Question:
Hi guys,
I created a role with just two transaction codes: SM50 and SM51.
When I execute SM51, to my surprise I can select the server and, via the Goto menu,
open the OSMonitor (ST06).
But I don't want the user to display the OSMonitor; that's why I created
the role with only 2 tcodes (SM50 & SM51).
My questions: 1/ Why is there no authorization check on SM51?
2/ Why, from SM51, can I execute ST06 through the menus (goto, osmonitor)?
Thx
Didier
Answer:
Why is there no authorization check on SM51?
Probably because it's not a business transaction. It's covered by S_SYSTEM profile.
Answer:
Look into SU24; you will see that the default check is only on S_ADMI_FCD, but there are a lot of checked and some unchecked objects that you can probably use.
Answer:
Dimpengi,
SM51, SM50 are only protected by the transaction code. Note that
in order to make changes there (kill processes etc.) you do need
the S_ADMI_FCD authorizations. Display access is without further
authority-checks.
If you're able to navigate through the menu to other transaction codes,
note that either (1) you have already the necessary authorizations
(e.g., S_TCODE TCD ST06) or (2) you're on an old SAP release where
call transactions did not yet trigger an S_TCODE check...
Personally, I don't see a real problem in this area. If users don't need
to get there, don't give them the transaction code. If they do need to
go there, then don't give them the (defaulted!) S_ADMI_FCD object
if you don't want them to change anything....
good luck.
regards,
Wouter
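Added example, not part of the thread: a small audit of a role's authorization values that reports whether S_TCODE already covers ST06 (exact value, trailing-* pattern or range) and whether S_ADMI_FCD came along with the role. It assumes a CSV export with the AGR_1251 columns AGR_NAME, OBJECT, FIELD, LOW, HIGH and DELETED; the role names and rows are constructed, and the value matching is a simplification of how the kernel compares values.

```python
import csv
import io

# Constructed sample in the column layout of table AGR_1251 (role authorization
# values). Role names and rows are invented for illustration.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_MONITOR_DISPLAY,S_TCODE,TCD,SM50,,
Z_MONITOR_DISPLAY,S_TCODE,TCD,SM51,,
Z_MONITOR_WIDE,S_TCODE,TCD,SM50,SM51,
Z_MONITOR_WIDE,S_TCODE,TCD,ST*,,
Z_MONITOR_WIDE,S_ADMI_FCD,S_ADMI_FCD,PADM,,
Z_MONITOR_OLD,S_TCODE,TCD,SM00,SZ99,
Z_MONITOR_OLD,S_TCODE,TCD,ST06,,X
"""

def value_covers(low, high, wanted):
    """True if one LOW/HIGH authorization value covers `wanted`.
    Simplified matching: exact value, trailing-* pattern, or LOW..HIGH range."""
    low, high = low.strip(), high.strip()
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted

def audit_roles(export_text, unwanted_tcode="ST06"):
    """Per role: which S_TCODE values cover the unwanted tcode, and which
    S_ADMI_FCD values the role carries."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["DELETED"].strip():  # assumption: a set flag means the value is inactive
            continue
        role = findings.setdefault(row["AGR_NAME"], {"tcode_via": [], "admi_fcd": []})
        if row["OBJECT"] == "S_TCODE" and row["FIELD"] == "TCD":
            if value_covers(row["LOW"], row["HIGH"], unwanted_tcode):
                role["tcode_via"].append((row["LOW"], row["HIGH"]))
        elif row["OBJECT"] == "S_ADMI_FCD":
            role["admi_fcd"].append(row["LOW"])
    return findings

if __name__ == "__main__":
    for name, f in audit_roles(SAMPLE_EXPORT).items():
        print(name, "| ST06 covered by:", f["tcode_via"] or "nothing",
              "| S_ADMI_FCD values:", f["admi_fcd"] or "none")
```

A role that lists only SM50 and SM51 comes back with both lists empty; a non-empty `tcode_via` corresponds to case (1) in the answer above, and a non-empty `admi_fcd` to the defaulted object it warns about.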