Question:
Dear SAP security fan club,
I have some issues to ask all for the solution.
We would like to restrict using SE16 so we try to create SAP query to get data from simple table such as BKPF. We assign a new t-code to that SAP query to use this one instead of SE16. Unfortunately, we found that we can't control authorization in SAP query. For example we can't restrict user to run data only his/her company. If the users can use the query, they can get data from others company also. Anyone has idea to control authorization for this case.
Best Regards,
Answer:
Do not use Query.
You should not be running reports in query directly off BKPF you MUST use the logical database provided by SAP to get the correct answer. In the Logical database SAP builds in AUthorizaiton checks so you can control on Company code and restrict access.
Answer:
If you want to restrict line items through SE16 you can do this via S_TABU_LIN (depending on the release you are working on)
It will take a while to set up and in many cases there are easier ways to get the info. There is not a lot of documentation out there about it but the object documentation should be enough to get you going if you really want to do it this way
Answer:
Listen to John. Get away from users running manual queries on production data. Get an ABAP written, use the logical database, or have them pull data to BW. SE16 in production is resource intensive, and a big smackdown is coming from the audit department if endusers are utilizing it in production.
_________________
"SOX.. hmm .. Aren't they the baseball teams in Boston and Chicago?"
Kind Regards,
IamEvilHomer
(Wayne)
Answer:
Dear All,
Yes. Now we were forced from auditor to remove t-code SE16 from users because of this t-code can see data from any company or sale organization without authorization control. So I try to find solution instead of SE16. We would not like to create more programs. Because if I choose this way it will load for us to create program for each table. For your advise to use S_TABU_LIN to control line item, it 's great if we can success with this because we will not modify more ABAP program. Can you give me where website we can search to get info. to set up this?
Best Regards,
Answer:
There is not a lot of info around on S_TABU_LIN.
You may find something if you use the search on this site. Alternatively the info provided for the auth object (e.g. via Su21) may give you something to work with.