Showing results for 
Search instead for 
Did you mean: 

limit download to local for some t.code

Former Member
0 Kudos

dear all,

we want to limit our user access to save to local file by means of authorization. we have done it via authorization object S_GUI, but this is valid for all in the role. our problem is, we only want for specific from all assigned to role.

say user A having role ZSAP_ABC which lists tcode SM37, SP02, SU3 and SBWP. we only want to restrict download to local only for tcode SM37, but not for any others without separating this t.code into two new tcodes (say ZSAP_ABC_download and ZBC_ABC_no_download)

is this possible ? how we can do that ?

thank you

Accepted Solutions (0)

Answers (4)

Answers (4)

Former Member
0 Kudos


You are not able to restrict through S_GUI is because it is having only one field-Activity. So we are not able to restrict in Tcode level. My suggetion is to create another Auth Object with two fields, one for Tcode and one for Activity and assign the Tcode which needed to be downloaded there. Add this object to the role. In this case only one role is sufficient. No need to assign S_GUI.

I think this solves your problem


Prabhu K

Former Member
0 Kudos

hi Prabhu,

donwload to local file can be done in many ways :

- hit button export from screen

- using menu path : system > list > save > local file


all of them (both SAP standard or Z-program) is linked with authorization object S_GUI to be able to download to local file. if we follow your suggestion, must we change all SAP standard program and Z-program in which S_GUI exist ?? ... and replacing S_GUI with the new authorization object made ??

not an implementable solution, but anyway thank your for your suggestion


Alfonsus Guritno

Former Member
0 Kudos


lets take a look for this simple example :

1. we have role Z_ABC consist of MM01, MM02, MM03, SP02 and SM37. All authorization object related to this five transaction codes have been defined correctly.

2. now we want to restrict, only SP02 and SM37 is allowed to be downloaded to local.

3. then you say we have to assign downloadable t-codes (SP02, SM37) into role Z_ABC_DL and un-downloadable t-codes (MM01, MM02, MM03) into role Z_ABC_NO_DL (separated)

4. then we assign authorization object S_GUI (full authority) to Z_ABC_DL in order to allow t-codes able to be downloaded. (roles Z_ABC_NO_DL is left without object S_GUI assigned)

5. from point 4 we have temporary conclusion that Z_ABC_DL (SP02 and SM37) is able to download, and Z_ABC_NO_DL (MM01, MM02, MM03) is unable to download, right ?

6. then we assign this two roles (Z_ABC_DL and Z_ABC_NO_DL) into the same user, say user ADMIN.

7. from point no.6, t-codes that should not be able to be downloaded by ADMIN become able to be downloaded because of the existence of objects S_GUI. When executing MM03, and download to local, it will checks the authorization object S_GUI for user ADMIN from available roles (Z_ABC_DL and Z_ABC_NO_DL) - and BANG! object S_GUI (prerequisities of download data to local) is found in one role : Z_ABC_DL.

not a good idea, right ?


alfonsus guritno

Edited by: Alfonsus Guritno on Jun 2, 2008 3:50 PM

Former Member
0 Kudos

Hi Alfonsus,

Yes you can do, go in pfcg and select this profile. In the said profile you can give access only for view for sm37.



Former Member
0 Kudos


yes it is possible.

Using PFCG assign particular roles.

Assign particular tcodes to the role specified like download and not download roles and assign the users and do comparision, which solves your problem.



Edited by: bhaskar1818 on Jun 2, 2008 10:46 AM