2009 Jan 25 11:56 AM
Dear Guru's,
There are a couple of Customer IT that have been created. For which I have also assigned the authorization. But for some of these Infotypes though the user has no authorization he is able to access it.
Can you guys give me a heads up on what might have gone wrong...
Regards
Vijaya Sankar
2009 Jan 25 1:44 PM
Could there be some ranges in the infotype field(s) in the existing roles? Generally when something unexpected like this happened it shows the disadvantage of ranges.....
2009 Jan 25 1:48 PM
It does have few ranges. But any idea how to tackle it???
Regrads,
Vijaya
2009 Jan 25 2:30 PM
> It does have few ranges. But any idea how to tackle it???
I'd talk to the functional guys and investigate which infotypes they really use. If you define those one by one in your roles you'll never have the risk of new infotypes becoming visible or changeable by accident.
2009 Jan 26 3:22 PM
Vijay,
You may have already tried this but the first thing that pops into my head is to use SUIM.
Roles -> Roles by authorization values -> plug in P_orgin or P_orgincon (Whichever object you use) -> then under infotype plug in the value of the infotype you DON'T want them to see. Hit execute. Then compare those roles to the access your users have.
Thanks,
2009 Jan 27 4:36 PM
Walden is correct.
It's best to remove all ranges by utilizing SUIM and then define each infotype separately. You can always add more later individually if the users require further access. But it will keep you from hunting through ranges to restrict them from anything they may accidentally receive from the range.