2013 Apr 17 5:37 AM
Hi There,
I have seen the following values for the field TCD of the authorization object S_TCODE (Transaction Code Check at Transaction Start):
' '
'FDT_SHOW_DB'
Does anyone know what those values mean when used in S_TCODE ?
For the first value (single quote + space + single quote), it seems that it does not allow you to start any transaction.
For the second value (FDT_SHOW_DB inside single quotation marks), it seems that it allows you to start transaction FDT_SHOW_DB. So the question here is that why we put the single quotation marks around the transaction name?
Could someone please explain ?
Regards,
Goodyear
2013 Apr 17 9:49 PM
I agree with Julius, it looks like someone has entered them incorrectly (manually or programatically)
How old are the roles?
2013 Apr 17 9:26 PM
This must be coming from your own code, so from the trave you van navigate to the source and from there find the developer...
Cheers,
Julius
2013 Apr 17 9:49 PM
I agree with Julius, it looks like someone has entered them incorrectly (manually or programatically)
How old are the roles?
2013 Apr 17 11:06 PM
Hi Julius, Alex,
I am pretty new to the SAP authorization topics so please bear with me if I am asking something that is obvious to you guys.
Are you guys saying that those values should not be there ?
I understand that the value ' ' in authorization values are for the system to check against DUMMY in the ABAP statement AUTHORITY-CHECK. Since authorization object S_TCODE is for the system to check against when user starts a transaction, I really don't see the how/why ' ' can be used here.
I don't know where the ' ' came from in my roles.
The value 'FDT_SHOW_DB' seems to be the default value defined in tables USOBT and USOBT_C. When I created a role and added the transaction FDT_SHOW_DB to my role, the role generator automatically add the authorization obect S_TCODE to my role and set the values FDT_SHOW_DB and 'FDT_SHOW_DB' to the field TCD.
Regards,
2013 Apr 18 12:10 PM
If they are in the role as standard status auths, then they came from Su24. Check the where-used-list.
In SU24 for the transaction proposing it, you can compare to SAP values (SU22). If they are from SAP, then you should report it to SAP and not to SDN... 🙂
Cheers,
Julius
2013 Apr 19 11:47 AM
in addition to Julius...:
sigh....
the wrong proposal for FDT_SHOW_DB is coming from SAP...
This has definitely to be reported to SAP (component = BC-SRV-BR )
Regarding the empty (' ') value: if it is not inserted from SU24 like the FDT_SHOW_DB -value, please check KBA 1524185. (...if you are talking about an S_TCODE authorization with status 'Standard' ).
to check from which proposals values are inserted into pfcg you can use the where-used function in PFCG - its behind the 'mountain with sun' button next to the auth-name (first set your settings through the menu-options to display all the buttons...Menu-Utilities-Settings->check all fields)
b.rgds, Bernhard
2013 Apr 19 11:52 AM
Regarding ' ', a possibility is also that the S_TCODE is standard but yellow. This happens to SPRO_ADMIN roles and upload / download roles between different component type systems.
To solve it you have to find the non-existing tcode(s) in the menu and delete them.
Then it will turn green.
Cheers,
Julius
2013 Apr 22 3:10 AM
Hi Bernhard, Julius,
Thank you very much for your replies. They are really helpful and I appreciate your help very much.
So to conclude:
1) The values ' ' and 'FDT_SHOW_DB' should not be in the values for the field TCD of authorization object S_TCODE.
2) The reason that they sometimes do appear could be due to SU24 proposal, our own code or SAP note 1524185.
Regards,
Goodyear