Application Development and Automation Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 
Read only

SQ01 authorization

Former Member
0 Likes
10,027

Hi Expert,

I created SAP query for users, and assigned users with their respective infoset and user group.

The problem is that when users access SQ01 to execute the queries, users have authorization to change / maintain the queries, which I want to disable this functionalities.

I would like the users have authorization to execute the queries only and they are not allowed to change / maintain the queries.

Question:

What kind of authorization object / way that I can achieve the above objective?

I read this post, but it is not working to me. I am from SAP FICO side (not much knowledge on basis).

Thanks in advance.

sbmel

16 REPLIES 16
Read only

Former Member
0 Likes
4,606

Hi,

In the roles assigned to the users, kindly check the activities maintained in field ACTVT for authorization objects S_QUERY, S_RS_COMP and S_RS_COMP1 Object. The values should not be 02 ( Change ) , 23( Maintain ) . They should be 03( Display) and 16( Execute ) .

Regards,

Manisha

Read only

Former Member
0 Likes
4,606

Hi Sbmel

Object to restrict access for SQ01 is S_QUERY. Why not do a trace while executing a query through trxn SQ01. Please work with Security administrators to do a trace. Why not assigning the code name created through SQ01 to some custom tcode and assign users access to that custom transaction. Access to trxn SQ01 should not be provided to end users.

Thanks.

Anjan

Read only

Former Member
0 Likes
4,606

Hi Both,

Thanks for your reply.

Activity under object: S_QUERY, only has 02, 23, 67 (they are not working to prevent user from changing the queries)

I have several queries; therefore the level of maintainability is not advisable if each queries create a Tcode for it.

Do you have any other suggestion?

If there is really no way to prevent user from changing the queries from SQ01, one way that I can think of is to build a customized tcode for SQ01, for example: ZSQ01, and from this tocde, disable some of the buttons (like change button).

Kindly help on this.

Thanks in advance.

Sbmel

Read only

0 Likes
4,606

Hi,

Have you tried to change the values in activities for S_QUErY Auth object? What do the trace results show ? If that hasnot helped then the best bet would be to createa Custom TCODE as you have correctly said .

Regards,

Manisha Nadir

Read only

0 Likes
4,606

Thanks Manisha Nadir,

But creating Tcode for each Queries is not practical, as I have more than 10 queries, and some more from time to time, I might insert new fields for the queries result.

If I create Tcode for each Tcodes, and then if in future, additional fields of queries result, I will re-do the Tcode again and again. Some more, user might request additional queries.

All SQ01 queries built are typically for Master data extraction for their checking on data integirty.

Thanks in advance

Sbmel.

Read only

0 Likes
4,606

Hi Sbmel

In that situatuion only option left with you will be to create a custom transaction(ZSQ01) which will have only execute functionality enabled. rest of the fields(create, change) needs to be greyed out.

Did you check with your auditors whether you can provide access to SQ01 to users in production?

Thanks.

Anjan

Read only

0 Likes
4,606

Hi,

I think I've been misunderstood. What I was trying to say was that you can create custom TCODE ZSQ01 ( as you too had pointed out ) with change/maintain disabled .

Creating a specific TCODE for a query is never a feasible option as this would go on increasing with the no. of queries.

Regards,

Manisha

Read only

0 Likes
4,606

There is always the possibility of adding the queries into a role & letting SAP generate the query tcode automatically. Not an option I have used much but is manageable for a fair number of queries.

Read only

koehntopp
Product and Topic Expert
Product and Topic Expert
0 Likes
4,606

>

> Creating a specific TCODE for a query is never a feasible option as this would go on increasing with the no. of queries.

>

> Regards,

> Manisha

I would dispute that opinion. If security means anything to you, it's actually the ONLY option for queries. SQ01 in production is a dangerous beast.

Frank.

Read only

Former Member
0 Likes
4,606

>

> I read this post, but it is not working to me. I am from SAP FICO side (not much knowledge on basis).

>

>

> Thanks in advance.

> sbmel

Hi

That post tells you how to achieve the restriction against changing queries. Exactly what is not working? I have used it many times before with success. This is standard SAP way of providing the restriction so if it is not working then let us know why and we can advise.

Read only

Former Member
0 Likes
4,606

sbmel,

Why dont you trace and find out the solution.

Thanks,

Sri

Read only

0 Likes
4,606

Hi All,

I also have the same issue. What I find is that we can use authorization object for the program generated for the query. we can provide this authorization object in the user authorization profile.

we have to use Auth.Objct S_Program.

This will work.

But what I am trying to know how to maintain this auth.object? Should it be maintained at the program --> change -->Attributes level or is there any direct tcode in queries to provide the auth.object?

Hope I have made my query clear..

Regards

Srinivasan G

Read only

0 Likes
4,606

Same issue here.

Read only

Former Member
0 Likes
4,606

>

> Hi Expert,

>

>

> I created SAP query for users, and assigned users with their respective infoset and user group.

>

> The problem is that when users access SQ01 to execute the queries, users have authorization to change / maintain the queries, which I want to disable this functionalities.

>

Make S_QUERY inactive and you should be good.

Read only

0 Likes
4,606

Grant the users SQ00 and they will only be able to execute the query.

Read only

0 Likes
4,606

Hi Hiren, we still also need to restrict S_QUERY to avoid changes being made in SQ00.

Cheers

Alex