Question:
Hi,
We found that when a user calls a transaction, it may fail due to lacking another transaction in the background being called. SU53 shows no this tcode in s_tcode. If the security to be rolled out, it would be too frustrated if every time we can discover this only by asking users to run su53.
How should we address such problems? can we add the background tcode to s_tcode in table USOBT_C, so that this background tcode will be added in PG whenever we add the main transaction in the menu?
Appreciate your thoughts on this matter.
Answer:
Working as designed SU53 IS the way for th euser to communicate to you what is wrong. If there is a batch job ( background) you can run a ST01 authorization tace or read SM21 or St22 for some clues.
But as a security person you should be unit testing the role and finding these "SU53" before you turn it over to the user. You can also give the user broad access and have them run the tcode in development with a ST01 authorization trace turned on and find most of the authorization objects required.
Your options in configuring SU25 are two 1. you can add the tcode to S_TCODE for the Calling tcode in SU24 OR you can configure SE97 NOT to check S_TCODE for the called tocde if called by the Calling tcode.
Answer:
Hi John,
are you sure it is se97? My system doesn't have se97. my system is 46B
Answer:
SE97 may be a 4.6c+ option you can try SM30 table TDCOUPLES
Answer:
SE97 may be a 4.6c+ option you can try SM30 table TDCOUPLES
I even searched TDC* no such a table in data dictionary
Answer:
the table is TCDCOUPLES
Answer:
SE97 may be a 4.6c+ option you can try SM30 table TDCOUPLES
Are u saying that TCDCOUPLES contain the list of called tcodes that the calling tcode is calling?
Answer:
TCDCOUPLES contains the list of transaction codes which are trusted if called by the calling transaction. I.e. they are a couple.
See for example the couples of the infidel STMS. Then take a look at the menus of STMS's screens and test the transactions you can call, without tcode check or auth object check at Tcode start.
The real checks are in the code.
Ned