I am posting this topic in question-and-answer format; I hope you like it. These
questions and answers are linked to one another, so read them in order to avoid confusion.
S_TABU_DIS AUTH OBJECT AND ITS FIELDS
What is SE16/SM30?
It is a data browser. Users can access tables by using these T-codes.
What does a table contain?
All SAP data is stored in the form of tables. Some of the tables hold sensitive
information that should not be accessible to every employee, such as vendor details, Profit
& Loss reports, salary details, etc.
Tables are of two types:
1) Standard: these tables come with the SAP installation.
2) Customized: these tables are created manually based on requirements.
What happens if a user has access to SE16/SM30?
If a user has SE16/SM30 access, the user can access tables whether they are standard or customized. This leads to excessive access.
What if we remove SE16/SM30 access?
It is a bad idea to remove the T-code from the user, because users need some information
for their business process. If we remove it, users can't access that data.
Then what does the security admin have to do?
The security admin finds out which tables the user requires, creates an authorization group
and maps these tables to it. The authorization group is then assigned to the user via
S_TABU_DIS.
What is S_TABU_DIS?
It is an authorization object of SE16/SM30 used for table-level restriction. It has two
fields:
The first field, ACTVT, contains the permitted operations; we tick the ones to allow.
The second field is DICBERCLS; in this field we give the authorization group name.
Once a user has access to a particular table authorization group, the user can access
all tables linked to that authorization group.
How to create an authorization group
We create the authorization group in SE54. The authorization group itself is empty; we map the tables to it. The default authorization group is SC.
1) Hit SE54.
2) Choose AUTHORIZATION GROUP.
3) Click on the CREATE/CHANGE button.
4) Click on NEW ENTRIES.
Enter the authorization group name in the AUGR field (the maximum length is 4 characters) and enter a description.
Click on CREATE REQUEST or OWN REQUEST (here I am showing "create request").
Here SHORT DESCRIPTION is mandatory. Maintain a meaningful description so the request is easy to identify.
Usually every company has its own naming convention.
How to map the tables to the authorization group and add the authorization group to roles
1) Choose ASSIGN AUTHORIZATION GROUP.
2) Click on CREATE/CHANGE.
3) Choose TABLE NAME and AUTHORIZATION GROUP.
Enter the names of the tables you want to give the user access to in FROM and TO, and also
enter the authorization group name.
Add Auth Group to Role:
Open PFCG and enter the role.
5. Add T-code SE16 in the menu tab.
6. Now add the authorization group name that you created in SE54 in the AUTHORIZATION GROUP field of S_TABU_DIS.
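The check described above can be modelled offline to review which tables a role actually reaches through its authorization groups. This is an added example, not code from the original post or from SAP; the table, group and role names are constructed, and the trailing-* pattern matching is a simplified assumption.

```python
# Constructed sample data (not from the original post).
# Table -> authorization group, as assigned in SE54.
TABLE_GROUPS = {
    "ZVENDOR_BANK": "ZFIN",
    "ZPNL_REPORT": "ZFIN",
    "ZSALARY": "ZHR",
    "ZPLANT_TEXT": "ZLOG",
}

# Role -> S_TABU_DIS authorizations, each with its ACTVT and DICBERCLS values.
# ACTVT 02 = change, 03 = display.
ROLE_AUTHS = {
    "Z_FIN_DISPLAY": [{"ACTVT": {"03"}, "DICBERCLS": {"ZFIN"}}],
    "Z_HR_MAINT": [{"ACTVT": {"02", "03"}, "DICBERCLS": {"ZHR"}}],
    "Z_SUPPORT_ALL": [{"ACTVT": {"03"}, "DICBERCLS": {"*"}}],
}


def _matches(values, wanted):
    """True if an authorized value equals `wanted` or is a trailing-* pattern covering it."""
    for v in values:
        if v == wanted or (v.endswith("*") and wanted.startswith(v[:-1])):
            return True
    return False


def is_authorized(role, table, actvt):
    """Both fields must be satisfied by the same S_TABU_DIS authorization."""
    group = TABLE_GROUPS.get(table)
    if group is None:
        return False  # assumption: this model only covers tables with a group assigned
    return any(
        _matches(a["ACTVT"], actvt) and _matches(a["DICBERCLS"], group)
        for a in ROLE_AUTHS.get(role, [])
    )


def reachable_tables(role, actvt="03"):
    """Every table the role can reach for the given activity, via its groups."""
    return sorted(t for t in TABLE_GROUPS if is_authorized(role, t, actvt))


def broad_roles():
    """Roles whose DICBERCLS holds a wildcard, i.e. more than explicitly named groups."""
    return sorted(
        role for role, auths in ROLE_AUTHS.items()
        if any("*" in v for a in auths for v in a["DICBERCLS"])
    )
```

Granting one group exposes every table mapped to it, so `reachable_tables` is the list to review before a role goes live, and `broad_roles` surfaces roles that bypass the grouping altogether.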
Good luck..
3 comments:
Hi Sid,
Thanks for the post. Can you please post "OSS user id creation and how to maintain in secure area."
Thank you, keep reading. Definitely I will post on the OSS ID topic.
Great article. Very helpful for freshers as well as experienced consultants. Keep it up.