Hi,
Yes i am speaking about Time Zone, decimal Notation, Parameters addition only. Actually for all the users Security team will be doing but for Self we have given access to SU3.
As of now we have given to all for Tcode SU3, but now we need to restrict with display access with SU3 for some users and we have list too.
Thanks in advance for your time.
Hi Hima Bindu
Remove the role which has SU3 tcode from all the users and assign that role to the users who should change Time Zone, decimal Notation, Parameters additiond by them self then , as per your requirement, which I am not happy about it any way.
For all the others users, security team will look in to it
I am not considering to go to ABAP er for creating of custom tcode for Su3 ..
SU3 is basically for change and SU01d is basically for display
Howzz thaaat ??
Cheers
Pavan M
Hi Pavan,
Thank you. Obviously good. In SU01d we have not only Address, Parameters tabs but also roles and some other tabs and its not required for users...
We require SU3 for all with change but only few with SU3 display.
I tried adding many auth. objects related to that but its not getting restricted.
If the problem persist
Look at the object that have the value Z123 , Z124, once you have the roles check if more than one are assigned to the user, please remember that the user authorizations are added depending the number of times that the object its added.
Hi,
There are a few options, a couple of them are
1. Find an appropriate enhancement point in SU3 to add some additional display logic that will will allow you to toggle update / display based on an authorisation value.
2. use SHD0 to create a variant that has only display, assign that to to a custom tcode and get the display-only users to use that.
Adding auth objects to roles won't control something (like SU3) that hasn't been coded with the checks in place to start with.
We recently upgraded SRM4.5 to SRM7 SP01. We are using extended classic scenario. We exported security admin portal roles from SRM4 and using them in SRM7 portal. However one of the iView to enter EBP user master does not open properly. When we click on the menu to enter user master "MANAGE USER DATA" then iView open in new window with X mark in center of page and trying to load the page layout but no outcomes. We checked SICF for bbpusermaint service but we did not find bbpusermaint but we found BBPUM01 (admin service for User Administration. which is active. Also all other services relevant to BBP are active as well. The iView name is com.sap.pct.srm.ebp.bbpusermaint. I did some research on note 1008689, 1088717, 603624 but these notes are relevant. Please find the attached screen
What could be the reason that iView is not loading the layout? Did I miss to activate any business function or service?
I would deeply appreciate your suggestions?
Thanks,
Hi Alex,
Thank you for the response.
As it is standard and we dnt have any permissions for opting enhancements.
Custom tcode is not recommended, so we need to check with standard only.
Gurus,
I have a question on RAL configuration/setup (appl.comp BC-SEC-RAL) on NW74 SPS5 release.
I am trying to configuring recording (dynpro channel) and eventually create a configuration based on the recording.
I am running GUI 7.30 to start the tcode I am trying to record fields from. I can see the 'from the context menu. I am marking some fields for recording on the abap dynpro application.
After I am done with it, I come back to the 'create recording screen' on the 'Administration' tab and stop the recording. When I open it for contents, it is empty. And it seems that you can only create a new Configuration by using an existing recording/program-name.
If you are successful at it, would you please hint at what am I missing.
Thanks,
Pawan.
Thanks everyone!!
Best Regards,
Naveen
Hi All,
I have a question on supplier view of purchase order history in supplier network configuration.While comparing two purchase order numbers using history comparison button,user is facing No authorization for this Navigation error.This error is in web UI, so not sure how to find out the error 
.Please help me in this.
Refer to the above screenshots and help me.Thanks in advance
In portal also user should have the proper access(User admin rights) and also check the communication user access ABAP and UME config, and also check the is UME is source system or not?
Hi Pawan,
I have just done, what you said in the exact order and it works fine for me. Did you check your recording by clicking the glasses next to it, was this one empty? Did you select Read Access Loggong -> Record field for all the fields you want to get logged?
Regards,
Patrick
Question: would the German Data protection authorities have an issue with activating this level of logging?
