Question:
Hi,
I ceated a test role with only one transaction scc4. Then I went to PFCG authorisation tab and various tables to see the results.
Let me summarise what I should see first:
1. su24 first screen corresponds to usobx_c, where Y matching C/M, X matching C.
2. su24 "filed values" corresponds to usobt_c. only default values for C/M objects.
3. PFCG corresponds to su24 with the C/M objects filled with default values(green) or in yellow to be maintained.
--- Is the above statement correct?
What I saw is:
1. usobx_c: s_develop and s_tcode with X, s_tabu_cli and s_tabu_dis with Y. SU24 seems correct.
2. usobt_c: s_tabu_cli unmaintained; s_tabu_dis with 01, 02 and 03 for SS.
SU24 field values seem correct too.
3. in PFCG, I saw B_ALE_CGRP in AAAB was brough in unmaintained in yellow and s_tcode with value scc4 in green. no s_develop bringing in.
My questions:
1. since s_develop is C in su24, so shouldn't be brough in PFCG, which is correct.
2. but why s_tcode with C was brought in even with a default value scc4?
3. why B_ALE_CGRP was brought in as well?
Answer:
1. since s_develop is C in su24, so shouldn't be brough in PFCG, which is correct. Only authorization objects except S_TCODE with C/M are brought into PFCG
2. but why s_tcode with C was brought in even with a default value scc4?
3. why B_ALE_CGRP was brought in as well?
Answer:
1. since s_develop is C in su24, so shouldn't be brough in PFCG, which is correct. Only authorization objects except S_TCODE with C/M are brought into PFCG
2. but why s_tcode with C was brought in even with a default value scc4? you placed the tcode in the menu so S_TCODE is filled from there, the S_TCODE in SU24 is if you need an additional tcode you do not want in the menu.
3. why B_ALE_CGRP was brought in as well? if the column C/M was marked it was brought in.
The values in SU24 are not 100% accurate and need to be adjusted to meet your control needs and to correct the errors. If the tcode uses S_DEVEOP then you have to add it if it does not there is not need for it, a test of the role will tell you or a ST01 Authorizaiton trace will also show what is checks for the PATH you took in the tcode , not all authorizations,
Answer:
Hi John,
As always, my greate appreciation of your kind help.
just for 3), B_ALE_CGRP was not in su24 or usobt_c or usobx_c at all. I am wondering why this was brought in.
Answer:
Even though this topic is quite old, someone may be interested in the answer:
B_ALE_CGRP was brought in as well because SCC4 is a parameter transaction to SM30. You can see it from the SU24 transaction list (column Tcode (original)).
If you have a look at the values for SM30 you will detect object B_ALE_CGRP marked as C/M (in basic release 4.6b).
Parameter transactions inherit the objects and field values from the called transaction as far as they are not overwritten by the definitions for the parameter transaction itself.