04-08-2010 12:06 PM
Dear Team,
I have given STMS authorization to one of our Sr. ABAPers.
Now I want to restrict him so that he can do only workbench requests, not customizing requests.
I have given the object S_TRANSPRT, and in it the request type DTRA.
But now he is able to do both transports (workbench & customizing).
How do I stop him from doing customizing requests?
regards
Sunil
04-08-2010 2:03 PM
Hi,
Please give us more information on your question.
Do you want the user to import only workbench requests in STMS? Or
do you want to allow the user to create only workbench requests?
For the first option above, I am not sure whether we have such a restriction.
For the second option, the object you have provided and the options are right. Please check if the user has other roles providing him/her the access.
Regards,
Gowrinadh
04-08-2010 12:31 PM
S_TRANSPRT --> DTRA is for creating workbench requests, but in the import queue it will mainly check authorization for object S_CTS_ADMI, where there is no restriction for customizing or workbench.
You can try the below. Don't provide even display access to the user for S_TRANSPRT --> CUST.
User might not be able to view customizing request. I guess, not sure.
Best of luck !!!
Arpan
04-08-2010 5:08 PM
Hi,
I want him to be able to transport only workbench requests in STMS, not customizing.
In our company one is the functional head and one is the ABAPer head.
So I want to make a role so that they can each transport only their own requests, not cross over, in QAS and PRD.
regards
04-08-2010 7:24 PM
To be honest, I think only your Basis team should have access to import the transport requests in your QA or PRD systems, and not somebody from the functional team or any developer. This way you would maintain SOD conflict and keep Auditors at bay.
In the Development system, functional members should have access to create and possibly release their customizing transport requests, and the developers should have access to create and possibly release their workbench requests.
04-08-2010 9:18 PM
Hi,
As far as I know, there is no such restriction available through objects. I see your point in wanting to separate the two possibilities.
There is a solution: you can perform a periodic review to see that they are not importing other types of requests.
If not, you can modify the user exits to add an additional authorization check before they import the transport.
Also, transport imports can be limited to Basis; however, Basis will not have enough knowledge of what the transport is carrying and what impact it will have on QAS or PRD. It mainly depends on client requirements.
Regards,
Gowrinadh
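The periodic review suggested in the reply above could look like the following; this is an added example, not part of the original thread. The CSV column layout, the user names and the per-user policy are assumptions constructed for illustration, not an SAP export format.

```python
import csv
import io

# Constructed sample of an import-history export. The column layout is
# hypothetical; adapt it to whatever your transport history report produces.
SAMPLE_EXPORT = """\
request,request_type,imported_by,target_system,imported_on
DEVK900101,workbench,ABAP_HEAD,QAS,2010-04-08
DEVK900102,customizing,ABAP_HEAD,QAS,2010-04-08
DEVK900103,customizing,FUNC_HEAD,PRD,2010-04-09
DEVK900104,workbench,FUNC_HEAD,PRD,2010-04-09
DEVK900105,customizing,BASIS_ADM,PRD,2010-04-10
DEVK900106,workbench,UNKNOWN_USR,QAS,2010-04-10
"""

# Hypothetical policy: request types each importer is expected to move.
ALLOWED_TYPES = {
    "ABAP_HEAD": {"workbench"},
    "FUNC_HEAD": {"customizing"},
    "BASIS_ADM": {"workbench", "customizing"},
}


def review_imports(export_text, allowed=ALLOWED_TYPES):
    """Return (request, user, target, reason) for every import outside policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["imported_by"].strip().upper()
        rtype = row["request_type"].strip().lower()
        if user not in allowed:
            reason = "importer not covered by policy"
        elif rtype not in allowed[user]:
            reason = f"{rtype} import not permitted for this user"
        else:
            continue  # import matches the policy, nothing to report
        findings.append((row["request"], user, row["target_system"], reason))
    return findings


if __name__ == "__main__":
    for request, user, target, reason in review_imports(SAMPLE_EXPORT):
        print(f"{request} -> {target} by {user}: {reason}")
```
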
04-19-2010 11:03 PM
Sunil,
I strongly recommend that only the BASIS or "Transport Admins" have access to transaction 'STMS' on the system. There are no detailed authorization checks like in SE09/SE10 for controlling Display/Create/Release via the S_TRANSPRT object. It's my understanding that only S_CTS_ADMI will be checked for moving transports.
This one might be better resolved by process/procedures rather than security.
Thanks,
Matt
04-20-2010 7:56 AM
You can also investigate available third-party products which are recommended by SAP to see if the requested functionality is available.
http://ecohub.sdn.sap.com/irj/ecohub/solutions?query=transport
regards,
Gowrinadh