Question:
How do I keep people from using SNOTE?
Answer:
Don't give them role/profile with SNOTE in it.
_________________
Sandi
~~~~
Apparently Father Christmas, the Easter Bunny, the Tooth Fairy and Star Wars aren't real
Tuly kiwi.
Answer:
Cute, Sandi, no wonder I made you a Super Mod.
I figured out a way to do it, it is ugly but it works. In the S_TCODE authorization object, I removed the * and replaced it with 2 ranges: /0 - SNOTD and SNOTF - ZZZZZZZZZZZZZZZZZ. It seems to have done the trick.
Answer:
Cute, Sandi, no wonder I made you a Super Mod.
I figured out a way to do it, it is ugly but it works. In the S_TCODE authorization object, I removed the * and replaced it with 2 ranges: /0 - SNOTD and SNOTF - ZZZZZZZZZZZZZZZZZ. It seems to have done the trick.
yup, been there, done that in the past... ugly but works.
snowy
_________________
SapFans Moderator
NetWeaver ‘04–SAP Web AS for ORACLE certified
Search: /forums/search.php
SAP Notes: http://service.sap.com/notes
SAP Help: http://help.sap.com
Basic Rules: /forums/viewtopic.php?t=222759
Answer:
Cute, Sandi, no wonder I made you a Super Mod.
I figured out a way to do it, it is ugly but it works. In the S_TCODE authorization object, I removed the * and replaced it with 2 ranges: /0 - SNOTD and SNOTF - ZZZZZZZZZZZZZZZZZ. It seems to have done the trick.
So Sandi's advice was right then
Answer:
In a bizarre kind of way. What SAP means to add to pfcg is to allow the use of S_TCODE = * but allow for an exclusive list per role. Like we can do for a client copy by excluding tables from being copied.
Answer:
You asked the question is such a way that you got the answer you deserved.
Ask a simple question get a simple answer.
You didn't say what you'd checked. You didn't say what role/profile you wanted change which currently had the access and auths contained there-in.
Provide specific info, get a specific answer.
_________________
Sandi
~~~~
Apparently Father Christmas, the Easter Bunny, the Tooth Fairy and Star Wars aren't real
Tuly kiwi.
Answer:
In a bizarre kind of way. What SAP means to add to pfcg is to allow the use of S_TCODE = * but allow for an exclusive list per role. Like we can do for a client copy by excluding tables from being copied.
The problem with that sort of functionality is that you don't give anyone S_TCODE=* and not accept the risk that with the right object access, they can do pretty much they like. In your example of SNOTE, pulling that from a t-code range will still let the user do a whole load of other really nasty things unless you have controlled it at object level too.
Answer:
Jeepers, Sandi - how many years have we been working together? You should know me by now, if I ask "How do I keep people from using SNOTE?" you know I have been doing this for like a million years and am asking for some out-of-the-ordinary solution.
And actually AI., if you work for a consulting company, and you need to grant a sort of SAP_ALL minus some important Basis functionality role, you gave everyone as much as you can in DEV.
Answer:
Jeepers, Sandi - how many years have we been working together? You should know me by now, if I ask "How do I keep people from using SNOTE?" you know I have been doing this for like a million years and am asking for some out-of-the-ordinary solution.
And actually AI., if you work for a consulting company, and you need to grant a sort of SAP_ALL minus some important Basis functionality role, you gave everyone as much as you can in DEV.
Using your example, do your users still have access to SE38/SA38/SE84? If they do then you haven't restricted access to SNOTE
Hacking about with SAP_ALL is a bodge and nothing more. Regardless of system, users should have access to do what they need to & SAP_ALL minus a few Basis transactions pulled from S_TCODE does not give adequate control without a fair bit of additional work to support that.
Finally, I am interested that you advocate giving everyone as much as you can in Dev - maybe you work on tiny implementations where control over your development box is not deemed important, I really hope for your sake someone doesn't take liberties with all your freely given access!
Answer:
Jeepers, Sandi - how many years have we been working together? You should know me by now, if I ask "How do I keep people from using SNOTE?" you know I have been doing this for like a million years and am asking for some out-of-the-ordinary solution.
And actually AI., if you work for a consulting company, and you need to grant a sort of SAP_ALL minus some important Basis functionality role, you gave everyone as much as you can in DEV.
I don't make assumptions about anyone's experience. I answer each question based on the way it asked.
Your statements about a development system are somewhat generalised, not everyone sets up Dev the same. Some places include a copy of Prod in Dev, (this is not the main QA client) to for development and basic functional testing. If this is the case then ropey copies of SAP_ALL are not appropriate.
_________________
Sandi
~~~~
Apparently Father Christmas, the Easter Bunny, the Tooth Fairy and Star Wars aren't real
Tuly kiwi.