topic Re: role maintenance in Application Development and Automation Discussions

role maintenance

Former Member — Tue, 25 Sep 2007 19:28:05 GMT

Hi there,

I am doing role maintenance and have deleted the menus and maintained all the authorisations which are green but the authorisation and menu tab are still showing red even after saving the role. Can somebody have any inputs if this role would still work and what should I do to make them green

Re: role maintenance

Former Member — Tue, 25 Sep 2007 19:39:20 GMT

Hi,

Easiest way to test if it works is to assign it to a user & try it yourself!

Why have you deleted the menu's? this is where you maintain the transactions for the role. This in turn will pull through the relevant authorisation objects to run the transactions with the appropriate gaps which you need to populate to meet your restriction requirements.

If the role has generated then it will give the access that is contained in the authorisations for that role. If you have object fields in the auth tab unpopulated then it is likely that you will come across auth checks that will fail when the role is used.

If any of your objects in that tab are highlighted in red then it is missing an org level value (maintained in the org levels popup). If they are yellow then you are missing field value/s which may or may not need populating depending on what transactions they are and what auth checks the code evaluates.

Most importantly, find yourself a copy of "authorizations made easy" & learn it all before you break any roles

Re: role maintenance

Former Member — Tue, 25 Sep 2007 19:52:21 GMT

My manager wanted nothing to be in the menu tab for the user. So how could I disable that?

Re: role maintenance

Former Member — Tue, 25 Sep 2007 19:54:32 GMT

The menu tab will always show red if you have deleted all of the tcodes from the menu section. For the auth tab, it will show yellow if you have saved but not generated the role. It would be red only if you had some org values that are not maintained - otherwise they would be yellow.

Re: role maintenance

Former Member — Tue, 25 Sep 2007 19:59:15 GMT

Hi JC,

Thanks for your reply. Since that was a copy of another role I can still delete the copied role and startover again. Now I need inputs on the following.

1) Is there a way that I can disable or remove what is there in the menu tab without actually deleting them?

2)How to maintain the org level once I save the profile? Will clicking on the maintain authorisations tab show it again.?

Re: role maintenance

Former Member — Tue, 25 Sep 2007 20:36:07 GMT

I also strongly encourage you to pick up the Authorizations Made easy at a minimum prior to even considering maintaining any roles.

You need to have an understanding of the SAP security authorization concept; all the authorizations from a role are generated from the transactions assigend to the menu.

If the user shouldn't see the user specific menu, then the specific roles need to be removed from the user ID. By deleting the menu, you are deleting all the authorizations that the user would have access to (AND for any other users assigned this role); pick up the book or look at SAP help to at least understand how SAP security works.

Message was edited by:

Julie Nguyen

Re: role maintenance

Former Member — Wed, 26 Sep 2007 03:26:16 GMT

Rather than deleting the menu's from the role... I believe (and dont have the steps on hand) you can hide the role menu's from showing when the user logs into the system. Might be something like below:

Hide the User Menu

November 25th, 2005

To put it simple, when the user logs on to the system he should have only the SAP Standard Menu.

Default hide for all the SAP users.

Goto SM30 and edit the table

SSM_CUST

and set

ALL_USER_MENUS_OFF = YES

Re: role maintenance

Former Member — Wed, 26 Sep 2007 11:42:16 GMT

Hi,

If you only want the sap default menu, do as the previous answere. If you want in a role a transaction that will not appear in the user menu, then use the tab authorization default in the men tab. The user will not see that transaction, but can execute it knowing the transaction code.

What you did deleting the menu in the role is deleting all transactions. If you did not generate the profiles again, the old profiles must be still there. So this is very dangerous. Using the profile generator always generate the profiles after changing the role.

Have fun

Jan van Roest

Re: role maintenance

Former Member — Wed, 26 Sep 2007 11:42:33 GMT

Yes if your objective is for the user not to see the user menu, then either updating table SSM_CUST - as already mentioned - will turn off all user menus. The other option is table USERS_SSM - this will give you the option to turn off menus for some user and not others.

ORG level values can be maintained in the auth tab - it should be called "organizational levels" just below the find binoculars. These should actually be maintained first before you maintain the other values.

Re: role maintenance

Former Member — Wed, 26 Sep 2007 12:09:52 GMT

Just curios why should you want to delete the menu??

The user will never be able to do more than the TRX you assigned them. So what is the purpose of deleting menu’s for users?? Does the manager who ordered this know what SAP authorization is about or is he <b><removed by moderator></b>??

Message was edited by: Moderator

Please keep it civil.

Re: role maintenance

Former Member — Wed, 26 Sep 2007 13:43:17 GMT

Sorry you're asking wrong person - "rookie" posted the question.

There might be some reason that they don't want the user menu to be seen and just default the SAP menu - which is what I think rookie was getting at and not necessarily to "delete" the menu.

Re: role maintenance

Former Member — Wed, 26 Sep 2007 17:08:37 GMT

In that case the SSM option seems the best solution to me???

Stil am curious: so rookie can you answer the question??

I have been asked to do the same in the past by some amateur SAP specialist in the business, but could convince the requester that it had no use to do these kind of things.

Re: role maintenance

Former Member — Wed, 26 Sep 2007 17:09:58 GMT

curious why does the manager want this, does he understand SAP or is he an amateur?

Re: role maintenance

Former Member — Thu, 27 Sep 2007 17:29:14 GMT

Based on your questions I totally agree with Julie Nguyen.

Based on your thread I think you just want to hide the transaction from the menu. Btw, this can be done. Let me know if this is the case and I can post explicit instructions.

Re: role maintenance

Former Member — Thu, 27 Sep 2007 17:33:23 GMT

rookie, hiding the transactions that users can see is nothing more than security by obscurity and as a result pretty worthless. It's important to make that distinction when people ask to hide transactions from a user. It is very, very simple for someone to see what real transactions that can run.

Obviously that is very different than wanting users to use the standard menu for the sake of training/consistency.

Re: role maintenance

Former Member — Thu, 27 Sep 2007 19:11:32 GMT

What is your goal? What are you trying to acheive with your changes?