topic Re: Restrict Authorization in Application Development and Automation Discussions

Restrict Authorization

former_member759680 — Thu, 12 Feb 2009 05:58:07 GMT

Hello,

I have taken all precautions to restrict authorizations to users in a system, still some of them are able to execute SCC4. I think there is some report/function using which you can execute transactions which you do not have access to.

Could some one please tell me the name of that report and how I can restrict it.

Thanks.

Re: Restrict Authorization

Former Member — Thu, 12 Feb 2009 06:14:49 GMT

Hi Gautam,

Please check whether user is having access to display all tcodes, if so you need to take the tcode from s_tcode object from that role.

Check in SUIM tcode >>> transactions executable for user and check whether this tcodes exits or not.

Re: Restrict Authorization

Former Member — Thu, 12 Feb 2009 06:21:50 GMT

Make sure param rec/client is set to ALL, and check tocde SCU3 for changes to table T000.

ALL = all clients... the changes can be made from other clients...

Cheers,

Julius

Re: Restrict Authorization

former_member759680 — Thu, 12 Feb 2009 06:26:52 GMT

Julius,

The thing is he is able to access a lot of other restricted Tcodes, not just SCC4. I just wanted to know if there are any loopholes that we, as security admins should do to block these loopholes.

Re: Restrict Authorization

Former Member — Thu, 12 Feb 2009 08:45:38 GMT

Hello,

Check whether users has any super role access? If so, then he will be able to access all the T-codes.

You can create a role and add only those T-codes he/she needs acces.

Regards,

Geetha

Re: Restrict Authorization

jurjen_heeck — Thu, 12 Feb 2009 08:56:32 GMT

> Check whether users has any super role access? If so, then he will be able to access all the T-codes.

Super role? What should that be?

I'd suggest to do a complete user compare for the user, and afterwards have a look in SU01 to see which profiles are actually linked to the user. Make sure those are only the profiles belonging to your roles.

Re: Restrict Authorization

Former Member — Thu, 12 Feb 2009 20:42:50 GMT


> Julius,
> 
> The thing is he is able to access a lot of other restricted Tcodes, not just SCC4. I just wanted to know if there are any loopholes that we, as security admins should do to block these loopholes.

Which release are you on?

Assuming it is 6.40 or higher, go to tcode SUIM (or report RSUSR002) "Users by Complex selection criteria" and run it for Object 1 = 'S_DEVELOP' Activity = '16' ObjectType = 'FUGR'.

Do any of the users turn up?

Also, where are you getting this information from that they are (successfully) starting tcode SCC4? Are they also using it (making changes)?

Cheers,

Julius

Re: Restrict Authorization

Former Member — Fri, 13 Feb 2009 00:23:35 GMT

OK - I'll join this thread.

If you know it's not a SAP_ALL profile - do the following to check the offending role/roles:

1. Go to SU01->Roles and copy all the roles assigned to the user.

2. Go to SE16->AGR_1251->ROLES-> paste all the roles, OBJECT-> enter S_TCODE, VALUE-> enter SCC4 then Execute.

This should display all the roles that gives access to SSC4. You can even do ranges on the value like S* to T*. You can also run PFCG and click on transaction and enter SCC4, roles having that tcode will be displayed.

Good Luck!