https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900242#M1144397 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Well S_USER_AUT controls SU02 and SU03, and deals with the profiles directly, and not the roles, S_USER_VAL controls role maintenance.</P><P></P><P>But of course if you need to secure your landscape from given debug access this object should be controlled to. </P><P></P><P>But I'm not sure on the "how-to-control-this-in-SU24" - this would, I guess, require a trace, unless somebody else can provide this little detail</P><P></P><P></P><P></P><P>Regards</P><P></P><P>Morten Nielsen</P></BODY></HTML> Wed, 10 Dec 2008 09:11:44 GMT morten_nielsen 2008-12-10T09:11:44Z https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900232#M1144387 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P> We need to prevent the security team to enable debug access via role modifications (pfcg) as well as user changes (e.g. su01/pfcg -&gt; assign roles). Could you suggest ways of achieving this restriction?</P><P></P><P>Thanks,</P><P>Vijaya</P></BODY></HTML> Mon, 08 Dec 2008 08:46:41 GMT https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900232#M1144387 Former Member 2008-12-08T08:46:41Z https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900233#M1144388 <HTML><HEAD></HEAD><BODY><P>For the role-to-user assigment part I suggest you put your 'dangerous' roles in a different namespace so you can restrict assignment through S_USER_AGR.</P><P>To avoid them putting dangerous objects/values in the roles themselves I'd suggest training.</P></BODY></HTML> Mon, 08 Dec 2008 08:58:28 GMT https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900233#M1144388 jurjen_heeck 2008-12-08T08:58:28Z https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900234#M1144389 <HTML><HEAD></HEAD><BODY><P>Hi Vijaya,</P><P>You can restrict role modification access and user maintainance access by giving only display to below authorization objetcs :-</P><P></P><P>For PFCG/Su01 - S_USER_PRO</P><P> S_USER_AUT</P><P> S_USER_GRP </P><P> S_USER_AGR Give actvt field as 03 and 08 only. </P><P></P><P></P><P>Regards,</P><P>Sneha</P></BODY></HTML> Mon, 08 Dec 2008 09:04:19 GMT https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900234#M1144389 Former Member 2008-12-08T09:04:19Z https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900235#M1144390 <HTML><HEAD></HEAD><BODY><P>&gt; You can restrict role modification access and user maintainance access by giving only display to below authorization objetcs :-</P><P></P><P>And afterwards, what do you pay them for? That'll block them from doing their job alltogether......</P><P></P><P>In addition to my earlier reply, S_USER_AUT makes it possible to restrict the entering of S_DEVELOP alltogether. Unfortunately this blocks more that just debug rights.</P><P></P><P>Edited by: Jurjen Heeck on Dec 8, 2008 10:32 AM</P></BODY></HTML> Mon, 08 Dec 2008 09:13:07 GMT https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900235#M1144390 jurjen_heeck 2008-12-08T09:13:07Z https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900236#M1144391 <HTML><HEAD></HEAD><BODY><P>This message was moderated.</P></BODY></HTML> Mon, 08 Dec 2008 10:27:51 GMT https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900236#M1144391 Former Member 2008-12-08T10:27:51Z https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900237#M1144392 <HTML><HEAD></HEAD><BODY><P>&gt; </P><PRE><CODE><P></P><P>&gt; In addition to my earlier reply, S_USER_AUT makes it possible to restrict the entering of S_DEVELOP alltogether. Unfortunately this blocks more that just debug rights.</P><P>&gt; </P><P></P></CODE></PRE><P>S_USER_VAL could be used I suppose, it would be a nightmare to get it working to exclude just debug access though</P></BODY></HTML> Mon, 08 Dec 2008 10:45:08 GMT https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900237#M1144392 Former Member 2008-12-08T10:45:08Z https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900238#M1144393 <HTML><HEAD></HEAD><BODY><P>&gt; S_USER_VAL could be used I suppose, it would be a nightmare to get it working to exclude just debug access though</P><P>Thanks for that. </P><P>I agree on the nightmare remark.</P></BODY></HTML> Mon, 08 Dec 2008 10:51:44 GMT https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900238#M1144393 jurjen_heeck 2008-12-08T10:51:44Z https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900239#M1144394 <HTML><HEAD></HEAD><BODY><P>I think you should be able to restrict the Object Type field without too much effort, and removing it completely may be advisable anyway. Combining it with more granular activity field values would probably not work though (because of the combination and use in many other objects as well).</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Mon, 08 Dec 2008 11:38:24 GMT https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900239#M1144394 Former Member 2008-12-08T11:38:24Z https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900240#M1144395 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><PRE><CODE><P>S_USER_VAL could be used I suppose</P></CODE></PRE><P> </P><P></P><P>This is correct if your are facing are "training" issue here, but if you want to <STRONG>secure</STRONG> it, you will need to control SU24 as well. </P><P></P><P>The S_USER_VAL is only checked if the object is maintained manually, not if it's granted through the default values for a transaction in SU24. And it is not checked when maintaining default values in SU24.</P><P></P><P>This might ofcourse be a bug - I haven't checked the OSS for this</P><P></P><P>Regards</P><P>Morten Nielsen</P></BODY></HTML> Wed, 10 Dec 2008 08:19:46 GMT https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900240#M1144395 morten_nielsen 2008-12-10T08:19:46Z https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900241#M1144396 <HTML><HEAD></HEAD><BODY><P>Hello Morten,</P><P>Should this not be the case for S_USER_AUT as well, i.e. if the object S_DEVELOP is defaulted by SU24 by addition of a transaction in the role it is not going to restrict the security admin from generating the role?</P></BODY></HTML> Wed, 10 Dec 2008 08:52:11 GMT https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900241#M1144396 Former Member 2008-12-10T08:52:11Z https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900242#M1144397 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Well S_USER_AUT controls SU02 and SU03, and deals with the profiles directly, and not the roles, S_USER_VAL controls role maintenance.</P><P></P><P>But of course if you need to secure your landscape from given debug access this object should be controlled to. </P><P></P><P>But I'm not sure on the "how-to-control-this-in-SU24" - this would, I guess, require a trace, unless somebody else can provide this little detail</P><P></P><P></P><P></P><P>Regards</P><P></P><P>Morten Nielsen</P></BODY></HTML> Wed, 10 Dec 2008 09:11:44 GMT https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900242#M1144397 morten_nielsen 2008-12-10T09:11:44Z https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900243#M1144398 <HTML><HEAD></HEAD><BODY><P>&gt; But I'm not sure on the "how-to-control-this-in-SU24" - this would, I guess, require a trace, unless somebody else can provide this little detail.</P><P>It looks like the concept was revised a while back already, and the maintenance checks in SU24 were replaced by S_DEVELOP checks (for object types SUSK and SUST).</P><P></P><P>According to SAP notes, the checks on S_USER_VAL are intentionally not included in the maintenance.</P><P></P><P>So... if you restrict S_USER_VAL to exclude the debugging and remove it from the "Proposal" indicators and do not assign S_USER_AGR authority for the role(s) which <STRONG>do</STRONG> have the debugging in them - then it might work (unless the user has even stronger authority to create programs of their own).</P><P></P><P>Cheers,</P><P>Julius</P><P></P><P>Edited by: Julius Bussche on Dec 10, 2008 11:12 AM</P></BODY></HTML> Wed, 10 Dec 2008 10:10:13 GMT https://community.sap.com/t5/application-development-and-automation-discussions/restrict-providing-debug-access/m-p/4900243#M1144398 Former Member 2008-12-10T10:10:13Z