Question:
Hi,
I'm a complete newbie to SAP so stick with me please
1) We would like to disable the SAP menu for certain users, but how can we do this? These users would only be able to use a specially designed menu, and not the SAP menu.
2) I don't know if this is possible, but I'll ask anyway. I need to create several users, working on the same department Accounting. For authorization, I've created a role FIN_ACC, with a user menu containing all things under the accounting-menu.
Now for some users, some things aren't allowed. For example user A can't use the Incoming Bank Accounts, but user B can.
Do I have to create separate roles for these users, or is there a way inside the user to specify that some things are disabled (or even better, hidden)
I hope these questions make sense, and someone is able to help me
Thanks in advance!
Answer:
1. You enter the settings in USERS_SSM for the specific user via SM30
2. you need a separate role for each pertibation of the main role.
Answer:
Hey John, thanks for the quick response.
But can you specify how I would make a separate role inside a main role?
I have the main role set up, now what should I do next?
Thanks for your help and patience
Answer:
Hi Flaviooooooooooooooooooooooo
If you want users to have different levels of access then you will need to create different roles for each group of users.
If you restrict the menu's they have access to without restricting the underlying access, the users will still be able to access the transactions through the transaction fast entry box.
If you are new to SAP then one major pointer I can give is that security by obscurity is not proper security. If someone cannot see something it does not mean it is secure.
A good place to start would be to read authorisations made easy (from SAP and available from Gary's excellent site www.sapbasis.org) and to search on this forum for role design. You will see that there are many ways to do things.
Hope that helps
cheers
Al.
Answer:
Al., thanks for the response.
I have another problem, with the first solution. When I try to run transaction SM30, it gives me "Maintain table views", but I just want to disable the SAP menu for certain users. Can anyone help me with that?
Thanks in advance
Answer:
Look closer at the table when you maintian USERS_SSM.. It is a bit obvious, Table KEy is USERID so you enter the ID you and an guess what it pertains only to ID you enter....
Answer:
Thanks John, for your patience
When I try to maintain the table I get this message:
Client 200 has status 'not modifiable'
INFO:
Message no. TK430
Diagnosis
The system administrator has set your logon client to the 'not modifiable' status.
Client-specific objects can not be changed in this client.
So it looks like they don't want me to mess around there...
Is there another way to block out the SAP menu?
Thanks in advance
Answer:
Editing SSM_CUST is a standard requirement so you have a good case for the BASIS team to unlock PRD to allow you to make the required changes.
When it unlocked you can make your changes and they can lock it again.
Answer:
Have the basis team reset the delivery class of the table to 'L' and reactivate the table, then you do not have to constantly have the system opened. It is not a config table but application