Table level restriction

I am posting this topic in question-and-answer form; I hope you like it. The questions and answers are linked to one another, so read them in order to avoid confusion.
S_TABU_DIS AUTH OBJECT AND ITS FIELDS
What is SE16/SM30?
It is a data browser. Users can access tables by using these T-codes.

What do tables contain?
All SAP data is stored in the form of tables. Some of the tables hold sensitive information that must not be accessible to every employee, such as vendor details, profit and loss reports, salary details, etc.

Tables are of two types:

1) Standard: These tables come with the SAP installation
2) Customized: These tables are created manually based on requirements

What happens if a user has access to SE16/SM30?
If a user has SE16/SM30 access, the user can access tables whether they are standard or customized. This leads to excessive access.

What if we remove SE16/SM30 access?
It is a bad idea to remove the T-code from the user, because users need some information for their business process. If we remove it, users cannot access that data.


Then what does the security admin have to do?
The security admin finds out which tables the user requires, creates an authorization group, and maps these tables to it. The authorization group is then assigned to the user via S_TABU_DIS.

What is S_TABU_DIS?
It is an authorization object for SE16/SM30, used for table-level restriction. It has two fields:
The first, ACTVT, contains the permitted operations; we tick the ones to allow.
The second, DICBERCLS, is where we enter the authorization group name.
Once a user has access to a particular table authorization group, the user can access all tables linked to that authorization group.

How to create an authorization group
We create the authorization group in SE54. The authorization group itself is empty; we map the tables to it. The default authorization group is SC.

1) Run SE54
2) Choose AUTHORIZATION GROUP
3) Click the CREATE/CHANGE button
4) Click NEW ENTRIES

Enter the authorization group name in the AUGR field (maximum 4 characters) and enter a description.
Click CREATE REQUEST or OWN REQUEST (here I am showing "create request").

Here SHORT DESCRIPTION is mandatory. Maintain a meaningful description so that it is easy to identify.
Usually every company has its own naming convention.

How to map the tables to the authorization group and add the authorization group to roles
1) Choose ASSIGN AUTHORIZATION GROUP
2) Click CREATE/CHANGE
3) Choose TABLE NAME and AUTHORIZATION GROUP

Enter the names of the tables you want to give the user access to in FROM and TO, and also
enter the authorization group name.

Add Auth Group to Role :

Open PFCG and enter the role.
5) Add T-code SE16 in the Menu tab.

Go to the Authorization tab -> Change Authorization Data
6) Now add the authorization group name that you created in SE54 in the AUTHORIZATION GROUP field of S_TABU_DIS.
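
To review the result of the steps above, the following added example (not part of the original post, and not SAP code) models the check outside the system: it takes a table-to-group mapping as maintained in SE54 and the S_TABU_DIS values of each role, and lists which tables each role really reaches. All table, group and role names are constructed; the use of TDDAT as the source of the mapping and the ACTVT codes 02/03 are stated as assumptions in the comments.

```python
from fnmatch import fnmatchcase

# Constructed sample data; table, group and role names are hypothetical.
# Table -> authorization group, as assigned in SE54 (assumed exported from TDDAT).
TABLE_GROUPS = {
    "ZVENDOR_BANK": "ZFIN",
    "ZPL_REPORT": "ZFIN",
    "ZSALARY": "ZHR",
    "ZPLANT_CAL": "ZLOG",
}

# Role -> S_TABU_DIS authorizations. Assumed ACTVT codes: 02 = change, 03 = display.
ROLE_AUTHS = {
    "Z_FIN_DISPLAY": [{"ACTVT": ["03"], "DICBERCLS": ["ZFIN"]}],
    "Z_LOG_MAINT": [{"ACTVT": ["02", "03"], "DICBERCLS": ["ZLOG"]}],
    "Z_SUPPORT_ALL": [{"ACTVT": ["03"], "DICBERCLS": ["*"]}],
}


def _matches(values, wanted):
    """True if any maintained value (may contain '*') covers the wanted value."""
    return any(fnmatchcase(wanted, value) for value in values)


def tables_for_role(role, actvt="03"):
    """Tables the role reaches; ACTVT and DICBERCLS must match in one authorization."""
    reachable = set()
    for auth in ROLE_AUTHS.get(role, []):
        if _matches(auth["ACTVT"], actvt):
            reachable.update(
                t for t, group in TABLE_GROUPS.items()
                if _matches(auth["DICBERCLS"], group)
            )
    return sorted(reachable)


def excess_tables(role, needed, actvt="03"):
    """Tables the role reaches beyond what the business process needs."""
    return sorted(set(tables_for_role(role, actvt)) - set(needed))


def roles_with_wildcard_group():
    """Roles whose DICBERCLS contains '*', i.e. every authorization group."""
    return sorted(
        role for role, auths in ROLE_AUTHS.items()
        if any("*" in value for auth in auths for value in auth["DICBERCLS"])
    )
```

A role that only needs ZVENDOR_BANK still reaches ZPL_REPORT here because both tables share the group ZFIN, which is why the grouping of tables deserves as much review as the role values.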

Good luck.

3 comments:

Unknown said...

Hi sid,

Thanks for the post. Can you please post "OSS user id creation and how to maintain in secure area."

Unknown said...

Thank you, keep reading. Definitely I will post on the OSS ID topic.

Anonymous said...

Great article. Very helpful for freshers as well as experienced consultants. Keep it up.