Question:
Hello fellow knights of strong security,
I am working in an approx. 6000 User environment. The company has got a contractor who has access to the prod. box. in a nightly batch program run, a lot of spools are created under a specific background ID and with an auth. group attached to the spool. I want to give him access to only those spools. BUT: he also is able to display other spools unprotected by an auth group.
Works as designed
RIGHT solution would be to protect ALL spools by an auth. group. But that is not possible.
Any idea of OTHER solutions ???
Please share your ideas with me !
Thanks and best regards,
Stephanovich
Answer:
does he have __USER__ in S_SPO_ACT?
What values are in S_ADMI_FCD?
Answer:
The role content is as follows:
S_TCODE SP01
S_GUI 61
S_SPO_ACT ATTR,BASE,DISP,DOWN,PRNT,REDI,REPR,SEND for specific auth group
S_SPO_DEV *
S_SPO_PAGE *,*
S_ADMI_FCD SP01
that is all he has at the moment.
Answer:
Hi!
Yes I have an idea, I solved it 6 month ago.
You can add your own authorization checks to those already implemented in the authorization object S_SPO_ACT (Spool: Actions). An exit is provided for this purpose through the enhancement SPOOAUTH. Once the enhancement is activated, the function module EXIT_SAPLSPOR_001 is used for the check.
Hope I help you,
Miki