Question:
What table can i find the authorization groups for ABAP programs. I'm trying to have a program assigned to a group.
Thanks
Answer:
Did a search ( search engine on this webiste is extremely good ) for:
Program auth groups (search all terms)....came up with 17 hits.
However, again: (quoting previous posts)
"Report RSCSAUTH can also be used to assign programs to authorization groups. This report is documented in detail."
Program auth groups are found in TRDIR.
P.S. You will now get 18 hits if you perform the search.
Best regards,
Answer:
Thank you
Answer:
Use su01 -> Environment -> User Groups.
Answer:
Do note that if you change hta uth groups programatically not using RSCSAUTH you run the risk of losing all your changes during an upgrade. RSCSAUTH is designed to create a backup and allows you to restore after an upgrade.
Answer:
I am also trying to understand this topic. I am working on a system where anyone can run programs currently. I have been reading all of these posts today and trying to wrap my mind around the Auth Group concept.
I have looked at the program RSCSAUTH. What I want to know is where we do maintain or define the Auth Groups we use in RSCSAUTH? Is there a specific place you would go to do this?
Answer:
Alright guys... I sort of answered my own question here! I have figured out finally after looking at this all day, how the darn report runs for this and how to add the auth group to it.
Answered my own question! I must be thinking way toooo hard before the holidays! lol
Merry christmas... Happy holidays... to everyone!
Answer:
The actual table that houses the "defined" values is TPGP and TPGPT, there is a report the loads the values FROM the value you place on programs using SE38 OR RSCSAUTH.
THe simplest approach thoug it to extract the User activity information form the system and assigne the reports to the user's roles ( creates Tcodes for the reports OR finds the tcodes for you) then you can remove SE38 and SA38 from all users and have them run the tcodes, Far easier than assigning Auth groups to the 21,000+ reports in the system.
Answer:
John,
I agree with you. I played around with this all day yesterday. From what I have learned, the only way Auth Groups are affective in SA38 is if "ALL" reports have an Auth group. Otherwise, the user still has access to the ones that do not have one assigned. If the user tries to run a report that has an auth group assigned and the object S_PROGRAM does not have that proper auth group, then and only then does the user get a failure.
My confusion here was that in one of the other posts, someone stated the best practice would be to assign an auth group to the report, then assign the report to a transaction. Is this really a good practice or is just assigned it to a transaction enough?
I do have one really important question for you John. I know that when you run RSCSAUTH, you get a list of all executable programs/reports. If I decide to assigned an auth group for all the standard SAP reports pulled in the run, would it cause problems on the backside with transactions when a person tries to run one? Security Report RSUSR004 is kicked off by SUIM. I would have to make sure that my object S_PROGRAM has the new auth group in it in my Security Role to make sure I can run that?
I guess I truely know the answer to that and the amount of work it is going to take to make the S_PROGRAM object secure. I understand the work behind it and why you would want to do this. I am just questioning the need for an auth group. I like the idea of transaction code only.
Answer:
I like the idea of transaction code only.
You have answered your own question.