How to restrict use of SE38 in a single program

Question: Someone needs SE38 to execute a program and I want to restrict him to just that program. I tried to do this with S_DEVELOP and S_PROGRAM, but it seems that it is not effective. Who can tell me how to do that?

Answer:
Better to have your specific program converted to a tcode by your ABAP programmer. SE38 is usually used by developers and not by ordinary users.
_________________
maktub!
sapbc_ph

Answer:
Yes.
But I just want to restrict the power of developers.

Answer:
SE38 is for development of code and SA38 is for executing reports on a regular basis.

S_PROGRAM and the auth group control access to running the report, and S_DEVELOP controls access to maintenance of the report with a side benefit of execution (still need S_PROGRAM).

You cannot limit a developer to ONE report but to a development class.

You can control a user to ONE report by assigning an authorization group to the report, ensuring only that report has that auth group, and then limiting the user to S_PROGRAM and ONLY that auth group.
_________________
John A. Jarboe

Answer:
What you really want to do is create a new transaction (using SE93) that executes that report. Assign the new transaction to a role and assign it to a user. Don't assign SE38. You may find if you do a "where-used" that the report is already assigned to a transaction code.

Professor Jarboe's advice is ok as long as every other Type 1 program in the system has an authorization group that isn't assigned to the user. The transaction code method is a no-brainer.
_________________
bwSecurity

Answer:
A tcode is ok if the user does not have navigation ability. Controlling S_PROGRAM on a truly executable report with the auth group will ensure the user can or cannot run the report regardless of the call method.

Report RSCSAUTH will quickly let you determine which reports the user can execute given S_PROGRAM with an auth group value. Note also that all executable reports (type 1 and coded to submit) without authorization groups can be executed by a user with System->Status navigation ability and do not need SE38 or SA38 or a tcode...
_________________
John A. Jarboe
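
The gap discussed in the posts above (executable reports with no authorization group are not protected by S_PROGRAM) can be audited from an export of the program directory. This is an added example, not code from any poster in this thread; the program names, group names and user authorizations are constructed, and the wildcard matching is a simplified model of the S_PROGRAM check using the TRDIR fields NAME, SUBC and SECU.

```python
from fnmatch import fnmatchcase

# Constructed sample rows in the shape of TRDIR: program name,
# program type (SUBC, "1" = executable) and authorization group (SECU).
PROGRAMS = [
    {"NAME": "ZSALES_REPORT", "SUBC": "1", "SECU": "ZSALES"},
    {"NAME": "ZHR_PAYLIST",   "SUBC": "1", "SECU": "ZHR"},
    {"NAME": "ZOLD_CLEANUP",  "SUBC": "1", "SECU": ""},   # no auth group
    {"NAME": "ZUTIL_INCLUDE", "SUBC": "I", "SECU": ""},   # include, not runnable
]

def group_allowed(secu, auths, action="SUBMIT"):
    """Simplified S_PROGRAM check: one authorization must cover both
    the action (P_ACTION) and the program's group (P_GROUP)."""
    return any(
        any(fnmatchcase(action, a) for a in auth["P_ACTION"])
        and any(fnmatchcase(secu, g) for g in auth["P_GROUP"])
        for auth in auths
    )

def audit(programs, auths):
    """Sort executable programs into: allowed by auth group,
    unprotected (blank group, so no S_PROGRAM check), and denied."""
    result = {"by_group": [], "unprotected": [], "denied": []}
    for p in programs:
        if p["SUBC"] != "1":
            continue  # only type 1 programs can be submitted directly
        secu = p["SECU"].strip()
        if not secu:
            result["unprotected"].append(p["NAME"])
        elif group_allowed(secu, auths):
            result["by_group"].append(p["NAME"])
        else:
            result["denied"].append(p["NAME"])
    return result

# Constructed user: S_PROGRAM limited to the single group ZSALES.
USER_AUTHS = [{"P_ACTION": ["SUBMIT"], "P_GROUP": ["ZSALES"]}]

if __name__ == "__main__":
    for bucket, names in audit(PROGRAMS, USER_AUTHS).items():
        print(f"{bucket:12} {', '.join(names) or '-'}")
```

Everything in the `unprotected` bucket is reachable by a user who can submit reports, whatever their S_PROGRAM values are, so that list is the one to shrink by assigning authorization groups.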

Answer:
Navigation ability through system status requires S_DEVELOP with 03 for object type PROG (etc.). This should not be assigned to end users. There is some residual risk with production support team but the more egregiously risky type 1 programs should be controlled with authorization groups.

If you are endowed with a big security support apparatus you could assign auth groups to every type 1 program. It is very secure but it is very expensive.
_________________
bwSecurity

Answer:
Protecting the test environment is an admirable thing to do.

Using S_PROGRAM on all submittable reports... I am not convinced of the benefit yet considering the cost of administering it.

There are some you cannot protect, so why additionally protect those with okay checks in them ahead of the correct call, which reacts to the check and holds it for sudden departures or backwards navigation... i.e. the check for the user to access the screen (program) from possible navigation methods is okay in form etc?

If someone still wants to find their way around all the calls, menus, SU53 help, scripting, RFC or any one of them with an unfortunate performance, then hats off to them.

Make sure you pick it up in monitoring so that you can employ them in the security department (they are likely to be better than 99% of what the current security companies have).

Personally, I am not convinced of the incomplete benefit, considering the considerable costs.
Copyright © 2007 - 2008 www.jt77.com