Restricted use of SM66

Question: Hi Gurus,

I want to give a user restricted access to SM66. I want to restrict him from executing AL08 and SM51, which is possible via the GOTO menu.

The object S_ADMI_FCD provides combined rights under PADM, NADM etc., which allows more authorizations than required. I do not want to assign him these rights.

Is it possible?


Thks & Rgds,

Answer:
I believe your problem is that using the menu in SM66 does a CALL TRANSACTION for AL08 which does not require any authorization check at all, whereas the same user could not execute AL08 in the transaction window. The user would need S_ADMI_FCD with STOR to execute AL08 but does not need it to access it through the menu in SM66.
SM66 does not need S_ADMI_FCD to execute the initial screen but does require S_RZL_ADM 03, which AL08 does not need.
It is therefore my guess that the menu in the SM66 screen allows you to go to Global user overview, via a call transaction without an authority check because it is assumed that if you would grant a user access to SM66 they certainly would be allowed a display of AL08. Consider solutions such as SHD0 and create a custom transaction for SM66 and then disable the menu options to create a simple method for a secured Display version of the SM66. I imagine there are other options, maybe a user exit or some other custom transaction others have created for this.
_________________
Gary Morris
SAP Security Analyst/Developer
garymorris@sapsecurity.net
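
The gap described in the answer above, shown as an added example that is not part of the original post or of SAP's own code: a custom wrapper that repeats the authorization checks before the jump to AL08. The report name Z_CALL_AL08_CHECKED and the message texts are assumptions made for illustration.

```abap
REPORT z_call_al08_checked.  " hypothetical report name (assumption)

" Target of the menu jump discussed in the answer.
CONSTANTS gc_tcode TYPE sy-tcode VALUE 'AL08'.

START-OF-SELECTION.

  " Unchecked form, the behaviour the answer attributes to the SM66 menu:
  "   CALL TRANSACTION gc_tcode.
  " The caller's authorizations for AL08 are not evaluated at this point.

  " Checked form, step 1: repeat the transaction start check that applies
  " when the code is entered in the command field.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
                  ID 'TCD' FIELD gc_tcode.
  IF sy-subrc <> 0.
    " An error message in START-OF-SELECTION ends the report here.
    MESSAGE 'No authorization to start AL08' TYPE 'E'.
  ENDIF.

  " Step 2: the AL08-specific requirement named in the answer,
  " S_ADMI_FCD with the value STOR.
  AUTHORITY-CHECK OBJECT 'S_ADMI_FCD'
                  ID 'S_ADMI_FCD' FIELD 'STOR'.
  IF sy-subrc <> 0.
    MESSAGE 'Missing S_ADMI_FCD with STOR' TYPE 'E'.
  ENDIF.

  " Reached only when both checks returned sy-subrc = 0.
  CALL TRANSACTION gc_tcode.
```

A user who holds only S_RZL_ADM 03 stops at the second check, which is the result the question asks for.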
Copyright © 2007 - 2008 www.jt77.com