
How to remove authorisation objects from composite role?

Former Member
0 Likes
634

Hi,

We have user id BASIS having "SAP_ALL" and "SAP_NEW" composite profiles assigned.

We want to restrict user BASIS for certain transactions e.g. "Releasing Purchase Orders" i.e. ME28, ME29N, ME35L and "Releasing Purchase Requisitions" i.e. ME55.

As above profiles are not generated by ROLEs, we can not modify roles to restrict access to above transactions.

How can we delete the related authorisation objects from the composite profile?

With Best Regards,

Rajkumar

1 ACCEPTED SOLUTION

arpan_paik
Active Contributor
0 Likes
488

1st of all are you planning to modify SAP_ALL and SAP_NEW??? That should never be the case.

Now you want to provide some restricted access to BASIS, so create a role with all the authorizations that SAP_ALL and SAP_NEW have. To do so, enter the role in change mode: Edit --> Insert authorization(s) --> From profile

Edit S_TCODE and remove the desired transactions. Let's say you want to remove ME29N, so your ranges should be like

A* - ME29M

ME29O - Z*

And so on for the other transactions as well.

But I will also say a word on this, as only removing the transaction is not enough. You also need to restrict the related objects present in table TSTCA for those transactions, to make sure that playing with function modules or programs is also taken care of.

For example, while removing ME29N from S_TCODE, also remove activity 02 from object M_BEST_EKO.

Good Luck !!!!!!!!!!!!!!!

Arpan
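
The range split described in the answer above, as an added example that is not part of the original post and is not SAP code: it checks which of the question's transactions the posted ranges still admit and builds the split for all four, using the answer's last-character convention. The interval semantics (inclusive string comparison, trailing `*` as an open prefix bound), the character order and all function names are assumptions of this example.

```python
# Added example: simplified model of S_TCODE value ranges (assumption, not SAP code).
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # assumed sort order of tcode characters
HIGH = "\uffff"  # sorts after any tcode character

def in_range(tcode, low, high):
    """True if tcode lies in the inclusive interval low..high.
    A trailing '*' on low means "from this prefix"; on high, "through this prefix"."""
    lo = low.rstrip("*")
    hi = high[:-1] + HIGH if high.endswith("*") else high
    return lo <= tcode.upper() <= hi

def still_allowed(ranges, restricted):
    """Map each restricted tcode to the first range that still admits it."""
    hits = {}
    for tcode in restricted:
        for low, high in ranges:
            if in_range(tcode, low, high):
                hits[tcode] = (low, high)
                break
    return hits

def neighbour(tcode, step):
    """Tcode with its last character moved one step, as ME29N -> ME29M / ME29O."""
    i = ALPHABET.index(tcode[-1]) + step
    if not 0 <= i < len(ALPHABET):
        raise ValueError(f"no neighbour for {tcode}; pick the bound by hand")
    return tcode[:-1] + ALPHABET[i]

def split_ranges(restricted, first="A*", last="Z*"):
    """Ranges from first to last with a gap around every restricted tcode."""
    ranges, low = [], first
    for tcode in sorted(t.upper() for t in restricted):
        ranges.append((low, neighbour(tcode, -1)))
        low = neighbour(tcode, +1)
    ranges.append((low, last))
    return ranges

RESTRICTED = ["ME28", "ME29N", "ME35L", "ME55"]  # transactions named in the question
POSTED = [("A*", "ME29M"), ("ME29O", "Z*")]      # ranges shown in the answer (ME29N only)

if __name__ == "__main__":
    print("still allowed by posted ranges:", still_allowed(POSTED, RESTRICTED))
    print("ranges covering all four:", split_ranges(RESTRICTED))
    print("still allowed after split:", still_allowed(split_ranges(RESTRICTED), RESTRICTED))
```

Under this model the gap around each transaction also drops any code that sorts between the two bounds (for example, one starting with ME29M followed by further characters), so the split errs on the side of denying more.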

2 REPLIES 2

Former Member
0 Likes
488

SAP_NEW is easy. You simply delete the profile itself.

It is also well documented how and why to do this, but hey... who reads the installation guides nowadays anymore...