‎2010 Jun 04 7:03 AM
Hi Expert,
I created SAP query for users, and assigned users with their respective infoset and user group.
The problem is that when users access SQ01 to execute the queries, users have authorization to change / maintain the queries, which I want to disable this functionalities.
I would like the users have authorization to execute the queries only and they are not allowed to change / maintain the queries.
Question:
What kind of authorization object / way that I can achieve the above objective?
I read this post, but it is not working to me. I am from SAP FICO side (not much knowledge on basis).
Thanks in advance.
sbmel
‎2010 Jun 04 7:14 AM
Hi,
In the roles assigned to the users, kindly check the activities maintained in field ACTVT for authorization objects S_QUERY, S_RS_COMP and S_RS_COMP1 Object. The values should not be 02 ( Change ) , 23( Maintain ) . They should be 03( Display) and 16( Execute ) .
Regards,
Manisha
‎2010 Jun 04 7:30 AM
Hi Sbmel
Object to restrict access for SQ01 is S_QUERY. Why not do a trace while executing a query through trxn SQ01. Please work with Security administrators to do a trace. Why not assigning the code name created through SQ01 to some custom tcode and assign users access to that custom transaction. Access to trxn SQ01 should not be provided to end users.
Thanks.
Anjan
‎2010 Jun 04 7:44 AM
Hi Both,
Thanks for your reply.
Activity under object: S_QUERY, only has 02, 23, 67 (they are not working to prevent user from changing the queries)
I have several queries; therefore the level of maintainability is not advisable if each queries create a Tcode for it.
Do you have any other suggestion?
If there is really no way to prevent user from changing the queries from SQ01, one way that I can think of is to build a customized tcode for SQ01, for example: ZSQ01, and from this tocde, disable some of the buttons (like change button).
Kindly help on this.
Thanks in advance.
Sbmel
‎2010 Jun 04 7:48 AM
Hi,
Have you tried to change the values in activities for S_QUErY Auth object? What do the trace results show ? If that hasnot helped then the best bet would be to createa Custom TCODE as you have correctly said .
Regards,
Manisha Nadir
‎2010 Jun 04 8:56 AM
Thanks Manisha Nadir,
But creating Tcode for each Queries is not practical, as I have more than 10 queries, and some more from time to time, I might insert new fields for the queries result.
If I create Tcode for each Tcodes, and then if in future, additional fields of queries result, I will re-do the Tcode again and again. Some more, user might request additional queries.
All SQ01 queries built are typically for Master data extraction for their checking on data integirty.
Thanks in advance
Sbmel.
‎2010 Jun 04 9:05 AM
Hi Sbmel
In that situatuion only option left with you will be to create a custom transaction(ZSQ01) which will have only execute functionality enabled. rest of the fields(create, change) needs to be greyed out.
Did you check with your auditors whether you can provide access to SQ01 to users in production?
Thanks.
Anjan
‎2010 Jun 04 9:18 AM
Hi,
I think I've been misunderstood. What I was trying to say was that you can create custom TCODE ZSQ01 ( as you too had pointed out ) with change/maintain disabled .
Creating a specific TCODE for a query is never a feasible option as this would go on increasing with the no. of queries.
Regards,
Manisha
‎2010 Jun 04 10:23 AM
There is always the possibility of adding the queries into a role & letting SAP generate the query tcode automatically. Not an option I have used much but is manageable for a fair number of queries.
‎2010 Jul 12 12:01 PM
>
> Creating a specific TCODE for a query is never a feasible option as this would go on increasing with the no. of queries.
>
> Regards,
> Manisha
I would dispute that opinion. If security means anything to you, it's actually the ONLY option for queries. SQ01 in production is a dangerous beast.
Frank.
‎2010 Jun 04 10:22 AM
>
> I read this post, but it is not working to me. I am from SAP FICO side (not much knowledge on basis).
>
>
> Thanks in advance.
> sbmel
Hi
That post tells you how to achieve the restriction against changing queries. Exactly what is not working? I have used it many times before with success. This is standard SAP way of providing the restriction so if it is not working then let us know why and we can advise.
‎2010 Jun 08 6:51 AM
‎2010 Jul 12 11:38 AM
Hi All,
I also have the same issue. What I find is that we can use authorization object for the program generated for the query. we can provide this authorization object in the user authorization profile.
we have to use Auth.Objct S_Program.
This will work.
But what I am trying to know how to maintain this auth.object? Should it be maintained at the program --> change -->Attributes level or is there any direct tcode in queries to provide the auth.object?
Hope I have made my query clear..
Regards
Srinivasan G
‎2013 Sep 27 3:33 PM
‎2010 Jul 12 6:34 PM
>
> Hi Expert,
>
>
> I created SAP query for users, and assigned users with their respective infoset and user group.
>
> The problem is that when users access SQ01 to execute the queries, users have authorization to change / maintain the queries, which I want to disable this functionalities.
>
Make S_QUERY inactive and you should be good.
‎2010 Jul 12 6:48 PM
Grant the users SQ00 and they will only be able to execute the query.
‎2010 Jul 13 9:22 AM
Hi Hiren, we still also need to restrict S_QUERY to avoid changes being made in SQ00.
Cheers
Alex