2010 Jul 26 6:00 AM
Hello,
I tried searching on this forum, but could not find an answer to my question. I am an auditor and I have been assigned the following access at my company:
T-Code: SA38
S_PROGRAM: SUBMIT
Authorization: *
Based on my limited understanding, this access would give me access to execute programs. Is that correct? Is there any restrictions that would prevent me from running any programs? For example, if the program is assigned to custom t-code, would I also need access to that t-code to run the program?
I am trying to understand what this access would allow and whether there is any audit risk with having this access. Appreciate any information.
Thanks,
Dave
2010 Jul 26 9:56 PM
Dave
T-Code: SA38
S_PROGRAM: SUBMIT
Authorization: *
Based on my limited understanding, this access would give me access to execute programs. Is that correct?
Yes.
Is there any restrictions that would prevent me from running any programs?
You can restrict on auth group, instead of * (mention only those auth group, that user want to execute.
Note : There r many programs which don't have auth group. You can assign them using RSCSAUTH prg
For example, if the program is assigned to custom t-code, would I also need access to that t-code to run the program?
Not needed. it is good way to map all custom report to custom tcodes, so that we will have addtional check on S_Tcode .
I am trying to understand what this access would allow and whether there is any audit risk with having this access. Appreciate any information.
Most of the users dont need access to SE38 & SA38
Mostly in production system we dont give access to SE38 & SA38 also. On case to case issue we can assign firghter role. auditors happy.
Thanks,
Sri
2010 Jul 26 6:14 AM
SA38 is assigned to users who just want to execute the report and no source code access is reuired.
You can execute almost all the programs via this tsb until and unless there are specific checks/authorizations assigned to few objects .
2010 Jul 26 6:22 AM
2010 Jul 26 6:30 AM
HI,
Tcode SA38 is used to run programs or reports in SAP.
When SA38 added to a role menu the following objects gets added
S_PROGRAM and authorization groups.
the S_PROGRAM object contains the following values
SUBMIT - allows one to run a program.
BTCSUBMIT - allows the user to Schedule a background job for the execution of a program.
VARIANT - allows user to maintain variants for the program.
Regards,
K.Tharani.
2010 Jul 26 9:56 PM
Dave
T-Code: SA38
S_PROGRAM: SUBMIT
Authorization: *
Based on my limited understanding, this access would give me access to execute programs. Is that correct?
Yes.
Is there any restrictions that would prevent me from running any programs?
You can restrict on auth group, instead of * (mention only those auth group, that user want to execute.
Note : There r many programs which don't have auth group. You can assign them using RSCSAUTH prg
For example, if the program is assigned to custom t-code, would I also need access to that t-code to run the program?
Not needed. it is good way to map all custom report to custom tcodes, so that we will have addtional check on S_Tcode .
I am trying to understand what this access would allow and whether there is any audit risk with having this access. Appreciate any information.
Most of the users dont need access to SE38 & SA38
Mostly in production system we dont give access to SE38 & SA38 also. On case to case issue we can assign firghter role. auditors happy.
Thanks,
Sri
2010 Jul 27 12:25 AM
Hi,
> I am trying to understand what this access would allow and whether there is any audit risk with having this access.
To be able to run programs is a high risk. In some programs there are additional authorization checks. Therefore ability to run a program does not directly mean that you can really use it. But there are many programs without authorization checks. Usually, the custom reports lack authorization checks. As it was mentioned there is no reason to add access to SA38 to normal user in production environment. If some users think they need to run particular program and there is no transaction assigned to it then the best practice is to assign custom transaction code to this program and use give users access to this transaction.
Cheers
2010 Jul 28 5:52 PM