2015 Mar 04 7:20 AM
Hi,
Recently we created a role by extracting from the SAP_ALL profile. We have deactivated many Basis and other critical Tcodes for our Dev & QTY systems by identifying the authorization objects.
But for SCC4 we want to know if there is any other way to restrict the access.
Since we created the role by extracting the profiles from SAP_ALL, S_TCODE has the * value and S_TABU_CLI has the "X" value.
- The problem is we can't deactivate or limit the usage of S_TABU_CLI:X, as we have many ZTcodes for direct maintenance which need this AO.
- At the same time, we are trying hard to restrict SCC4.
So, please suggest if there is any other alternative way to restrict Tcode SCC4, by not being able to run using the New Role.
Regards,
Satish.
2015 Mar 04 7:34 AM
You should segregate the tasks and then create the roles depending on the tasks. You can't have all in one role and then want to restrict by user.
SCC4 and other Basis-related transactions should only be in the Basis role.
2015 Mar 04 8:35 AM
First off, let me say that I fully agree with . The building block approach is the way to go when designing roles.
But if we're being practical, you could use authorization groups for tables (T-code SE54) and assign a custom auth. group to table T000. Then use this group to authorize (or actually not authorize) with object S_TABU_DIS.
Again, this is just a practical tip. The whole "create a role from SAP_ALL" thing is a totally different subject altogether.
Good luck!
Dimitri.
2015 Mar 05 7:09 AM
Hi
You can lock SCC4 access in SM01.
Some security auditors recommend locking SCC1, SCC4, SCC5.
Regards
Przemek
2015 Mar 05 9:27 AM
Hi Satish,
You can use the interval concept in S_TCODE for entering the t-code values. I am providing you a simple example:
A* to SCB*
manually enter the values from SCC1 to SCC9, excluding SCC4
then SCD* to Z*
Regards,
Deepak
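
Added example, not part of the original posts: a simplified Python model of the S_TCODE interval layout from the reply above, for checking offline which transaction codes such a layout lets through. The matching rules (trailing `*` as a prefix wildcard, inclusive uppercase string comparison for ranges) are assumptions of this model rather than SAP's own authorization check, and the function names and the `ZTEST` code are hypothetical.

```python
# Simplified offline model of S_TCODE value entries.
# Assumption: this is NOT SAP's authorization check, only an approximation
# for reviewing a planned interval layout before maintaining it in the role.
# Each entry is (low, high); high is "" for a single value.

def _split(value):
    """Return (text, is_wildcard) for a value that may end in '*'."""
    return (value[:-1], True) if value.endswith("*") else (value, False)

def entry_allows(tcode, low, high=""):
    """True if one (low, high) entry covers the transaction code."""
    tcode = tcode.upper()
    low_txt, low_wild = _split(low.upper())
    if not high:
        # Single value: exact match, or prefix match when it ends in '*'.
        return tcode.startswith(low_txt) if low_wild else tcode == low_txt
    high_txt, high_wild = _split(high.upper())
    if tcode < low_txt:
        return False
    # With a wildcard upper bound, everything starting with the prefix is inside.
    if high_wild and tcode.startswith(high_txt):
        return True
    return tcode <= high_txt

def role_allows(tcode, entries):
    """True if any S_TCODE entry of the role covers the transaction code."""
    return any(entry_allows(tcode, lo, hi) for lo, hi in entries)

# Layout from the reply: A* to SCB*, SCC1..SCC9 without SCC4, then SCD* to Z*.
INTERVAL_LAYOUT = (
    [("A*", "SCB*")]
    + [(f"SCC{n}", "") for n in range(1, 10) if n != 4]
    + [("SCD*", "Z*")]
)

def audit(tcodes, entries):
    """Map each transaction code to whether the role would allow it."""
    return {t: role_allows(t, entries) for t in tcodes}

if __name__ == "__main__":
    # Codes named in the thread plus one constructed custom code (ZTEST).
    for code, ok in audit(["SCC1", "SCC4", "SCC5", "SM01", "SE54", "ZTEST"],
                          INTERVAL_LAYOUT).items():
        print(f"{code:6} {'allowed' if ok else 'not allowed'}")
```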