nodes in SAP Utilities also, but not other than SAP Utilities(eg:Enterprise Structure, Real Estate etc)

I added only SAP Utilities->Intercompany Data Exchange in the new Project via SPRO_ADMIN & created role by adding that new Project, but still the user is able to access other nodes present in SAP Utilities (eg: Device Mgmt, Contract Billing etc)

Can anyone tell me, why this is happening?

Regards,

Sid

Re: SPRO Access

sdipanjan — Sun, 14 Mar 2010 09:52:39 GMT

This is happening because the project is containing access to TCode SPRO along with the node you selected only. Make sure that you are building the project and the role without SPRO while using such option to assign in the role.

Regards,

Dipanjan

Re: SPRO Access

Former Member — Mon, 15 Mar 2010 09:18:50 GMT

Thanks. But then how would the user be able to access IMG?

If we remove SPRO from the role, then the user need to know/remember all the T Codes related to the node for which the user needs access. The user wont be able to access IMG. This should not be the case

Re: SPRO Access

Former Member — Tue, 16 Mar 2010 07:40:33 GMT

I tried this with a project I created in SPRO_ADMIN.

The User can access SPRO, thats right. But can he really execute other functions than the allowed? The user can see them, thats right, but can he execute?

Regards,

Julia

Re: SPRO Access

42 — Tue, 16 Mar 2010 08:06:53 GMT

Hi Sid,

tx SPRO is definitely necessary - that's not the problem. It is possible to restrict access to project IMGs by using authorization object S_PROJECT. It is NOT possible to restrict access to the refernce IMG as long as the user has the SPRO. That means that every user mith SPRO can SEE other nodes. Which nodes he can execute depends on the individual authorization checks of each node and the individual authorizations within your role. In my opinion the only solution for your problem is, if possible, to more restrict the autorization parameters within the role.

Regards,

Dirk

Re: SPRO Access

Former Member — Tue, 16 Mar 2010 13:39:29 GMT

Hi Julia,

Yes. He is able to access(execute) other sub-nodes other than the sub-node for which I created the Project & created the role

Seeing other nodes is not a problem, but the user should not be able to access(execute) other nodes

Regards,

Sid

Edited by: Siddhartha Varma on Mar 16, 2010 2:39 PM

Re: SPRO Access

Former Member — Tue, 16 Mar 2010 13:46:39 GMT

Hi Dirk,

Seeing the other nodes is not a problem, but the user should not be able to execute them.

When you try to add the only selected path in the Project, it should only allow to execute that path only (I mean nodes in the path), but its allowing to execute other sub-nodes also

But what I do not understand is that why the system allows to execute other sub-nodes- logically, it shoudn't!!

Regards

Sid

Re: SPRO Access

sdipanjan — Tue, 16 Mar 2010 20:51:20 GMT


> Thanks. But then how would the user be able to access IMG?
> If we remove SPRO from the role, then the user need to know/remember all the T Codes related to the node for which the user needs access. The user wont be able to access IMG. This should not be the case

please check the below link to get more information on SPRO. It is not required to give access to SPRO to give access to some part of the IMG. You need to enhance / customize the IMG while defining the project. Let me know for any confusion.

Regards, Dipanjan

Re: SPRO Access

Former Member — Tue, 16 Mar 2010 22:04:10 GMT

Check whether prior to using the project views you had granted * for S_PROJECT in some other role of older manual profile, because you were not using it back then.

Cheers,

Julius