Question:
Dear Experts,
Our company wants to set control on user to execute particular programs.
I know that we can use ABAP/4 statement "AUTHORITY-CHECK", but that will be too time-consuming, as we need to set this in each of the program.
For each program, I notify that there is an attribute called "Authoriztion groups". I click on possible entry only to find an error of "No entries exist in table TPGP for application V".
I maintained the entry into TPGP, but how can I set individual user to have such an authorization group?
Shell I need to defind the authorization field by SU20 and assign this to object S_DEVELOP under the object class BC_C by SU21?
Thank you for your kindly advice
Regards,
Green Green
Answer:
Dear Experts,
I search some messages in this forum and found out part of the solution on today. To solve my problem mentioned above, is there any one of you that can help me to fill in the steps below?
Mr. John A. Jarboe, I hope you are here and could help me
1. In SE16, access table TPGP and create a new authorization group in application "V" (for customized ABAP/4 Programs start with Z* )
2. In SE#*, select the report you want to have authorization checking. Go to Attributes and assign the report with the authorization group you just created.
3. In SE38 execute report "RSCSAUTH", specify your program/report and application, then add back the Authorization group and save.
4........?????
I miss the part to assign user/logon id to this authorization group. How can I do so??
Thanks & regards,
Green Green
Answer:
You need to make sure that authorisation object S_PROGRAM is maintained for the correct auth group values in their roles.
Answer:
But how?
In PFCG, select particular Activity Group?
Green Green
Answer:
But how?
In PFCG, select particular Activity Group?
Green Green
Pretty much, yes.
I would recommend that you get hold of a copy of Authorisations Made Easy - you should be able to find it at www.sapbasis.org
This will give you all the steps to do something like this. Alternatively, your security team will be able to do this for you.
Answer:
I bet one jelly-baby that GreenGreen is the security team.
Tarr
Answer:
The best would be to select the role the reports go into and add the report to the role menu in PFCG. If a tcode does not exist, this will create a tcode which you can then go to SU24 and configure to have the correct athorization group for the tcode This way whenever you add th e report or tcode to any role the auth group assigned in SU24 will come into a role.
The authhorization group can them be added or changed woth report RSCSAUTH and the SREPOAUTH table transported and use the "restore" option to add it to production.
If you do not add the report to the role you will then have to add S_PROGRAM manually