
Remove a t-code from a specific user through ABAP code.

0 Likes
1,112

I want to remove a t-code from a specific user. The t-code is assigned to an authorization object, then the authorization object is assigned to a role, and then the role is assigned to the username. Is there any way I can either deactivate the authorization object from the role or remove the t-code from the role? I want to do this through ABAP code. Is there any function module or any other way to do this? Please help.

Accepted Solutions (1)

Colleen
Product and Topic Expert

Why do you want to do this? Why through ABAP?

Is this related to your other question:

https://answers.sap.com/questions/12746780/deactivate-and-activate-an-authorization-object-th.html

How many other users have the roles that contains that tcode?

Why not create a new role for the tcode and remove it from the old role? Then you only have to provision or deprovision the role with the tcode access.

0 Likes

I have this requirement from a client to deactivate t-code VA01 from a user and activate it again on click of a button. The roles are user specific but can contain more than one t-code. If we create a new role for that t-code only, how can we remove it from a user through ABAP code?

Sandra_Rossi
Active Contributor
0 Likes

ABAP authorizations are defined as a "whitelist" only. There's no way to define a "blacklist". Hence the answer given by Colleen.

If the requirement is based on well-established arguments, then I can see only a solution via a user exit in VA01 ("if user is not allowed to run VA01 then exit"). I'm sure you can easily find an enhancement option somewhere.

Colleen
Product and Topic Expert

It sounds like you might need to ask for more information regarding this requirement. You're describing a technical solution which may not be appropriate.

Under what conditions should the user lose VA01? What button, and where would such a button be placed for the user to press it? If they press the button, does it log that they requested the access or seek approval (if there is no audit trail then why bother)?

Is the user meant to be allowed to get the initial VA01 and then press the button there? If so, they will need S_TCODE to get that far.

It may not be your explicit job to question this but if you proceed with a development you may be creating a technical debt for your customer. It may be cheaper to clean up the roles and resolve this through a user provisioning request. That is: build the role with just VA01 access and provide a process to request it.

To me, what you have does not sound like an actual requirement but a solution that has not been thought through. What problem are they actually trying to solve?

Thanks Colleen, I created separate roles for each t-code and used BAPI 'BAPI_USER_ACTGROUPS_ASSIGN' to assign and un-assign the roles.
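
The approach described in the reply above, as an added example that is not code from the thread: `BAPI_USER_ACTGROUPS_ASSIGN` replaces the user's complete role list, so the current assignments are read with `BAPI_USER_GET_DETAIL` first and only the single-t-code role is added or dropped. The report name `Z_TOGGLE_TCODE_ROLE` and the role `Z_VA01_ONLY` are hypothetical.

```abap
REPORT z_toggle_tcode_role.

" Hypothetical role Z_VA01_ONLY: a role that contains only t-code VA01.
PARAMETERS: p_user TYPE bapibname-bapibname OBLIGATORY,
            p_role TYPE agr_name DEFAULT 'Z_VA01_ONLY' OBLIGATORY,
            p_add  RADIOBUTTON GROUP act DEFAULT 'X',
            p_del  RADIOBUTTON GROUP act.

DATA: lt_roles  TYPE STANDARD TABLE OF bapiagr,
      ls_role   TYPE bapiagr,
      lt_return TYPE STANDARD TABLE OF bapiret2.

START-OF-SELECTION.
  " Read the current assignments; the assign BAPI overwrites the whole list.
  CALL FUNCTION 'BAPI_USER_GET_DETAIL'
    EXPORTING
      username       = p_user
    TABLES
      activitygroups = lt_roles
      return         = lt_return.
  LOOP AT lt_return TRANSPORTING NO FIELDS WHERE type CA 'EA'.
    WRITE: / 'Could not read user', p_user.
    RETURN.
  ENDLOOP.

  " Drop the toggle role, then re-add it only when access is being granted.
  DELETE lt_roles WHERE agr_name = p_role.
  IF p_add = abap_true.
    ls_role-agr_name = p_role.
    ls_role-from_dat = sy-datum.
    ls_role-to_dat   = '99991231'.
    APPEND ls_role TO lt_roles.
  ENDIF.

  CLEAR lt_return.
  CALL FUNCTION 'BAPI_USER_ACTGROUPS_ASSIGN'
    EXPORTING
      username       = p_user
    TABLES
      activitygroups = lt_roles
      return         = lt_return.

  LOOP AT lt_return TRANSPORTING NO FIELDS WHERE type CA 'EA'.
    CALL FUNCTION 'BAPI_TRANSACTION_ROLLBACK'.
    WRITE: / 'Role assignment failed for', p_user.
    RETURN.
  ENDLOOP.
  CALL FUNCTION 'BAPI_TRANSACTION_COMMIT' EXPORTING wait = abap_true.
  WRITE: / 'Role list updated for', p_user.
```

Passing only the one role to `BAPI_USER_ACTGROUPS_ASSIGN` without reading the existing list would strip every other role from the user.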

Answers (1)

Answers (1)

kaus19d
Active Contributor
0 Likes

Hi Syed Usman Tariq,

The standard way of doing this task is a general task of the SAP-Security Team in your organisation. The purpose that you mentioned is why, from time to time, maybe even quarterly in many organisations, they do a Roles-Revamp. The process is not to do it via ABAPing. The process here is via your SAP-Security guys --> SUIM --> Find the Users that have the T-code, or PFCG --> Go to Transactions in Roles. Ultimately, after getting the list of users that have VA01, you might need to remove the T-code from the roles & create 2 more separate, different roles. Of course, then will come the object-related authorisation inside VA01.

Another thing to remember: say, for example, in VA02 or VA03, if you enabled authorisation for object=01 there too, that would indirectly mean that you have already given permission for VA01. You can run this process as a user who does not have VA01 t-code access but has VA02 or VA03, & then try to create, & next if you check in SU53, it gives missing object 01. So, allowing object 01 would also mean allowing VA01.

I would highly recommend you get in touch with your SAP-Security guys, or if there is no SAP-Security guy in your organisation, then it would fall to the SAP-Basis guys.

Thanks,

Kaushik