2009 May 05 1:22 PM
Hello All,
Authorisation object S_DATASET needs to be restricted, through field FILENAME, to view files only under directory /interface/ehs/.
I have to restrict two roles for which S_DATASET is maintained as mentioned below.
1) Role 1
S_DATASET Authorization for file access
ACTVT 06, 33, 34, A6, A7
FILENAME *
PROGRAM *
2) Role 2
S_DATASET Authorization for file access
ACTVT 33, 34
FILENAME *
PROGRAM RSSO, SAPFSSO, SAPLSO, SAPLSW, SAPLSWT1
FILENAME needs to be restricted to something like this:
FILENAME /interfaces/ehs/. such that only files under the specified directory can be viewed.
Can anyone please let me know the implication of restricting filename as mentioned above.
Note: The two roles mentioned above are generic roles and are present in many composite jobs (almost every composite job).
Hence any changes as mentioned above will affect a large number of jobs, and hence a significant number of users will be affected.
2009 May 05 1:59 PM
Hi Abdul,
There is no issue with the way you are trying to follow.
S_DATASET is used to put a check against file access from ABAP/4 programs. The field FILENAME is to provide the path / directory of the file that needs to be read / written during the execution of different Dynpros of an SAP transaction.
So you can use the value in FILENAME as: /interfaces/ehs/*
Please note that if the file being read or written is in a different directory or path in other systems somehow, then the user will get a "Failed authorization Check" error.
Let me know if you have any more questions.
Regards,
Dipanjan
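The following is an added example, not part of any post in this thread and not SAP code: a simplified Python model of the S_DATASET check that shows which file requests stop passing once FILENAME is narrowed from `*` to `/interfaces/ehs/*`. The matching rule (exact value or trailing `*`), the program name `ZEHS_IMPORT` and the sample file paths are assumptions made for illustration.

```python
# Simplified model of an S_DATASET check (added example, not SAP code).
# Assumption: a field value matches if it equals the pattern, or the pattern
# ends in "*" and the value starts with the part before it.

def value_matches(pattern, value):
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def authorization_allows(auth, actvt, filename, program):
    """Every field of ONE authorization must match the request."""
    request = {"ACTVT": actvt, "FILENAME": filename, "PROGRAM": program}
    return all(any(value_matches(p, request[f]) for p in auth[f]) for f in request)

def user_allowed(auths, actvt, filename, program):
    """Authorizations from all assigned roles add up: one match is enough."""
    return any(authorization_allows(a, actvt, filename, program) for a in auths)

def restrict(role, filename_pattern):
    """Copy of a role's authorization with FILENAME narrowed."""
    return {**role, "FILENAME": [filename_pattern]}

def lost_access(before, after, requests):
    """Requests that passed with `before` but fail with `after`."""
    return [r for r in requests
            if user_allowed(before, *r) and not user_allowed(after, *r)]

# Field values as posted in the question.
ROLE1 = {"ACTVT": ["06", "33", "34", "A6", "A7"], "FILENAME": ["*"], "PROGRAM": ["*"]}
ROLE2 = {"ACTVT": ["33", "34"], "FILENAME": ["*"],
         "PROGRAM": ["RSSO", "SAPFSSO", "SAPLSO", "SAPLSW", "SAPLSWT1"]}

PATTERN = "/interfaces/ehs/*"  # value suggested in the reply
ROLE1_R, ROLE2_R = restrict(ROLE1, PATTERN), restrict(ROLE2, PATTERN)

# Constructed requests: (ACTVT, file path, calling program); 33 = read, 34 = write.
REQUESTS = [
    ("33", "/interfaces/ehs/in/msds.txt", "ZEHS_IMPORT"),  # inside the directory
    ("33", "/interface/ehs/in/msds.txt", "ZEHS_IMPORT"),   # path spelled differently
    ("34", "/tmp/export.txt", "SAPLSO"),                   # generic program, other dir
]

if __name__ == "__main__":
    print("both roles restricted :", lost_access([ROLE1, ROLE2], [ROLE1_R, ROLE2_R], REQUESTS))
    print("only Role 1 restricted:", lost_access([ROLE1, ROLE2], [ROLE1_R, ROLE2], REQUESTS))
```

Restricting only one of the two roles leaves the `/tmp/export.txt` write allowed through the other role, because a user's authorizations are additive across all assigned roles.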
2009 May 05 3:04 PM
There was a detailed discussion on this before. See
Perhaps you want to read that and search for some related discussions / SAP notes first?
Cheers,
Julius