Community
Application Development and Automation Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Restrict Authorization

former_member759680
Contributor

‎2009 Feb 12 5:58 AM

0 Likes
880

Hello,

I have taken all precautions to restrict authorizations to users in a system, still some of them are able to execute SCC4. I think there is some report/function using which you can execute transactions which you do not have access to.

Could some one please tell me the name of that report and how I can restrict it.

Thanks.

7 REPLIES 7
Read only

Former Member

‎2009 Feb 12 6:14 AM

0 Likes
782

Hi Gautam,

Please check whether user is having access to display all tcodes, if so you need to take the tcode from s_tcode object from that role.

Check in SUIM tcode >>> transactions executable for user and check whether this tcodes exits or not.

Read only

Former Member

‎2009 Feb 12 6:21 AM

0 Likes
782

Make sure param rec/client is set to ALL, and check tocde SCU3 for changes to table T000.

ALL = all clients... the changes can be made from other clients...

Cheers,

Julius

Read only

former_member759680
Contributor
In response to Former Member

‎2009 Feb 12 6:26 AM

0 Likes
782

Julius,

The thing is he is able to access a lot of other restricted Tcodes, not just SCC4. I just wanted to know if there are any loopholes that we, as security admins should do to block these loopholes.

Read only

Former Member
In response to Former Member

‎2009 Feb 12 8:45 AM

0 Likes
782

Hello,

Check whether users has any super role access? If so, then he will be able to access all the T-codes.

You can create a role and add only those T-codes he/she needs acces.

Regards,

Geetha

Read only

jurjen_heeck
Active Contributor
In response to Former Member

‎2009 Feb 12 8:56 AM

0 Likes
782

> Check whether users has any super role access? If so, then he will be able to access all the T-codes.

Super role? What should that be?

I'd suggest to do a complete user compare for the user, and afterwards have a look in SU01 to see which profiles are actually linked to the user. Make sure those are only the profiles belonging to your roles.

Read only

Former Member
In response to Former Member

‎2009 Feb 12 8:42 PM

0 Likes
782

> 

> Julius,
> 
> The thing is he is able to access a lot of other restricted Tcodes, not just SCC4. I just wanted to know if there are any loopholes that we, as security admins should do to block these loopholes.

Which release are you on?

Assuming it is 6.40 or higher, go to tcode SUIM (or report RSUSR002) "Users by Complex selection criteria" and run it for Object 1 = 'S_DEVELOP' Activity = '16' ObjectType = 'FUGR'.

Do any of the users turn up?

Also, where are you getting this information from that they are (successfully) starting tcode SCC4? Are they also using it (making changes)?

Cheers,

Julius

Read only

Former Member

‎2009 Feb 13 12:23 AM

0 Likes
782

OK - I'll join this thread.

If you know it's not a SAP_ALL profile - do the following to check the offending role/roles:

1. Go to SU01->Roles and copy all the roles assigned to the user.

2. Go to SE16->AGR_1251->ROLES-> paste all the roles, OBJECT-> enter S_TCODE, VALUE-> enter SCC4 then Execute.

This should display all the roles that gives access to SSC4. You can even do ranges on the value like S* to T*. You can also run PFCG and click on transaction and enter SCC4, roles having that tcode will be displayed.

Good Luck!