Note: This note was extended on November 12th 1996.
When authorization profile P_BAS_ALL, which is intended for HR endusers, is used, the general table display transactions (e.g. DI02) can be used to display tables from other applications.
Example: table KNA1 (authorization group VA) from application FI.
With the authorization profile P_TAB_ALL which is intended for the people who set up the HR System, you can use general table maintenance to change the contents of tables/views from other applications.
Note: The profile P_ALL also encompasses the named profile.
The profiles P_BAS_ALL and P_APL_ALL contain the authorization P_TABU_DIS (object S_TABU_DIS). Authorization groups A - O* and PB - XXXX are specified in authorization P_TABU_DIS (the assignment of authorization groups to tables is defined in TDDAT). Therefore, profiles P_BAS_ALL and P_APL_ALL enable you to display tables or views that do not belong to the PA authorization group (using the general table display tools).
The profile P_TAB_ALL contains the authorization P_TABU_ALL (object S_TABU_DIS) which allows tables/views of the authorization groups A - O* and PB - XXXX to be edited.
To restrict the display oe maintanance authorization to HR control tables, you need to limit the authorization groups in authorization P_TABU_DIS to PC and PS (all HR control tables or views should be assigned to either class PC or PS).
Procedure: Tools -> Administration -> User maintenance -> Authorization
Select item "Basis administration" from the list. Select item "Table maintenance (using standard tools like SM31)" and, from there, select authorization "P_TABU_DIS". In field "Authorization group for DD objects", enter values PC and PS (remove the areas A - O* and PB - XXXX). Then activate the authorization.
Additional key words
Security, Customizing
Keyword: authorization.
No comments:
Post a Comment