-
Products and Technology
By Category
-
Groups
Activity Groups
Industry Groups
Influence and Feedback Groups
Interest Groups
Location Groups
Customer Only Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
Products
Learning and Support
-
- Products and Technology
- Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
- Explore SAP
-
Products
- Products
- SAP Business Suite
- Artificial Intelligence
- Business applications
- Data and analytics
- Technology Platform
- Financial Management
- Spend Management
- Supply Chain Management
- Human Capital Management
- Customer Experience
- SAP Business Network
- View products A-Z
- View industries
- Try SAP
- Partners
- Services
- Learning and Support
- About
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Tcode in a role
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2009 Sep 19 12:48 AM
- SAP Managed Tags
- Security
Hello Gurus,
I'm trying to delete a tcode vk11 from a role.
To find which all role has this tcode, i used SUIM.
Under one role i found this tcode in s_tocde field, but when i assigned this role to a dummy user( without removing the tcode)
I was not able to execute tcode VK11. It says you are not authorized.
Should I still remove this tcode from a role or its ok to leave it there?
Thanks for your help!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2009 Sep 19 3:25 PM
- SAP Managed Tags
- Security
Hello
If you look into Jurjen Heeck suggestion,he is correct,adding Tcode manually under S_TCode does not associted Auth object to execute the transaction. this will terminate immideatly. this might be added manually because other tcode in that rolemight be calling this code internally ,so instead of adding that tcode in Menu it has been added underS_TCODE.
Please check with your role owners to test the role after removing VK11 to test dependency is there or not, if dependency is there you need to have it,if not you can remove it..
Thanks,
Prasant K Paichha
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2009 Sep 19 3:06 AM
- SAP Managed Tags
- Security
Is the profile generated for that role ?
If the tcode is in S_TCODE auth object then you should be able to execute it.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2009 Sep 19 6:40 AM
- SAP Managed Tags
- Security
> If the tcode is in S_TCODE auth object then you should be able to execute it.
Some transactions (or rather programs) fail immediately after starting because other required authorizations are missing.
So technically you may be able to start it but it can still appear as if it didn't start at all because the initial screen failed to load. This is when the message becomes confusing.
SU53 and/or ST01 may help in your research.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2009 Sep 19 6:58 AM
- SAP Managed Tags
- Security
Hint : Check the SE93 for that transaction code..... there is an option to enter authorization object (Table TSTCA), when a transaction is executed, after S_TCODE check, second check is against that entry (if there is any) and then whatever "AUTHORITY CHECKS" are there in the program...
Cheers !!
Zaheer
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2009 Sep 19 4:07 PM
- SAP Managed Tags
- Security
>
> > If the tcode is in S_TCODE auth object then you should be able to execute it.
> Some transactions (or rather programs) fail immediately after starting because other required authorizations are missing.
>
> So technically you may be able to start it but it can still appear as if it didn't start at all because the initial screen failed to load. This is when the message becomes confusing.
>
> SU53 and/or ST01 may help in your research.
Thanks Jurjen ...now I remember that, we had this problem with a t-code when we were installing Informatica...thanks again.
but for the OP question, I tried with manually adding VK11 and it works..atleast the first screen load..so for his issue my guess is profile is not generated.......but then I may just be speculating.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2009 Sep 19 3:25 PM
- SAP Managed Tags
- Security
Hello
If you look into Jurjen Heeck suggestion,he is correct,adding Tcode manually under S_TCode does not associted Auth object to execute the transaction. this will terminate immideatly. this might be added manually because other tcode in that rolemight be calling this code internally ,so instead of adding that tcode in Menu it has been added underS_TCODE.
Please check with your role owners to test the role after removing VK11 to test dependency is there or not, if dependency is there you need to have it,if not you can remove it..
Thanks,
Prasant K Paichha
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2009 Sep 21 2:20 AM
- SAP Managed Tags
- Security
Hello Gurus,
Thank you all for your replies.
I'll search in tcode SE93 and will also research in ST01 and will post my findings here.
Thanks for the help!!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2009 Sep 21 9:02 PM
- SAP Managed Tags
- Security
Hello Gurus,
I followed your advice and found few important things to look into.
But I still have few question:
1) If the tcode is not mentioned in the S_Tcode but the authorization object( for that tcode) has a value to run the tcode, will user be able to execute that tcode?
2) In tcode SE93 I found only one authorization object for a tcode but if I look in SU24 there are many objects that are marked as yes to check if a tcode is started? (this is little confusing for me)
3) Is removing tcode from S_tcode enough to restrict a user from using it?
Again Thanks for your help !!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2009 Sep 21 10:48 PM
- SAP Managed Tags
- Security
Hi
1. It depends. If the S_TCODE check is skipped (e.g. navigating from another transaction) then you may be able to access the functionality. Most of the time the user will not be able to access the functionality provided by that specific tx.
2. SE93 is the transaction setup, the S_TCODE check and the auth object check in SE93 is hard coded. The object checks you can see in SU24 usually refer to checks which are coded in the ABAP program behind the transaction.
3. See answer to 1.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2009 Sep 21 11:13 PM
- SAP Managed Tags
- Security
Thanks Alex,
So, is it a good idea to remove the tcode entry from s_tcode when you want to remove the tcode from a role?
Or should perform some other check as well.
Edited by: Learning SAP on Sep 22, 2009 12:13 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2009 Sep 22 6:56 PM
Bluesky