2010 Jan 25 8:47 PM
Friends
I am trying to restrict the Display Access for the HR Master Data in RSA1.
I am using S_RS_IOMAD Auth Obect and removed all the HR info catalog.
However, when I go to RSA1 ->> DSI Master Data -> HR Master Data ->>> and right click on any of the HR info objects
and select mantain Master Data ->>> I get below Message.
" You have access to display Master data only"
If click, continue or enter, it does display HR master data even though HR info catalog is removed from S_RS_IOMAD Auth Object.
The Role only has
S_RS_ICUBE for Update Rules and Definition Display Only.
S_RS_IOBJ for Update Rule and Definition without HR Info obj Catalog.
S_RS_IOMAD with only FI info area in it.
Am I missing anything here? How can I restrict the Display of Master Data ?
From
Pranav
2010 Jan 25 10:55 PM
Hi Pranav,
Put a trace on the user ID and check out which object is actually giving the diaplay authorization of master data table. By restricting that object you might be able to restrict the display access as well.
2010 Jan 25 10:55 PM
Hi Pranav,
Put a trace on the user ID and check out which object is actually giving the diaplay authorization of master data table. By restricting that object you might be able to restrict the display access as well.
2010 Jan 25 11:34 PM
Hi,
I checked in the Trace also, but did not get any information from it.
From
Pranav
2010 Jan 26 7:22 AM
Hi Pranav,
Just check , wheather you are maintaing direct assignment of authorization to users not involving role and users are getting the data from there.
2010 Jan 26 7:49 AM
Hi,
As you wanted to restrict display access to HR master data only, I sugegst you to provide only minimum access.
for example S_TCODE- RSA1 and S_RS_IOMAD. Do not give any other BW auth. object access. Then see if you are able to restrict HR master data.
please let me know result of this scenario.
Best Regards
Imran
2010 Jan 26 7:56 AM
Hi Pranav,
In trace did you get any object with field ACTVT as 03?? Have you tried restricting it?
If all this does not help then discuss the same with the developer and check if you can restrict the desired table by auth groups.If this works then you can restrict the table "display" , "delete", "Maintain" etc by putting these auth groups in S_TABU_DIS .
2010 Jan 26 3:41 PM
Yes, I tried with deactivating all other objects only keeping the only S_RS_IOMAD active and still getting the same error message.
Before I speak to Developer, how can I find the Auth Group of these tables for the Info objects in HR master data node?
Please let me know.
Thanks,
Pranav
2010 Jan 26 4:22 PM
Hi Pranav,
To check the authorization group for table check the Table TDDAT in SE16. It contains the entry of table assigned to authorization group. This relationship is maintained in SE54 transaction...
2010 Jan 26 4:25 PM
I know that part.
However, How do I know the table name for specific Info object?
Please advise.
Thanks,
From,
Pranav
2010 Jan 26 4:48 PM
I tried all the /BI0/* Tables and they are not showing up in the TDDAT.
Example /BI0/TGENDER for the Gender.
/BI0/OIEMPLSTATUS for the employee status.
Some of the info objects does not have any table mentioned in the Object overview -> Tab MaterData text.
Thanks,
From
Pranav
2010 Jan 26 9:22 PM
To all Friends
The issue was with the Info objects in too many catalogs.
Nothing was wrong with Security.
From
Pranav
2010 Jan 27 4:32 PM
Pranav,
Have u checked the report again after securing the infoobject correctly. Is it working fine.
2010 Jan 27 4:49 PM