Hi Sid,

I have checked both the users profiles with Auth Objects S_ALV_LAYO.

User A has 8 profiles in which 6 has value '23' and 2 have value '*'

User B has 11 profiles in which 9 has value '23' and 2 have value '*'

the user B has only 3 more profiles with value '23' than user B ,.

Now please suggest.

CB

Hi Chandresh,

If all authorizations of two users are exaclty same then just check whether this is controlled by any table level restrictions.

I mean, sometimes there will be two roles with same authorizations (Role A = Role B), but these are maintained at table as in who will do what. For example: User A assigned to Role A can do everything but User B assigned to Role B can do restricted activity.

This is done by maintaining these roles at a table level

Just check, if the program of transaction ZFBSET has been setup in this way

Edited by: Siddhartha Varma on Jul 5, 2010 4:58 PM

Edited by: Siddhartha Varma on Jul 5, 2010 5:00 PM

Hi Sid,

But the program behind the ZFBSET will be accessed by both user A and user B as the tcode is accessed ,

And user A is restricted and user B is not restricted.

Do u mean that the table level restriction thru some AUTHORITY_CHECK statements, or through S_TABU_DIS

I cant understand can u please explain.

CB

Hi Chandresh,

Yes. It may be controlled in that way, I mean by table level. These two similar roles are assigned in a particular table & restriction would be placed in the table against each of the role.

Example: When Role A is assigned to a user - with restricted access as defined in the table for Role A & when user calls the transaction, the program will check the role in the table and will allow the user activity as it is defined in the table for that role.

Just check with your ABAP/Functional Team, if this is designed in this way

PS: Check the above only when you are sure that all authorizations are exaclty same for both the users

Hi Chandresh Bajpai,

You should work with your developer to make sure that and authroization field and object is enabled for authority check for the userA and USER B.

What it means is the custom transaction code should include a custom authority field and custom authority object to make this happen. so that you can permit one userA and restrict the other(UserB) in your case.

I think the Ztcode created is not performing the authority check.

Next put your trace on to find out for each user to restrict or based based on your trace result.

Respectfully

Hi,

There are more objects involved with layout, I just had some quarrel with F_IT_ALV and succeeded. I found it because of the output from SU53 from the user.

Have fun

Bye Jan van Roest