Hi Frank,
I our productive enviroment I am getting many times the message BU 4 "Dynamic ABAP Coding: Event &A Event Type: &B Checksum: &C" but according to your post (and my old screen capture) the BU 4 message should be for "Transport Request &A Contains Security-Critical Source Objects".
I searched but could not find anything about this issue...what do you recommend beside good luck :-)?
Thanks,
dionisio
Hi Experts,
We have a requirement to restrict SOST t-code for display only.
But, as this is an Admin t-code i couldn't find a way to restrict this t-code via auth. objects/values.
Hence, i tried SOSB which is not having Delete button/Access. But, SOSB only shows the requests for the user/sender who has logged in and not for all the users/senders.
Can you please let me know if there is a way we can make SOSB to show requests pertaining to all the senders/users.
Thanks for your help 
Hello,
We are facing an strange issue related to BI authorizations. We have to
restrict users in query designer such that they cannot edit any query
with the name starting from Z*. They should be able to copy the Z*
queries to Y* names and should have full access to edit these Y* queries only.
But the problem is that as soon as we give access to edit the Y* queries to these users they have access to edit Z* queries as well. In the ST01
trace we found that there is a dummy check on S_RS_COMP object for all
the fields except ACTVT. Hence if we give access to ACTVT=02 they have
change access for all the queries Z* as well as Y*.
The trace looks like this:`
S_RS_COMP RC=4 RSINFOAREA= ;RSINFOCUBE= ;RSZCOMPTP= ;RSZCOMPID= ;ACTVT=06;
S_RS_COMP RC=0 RSINFOAREA= ;RSINFOCUBE= ;RSZCOMPTP= ;RSZCOMPID= ;ACTVT=02;
As you can see it doesn’t check for any values in RSZCOMPID which is the most important field where the restriction is in place.
This is not normal, as I do remember there was always a check on this field and we could have easily restricted this user.
Note: I am able to perform edit operation with this user for Z* queries but if I try to do “Save As” it will not save any query in the Z* format it will give no authorization error message. This is good as it lets you save this only in Y* format. Hence my restriction only works while copying this query to some other name only. 
Hi Patrick,
Thank you for the response.
I am able to get the recording and setup configuration with log group/context and eventually view the logged records if I choose the 'webdynpro' channel.
It does not work for the 'dynpro' channel though. I start the dynpro recording
and switch over the tcode SU01 and when I ctrl+right-click, the context menu shows up with the 'Record Field' option and I choose it:
I close the application and go back to the recording and it is empty
I am guessing because the recording is empty, it does not let me create configuration in the next step.
Regaqds,
Pawan.
Hi Ravi,
Yes, You are right. SOST is a administrator tcode and you could not restrict it via auth. objects/values. That's the reason we used SOSB & SOSG to restrict the SOST transaction.
836463 SOSB/SOSG: Displaying/hiding functions (if you are above 640 this note is already present)
If you want a user is only allowed to select send requests of certain users or groups, you can use transaction SOSG. This is same as SOST, but it performs authorization check in object S_OC_SOSG instead of S_OC_ROLE. Again if you want a user to be able to only select their own send requests then use SOSB.
So I prefer to use SOSG, where the authorization object S_OC_SOSG have three fields, which you can maintain as per your requirement.
CLASS User group in user master maintenance
USER User Name in User Master Record
SENDER Authorization for displaying send requests for particular
users/user groups.
Regards,
Rafikul
Hi Team,
In SU01, i am unable to see composite roles. Only single roles are visible.
Recently system refresh happened in import/export method for User master data.
After refresh only this is happening. No authorization problems, but composite roles are not visible, but the single roles under composite roles only visible.
Please suggest, what happened and what is the resolution.
Thanks,
Sankar.
Hello Sankar, what happens if you add acomposite role to the user in su01? Can you see the user assigment in pfcg for the compsite role? regards, Bernhard