Restricting few transactions in S_TCODE

Question: Dear All,

We have some functionals who want to access all SAP transactions except some 50 critical transactions. Now, it is very difficult for me to provide them access to almost 40,000 SAP transactions in auth object S_TCODE and then remove the critical ones. So, can you please show me a better way of restricting these users to a few values and allowing them the rest?

Thank you.

Regards

Answer:
You can enter ranges instead of the individual transactions.

For instance, if you want access to all transactions except SCC4 you would fill in the S_TCODE authorisation box with A* to SCC3 then insert a new line with SCC5 to Z*.

So it will look like:

Transaction code A*-SCC3, SCC5-Z*

Obviously, it'll be more effort to build ranges to exclude 50 transactions but it's the way I'd do it.
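The range-building described in the answer above, as an added example that is not part of the original post: it derives from-to pairs that skip a deny list and then audits any set of ranges against that list. The catalog and deny list are constructed samples, and the comparison is assumed to be plain character-wise ordering of upper-case ASCII codes, with no wildcards modelled.

```python
# Added example, not from the thread. Assumption: S_TCODE from-to ranges
# are compared character by character on upper-case ASCII codes.

# Constructed sample data; a real run would use an export of the system's
# transaction list and the auditors' deny list.
CATALOG = ["ME21N", "ME23N", "MM01", "MM02", "MM03",
           "SA38", "SCC3", "SCC4", "SCC5"]
DENIED = ["ME21N", "MM01", "MM02", "SCC4"]


def build_ranges(catalog, denied):
    """Return (low, high) pairs covering every catalog code not in denied."""
    denied = {t.upper() for t in denied}
    ranges, start, prev = [], None, None
    for tcode in sorted({t.upper() for t in catalog}):
        if tcode in denied:
            if start is not None:          # close the open range before the gap
                ranges.append((start, prev))
                start = None
        else:
            if start is None:              # open a new range after a gap
                start = tcode
            prev = tcode
    if start is not None:
        ranges.append((start, prev))
    return ranges


def in_ranges(tcode, ranges):
    """True if the code falls inside any from-to pair."""
    return any(low <= tcode.upper() <= high for low, high in ranges)


def audit(ranges, catalog, denied):
    """Return (denied codes still reachable, allowed codes left uncovered)."""
    denied = {t.upper() for t in denied}
    leaked = sorted(t for t in denied if in_ranges(t, ranges))
    missing = sorted(t.upper() for t in catalog
                     if t.upper() not in denied and not in_ranges(t, ranges))
    return leaked, missing


if __name__ == "__main__":
    generated = build_ranges(CATALOG, DENIED)
    print("generated:", generated, audit(generated, CATALOG, DENIED))
    # Hand-written ranges that only exclude SCC4, checked against the full list.
    by_hand = [("A", "SCC3"), ("SCC5", "ZZZZ")]
    print("by hand  :", by_hand, audit(by_hand, CATALOG, DENIED))
```

Re-run the audit whenever the transaction list changes, because a from-to range also admits any code created later that sorts between its endpoints.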

Answer:
Have a look at the important auth objects... for example s_develop, s_admi_fcd, s_tabu_dis, s_tabu_cli and the objects starting with s_user_*

Answer:
The auth objects are more important than the transaction codes. If the user can start a report (SA38 etc etc etc), they will be able to enter almost any transaction without having the tcode.

In fact, sometimes when they use the "esc" key, they will not even be authorized for tcodes which they do have.

Answer:
Dear All,

We have some functionals who want to access all SAP transactions except some 50 critical transactions. Now, it is very difficult for me to provide them access to almost 40,000 SAP transactions in auth object S_TCODE and then remove the critical ones. So, can you please show me a better way of restricting these users to a few values and allowing them the rest?


I would like to SERIOUSLY question that approach.

There's far more danger in authorizations than 50 TCodes. Think of "create PO" and "release PO" in one role. If you don't bother to do a serious authorization concept, you'll have money walking out of the door pretty fast.

Can these "functionals" explain to you why they'd ever need so many transactions? Surely they must be business experts in all the areas, then?

Oh the folly....

Frank.

Answer:
Authorization objects like S_TABU_DIS, S_DEVELOP etc. have already been deleted from their roles. I now have to revoke some business transactions so that no entry could be made in production by the functionals.


Thanks

Answer:
Authorization objects like S_TABU_DIS, S_DEVELOP etc. have already been deleted from their roles. I now have to revoke some business transactions so that no entry could be made in production by the functionals.


Thanks

What would they do with them in this case?

Frank.

Answer:
Our functional team wants display-only rights to user transactions and IMG, as they will be needing this in resolving day-to-day issues. They will not be able to access any transactions like PO create/release, MM01, MM02 etc., nor will they be authorized for transactions through which they could do a create/change/delete in production. There are almost 40,000-plus transactions in SAP; auditors have pointed out some 50-150 transactions that should be revoked from the functionals so that they could not create/change/delete or even access critical business documents in production. This is why I wrote here, to know if I can revoke these 50-150 transactions in S_TCODE.

I hope this clarifies why I need this.

Best regards and thanks

Answer:
Then build a display-only IMG role. It takes a bit of time but is possible. Most of the tcodes are in the cus_acth. You can list those in the role and then find the corresponding display tcode (some are "toggle" tcodes where it converts to "display" if that is all the user has). There is another table with all the S_ALRxx tcodes in it, but it causes PFCG to get hung in a non-ending loop.

Answer:
The table is cus_actobj not cus_actH
Copyright © 2007 - 2008 www.jt77.com