Question:
Environment - SAP R/3 4.6c
Dear all,
Just wanted to ask what would be the standard set of steps to remove an authorization object from a role (custom defined -ZRole)?
For example,
Authorization Object Description
S_DEVELOP <OBJ> ABAP Workbench.
Any help on this will be greatly appreciated.
Regards,
AA
Answer:
Look for the transaction in the role which is bringing in the undesirable authorization.
Configure SU24 to restrict the that authorization.
There are also some analysis tips and procedures described in OSS 587410.
Answer:
Hi let us keep it simple, to remove an object from the role follow this method:
1. go to pfcg
2.authorizations, in that change auth.
3. deactivate the object u want to remove and then delete it.
4. make sure u deactivate it before u remove it.
5. then save and generate.
coming to complicated version of the same.
to remove an object and affect it globally remove it using su24 but be cautious it affects globally and might have seriouss repercussions.
try the first one i think it should suffice and let me know.
Bye
Answer:
out of interest what does the deactivation before deletion achieve over just deleting the object?
Answer:
Thank you for all the support. Really do appreciate it.
I am a newby in this area, and I may be giving out wrong (so please feel free to correct me if I am wrong), but just disabling in the procedure highlighted above also gives the desired result.
I am not aware of any other repercussions associated with this, but, once again, please feel free to shout out any discrepencies.
Regards,
AA
Answer:
I am not sure but let me try to give an explanation.
the purpose of removing an object is to remove the role the capability of executing that particular function. So consider a situation where a user to whom u have assigned the role from which u wnated to remove the auth. If by chance he is using the object at the time of removing so it might lead to him having acess which he should not have. So for this very reason we will disable the object so no user can now acess it. and then remove it. I think this can be one of the reasons but I would really appreciate others to put in their thought so that we can increase our knowledge in this regard.
So let me know if this explanation answers ur doubt
Bye
Answer:
I am not sure but let me try to give an explanation.
the purpose of removing an object is to remove the role the capability of executing that particular function. So consider a situation where a user to whom u have assigned the role from which u wnated to remove the auth. If by chance he is using the object at the time of removing so it might lead to him having acess which he should not have. So for this very reason we will disable the object so no user can now acess it. and then remove it. I think this can be one of the reasons but I would really appreciate others to put in their thought so that we can increase our knowledge in this regard.
So let me know if this explanation answers ur doubt
Bye
Sorry, my question was due to brain drain this early in the morning! Forgetting the basics is not the best thing to do
Personally I prefer to inactivate only or preferably configure SU24. Sorry for wasting your time!
Answer:
Hi all,
I am not an expert on this but would like to give a suggestion.
I think the best way is to make the auth object inactive and leave it like that, because if you delete the auth object and sometime in the future if you regenrate the role the object will appear again becuase it was not changed in the SU24. Of course if u made changes in SU24 before all this then you wouldnot have any problem.
Would like to see corrections to this if I am wrong.
Thanks.