2007 Jan 22 4:44 PM
Hi
Is there a way to create a profile which has access ONLY to DISPLAY programs in SE38( not to execute / create / display )
Version is R/3 4.5B
Can anyone help out?
Thanks in advance,
Manju
2007 Jan 23 12:42 PM
Hi,
You can create screen variants i.e we can define what options you can display on a particular screen. The transaction for doing this is SHD0 if I am not wrong. So I didnt get the exact meaning of a new client... But if your question is whether this changes can be made in the existing client, yes it can be done directly no need to create a new client.
But first try this in a Sandbox System and replicate them in the system where you want this changes to be effective.
2007 Jan 22 5:53 PM
Hi,
I think not... we had a similar thought and tried with having 03 values inS_DEVELOP but were unable to restrict other options in SE38.
we now use this Tcode sparingly in assignment....
Let me know if u have any other work around...
Br,
Sri
Award points for helpful answers
2007 Jan 23 3:30 AM
Hi Manju,
I thing u can do this by creating custom transaction code for those programs.
Regards,
Kiran
2007 Jan 23 5:15 AM
Hi Kiran,
If i am not wrong, does this Custom Tcode help us to View the Code ???
Generally Z Tcodes are created to Run these programms but not display it...
Correct me if i am wrong.
Br,
Sri
Award points for helpful answers
2007 Jan 23 5:37 AM
Hi,
Using the S_DEVELOP object you can control access to create or change but not execute. Probably you can go for a screen variant where you can hide the execute button so that he will not be able to see it and so will not be able to execute it.
Regards,
Manohar
2007 Jan 23 10:25 AM
Hi
If we hide the execute button, he can do it from the Menu rt !!?!!
And is it possible for customised T Code only to display without any other actions??
Or is it possible by creating a new client??
Thanks.
2007 Jan 23 12:42 PM
Hi,
You can create screen variants i.e we can define what options you can display on a particular screen. The transaction for doing this is SHD0 if I am not wrong. So I didnt get the exact meaning of a new client... But if your question is whether this changes can be made in the existing client, yes it can be done directly no need to create a new client.
But first try this in a Sandbox System and replicate them in the system where you want this changes to be effective.
2007 Jan 23 1:11 PM
Hi,
there is a pitfall: A user having S_DEVELOP / 03 to display a program, can also run it (unless it is protected by an authorization group / by S_PROGRAM) - regardless of the TCODEs he has.
[The same is true for the even more "dangerous" function modules - but there is security note 587410 available to fix this in systems below 6.40. A similar "patch" for reports is not available as far as I know.]
As a consequence there are two routes:
1) Don't give S_DEVELOP / 03 to anybody on production. Instead create a custom transaction that displays (and only displays !) reports without checking for S_DEVELOP / 03.
Access to this new transaction could be controlled via its TCODE or - if higher granularity is required - via its functionality (e.g. limiting it to Z* programs) or via an additional "Z_DEVELOP" authorization object.
2) Close the "run ABAP" access by fully deploying S_PROGRAM authorizations, i.e. by filling the authorization group of all reports. This seems to be quite a hassle. It has been discussed in this forum already ...
Hope this gives a hint.
With kind regards,
Ralf
2007 Jan 24 10:04 AM