topic Re: users able run tcode without access in Application Development and Automation Discussions

users able run tcode without access

Former Member — Fri, 28 Jul 2006 09:55:53 GMT

Hi All,

Some of our users are able to run transaction code AL11 with out having access to it.when i search in suim for the role which has AL11 value in S_tcode and is assigned to the user, it says no role found..but the users are able to run it...How is it possible ? I check in debugging mode, AUTHORITY-CHECK statement is successful.

Can anybody tell why this is happening so..

Thanks,

Chittaranjan

Re: users able run tcode without access

Former Member — Fri, 28 Jul 2006 10:00:33 GMT

Search alternately in P_TCODE, Q_TCODE etc.

Re: users able run tcode without access

Wolfgang_Janzen — Fri, 28 Jul 2006 10:01:13 GMT

Please check if a reference user is assigned to that user. Authorizations (contained in roles and profiles) assigned to that reference user will be "inherited" to the user.

Debugging is not possible, but tracing (using transaction ST01 - notice: this tracing is server-specific; when using load-balancing keep in mind to activate and evaluate the trace on all servers).

When starting ABAP transactions the authorization object S_TCODE (and potentially other authorization objects assigned to the transaction) is checked.

Being logged on as that user, call transaction SU56 to display the effective authorizations assigned to that user.

Re: users able run tcode without access

Former Member — Fri, 28 Jul 2006 10:56:58 GMT

I found that I have maintained values as folows..

for S_TCODE object..

to avoid giving access to AL11 ,

S_TCODE from A...............to AL10

and again from AL12*.............to OB51 .

with this users are having access to AL11...though it is not coming in any report of SUIM...

If i change it to following then..it works fine..

S_TCODE from A...............to AL10*

and again from AL12*.............to OB51 .

So, because of A*, users are having access..

Please give some input on this .I think if i maintain it as A in stead of A*...users will loose access to some tcodes in between A-AL10 .

Re: users able run tcode without access

Former Member — Fri, 28 Jul 2006 11:21:11 GMT

SAP does use the FROM -> TO logic you are trying to use here, but if you use wildcards like * then they get loaded aswell.

The auth check against S_TCODE = AL11 is satified when it finds A* in the FROM field. THe TO field only provides an end (if maintained) and does not delimit FROM even if it is maintained.

Are you sure there is nothing else (perhaps more critical than AL11 and OB52) in the range between AL12 and OB51 which you would want to restrict?

Re: users able run tcode without access

Former Member — Fri, 28 Jul 2006 12:01:52 GMT

jbussche is absolutely right, the A* needs to be replaced with "from A to AL10" if you need to use a range in this role.

As to the initial question about why a report on S_TCODE did not show a role with this transaction: The logic behind the SUIM reports works differently between different reports. My all time favourite report for this job is "S_BCE_68001423 - In Roles" - the "where-used list" looks at the S_TCODE values and picks up ranges, in a way that some of the other reports don't. S_BCE_68001420 - By Transaction Assignment for example, in the recent application of sap_basis 620_sp 58, has been renamed to say "Selection by assigned transaction in Menu". Meaning that if the tcode is on the menu it will find it, but if it has been manually maintained it won't be found

-I suppose the logical next step is SE16n > table AGR_1251 with a filter on S_TCODE, but the where used report is a quicker way of getting to the same point.

Re: users able run tcode without access

Former Member — Fri, 28 Jul 2006 16:00:42 GMT

An alternate way of checking it would be to look in ust12 searching for objct = tcode and von = AL11.

Then select all entries from ust12 where the bis field is <> nothing and query the result to return the list of auths where von is <= AL11 AND bis is >= AL11.

Then run report rsusr405 and wait about an hour.

Combine the two results and go looking in usrbf2 for any bname which has any of the combined list of auth for object s_tcode.

Re: users able run tcode without access

christian_wippermann — Mon, 31 Jul 2006 10:09:38 GMT

Hello,

are you sure AL11 is the only transaction that you do not want to assign in the S_TCODE range you assigned? I am not.

SAP auditors do not like S_TCODE ranges. These roles are not controlable. They require an unmanagable amount of manually added authorization objects. SU24 (tables USOBT_C, USOBX_C) cannot be used. As you mentioned SUIM reporting does not work properly. Finally, tools that help managing SoD (Segregation of Duties) risks have problems addressing these roles.

I would strongly suggest to get rid of roles with S_TCODE ranges.

Just my oppinion,

Christian

Re: users able run tcode without access

Former Member — Mon, 07 Aug 2006 22:20:45 GMT

If you replace the A* with A it will work. even with AL01-AL10. If you need a confirmation check with some predefined roles which holds ranges.

for example SAP_ADM_US template.

Re: users able run tcode without access

Former Member — Tue, 08 Aug 2006 02:55:12 GMT

I forgot to specify. in SAP_ADM_US template I am referring to User group range specification under S-USER_SAS object. logically specifing A instead of A* will work.

Re: users able run tcode without access

Former Member — Sun, 10 Sep 2006 13:49:02 GMT

Hey Chitta,

Just try AA* to AL10* and AL12* to OB51 in the range.

This is how it works out for me...

Let me know if its still a problem, or else if its OK then its great.

As advised earlier, use this trick only in Display all roles and u must already be aware that Auditors do hate Ranges in S_Tcode

Br,

Sri

( dont forget to award me any points if my trick is helpful)

Message was edited by: Sri Raghu Kishore Pusapati

Re: users able run tcode without access

Former Member — Mon, 11 Sep 2006 05:20:05 GMT

Hello Chitranjan,

Another way to restrict the access for AL11 is to make sure that no such user has value STOR(system trace) in authorization object S_ADMI_FCD. So even if the user has value s_tcode in AL11 unless an until he has STOR in S_ADMI_FCD he won't be able to execute it. The important thing is that S_ADMI_FCD is a critical authorization object and hence its access must really restricted for normal end users. By and large it is needed by system adminsitrators. The fact that normal endusers have easy access to S_ADMI_FCD should be an equal cause of concern. Most SOX audit companies would check for this authorization object.

regards.

Ruchit.