
SCC4 exclude from All Profile

Former Member
0 Kudos

Dear Expert ,

I want to give authorization to one user with both profiles, i.e. SAP_ALL and SAP_NEW, except SCC4.

How do I restrict SCC4 for that particular user?

Please help me

Manu

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos

Use the forum search functionality.

This is a very frequently asked question, always answered with: "you can not".

19 REPLIES 19

0 Kudos

Thanks

That means it is not possible. We can exclude that user from SCC4,

manu

Former Member
0 Kudos

Hi

These are standard SAP profiles; you can edit this.

Thanks

Raju

0 Kudos

> you can edit this.

There are quite a lot of undesirable things in SAP that are perfectly possible in a technical sense. I think we -as a group of professionals- should be careful in advising those to anyone.

Editing SAP_ALL is a big no-no, especially because it should be regenerated after every upgrade or each addition of a custom authorization object. Manual changes to SAP_ALL (should) have a very limited lifespan.

The very moment SAP_ALL doesn't suit your needs anymore it is time for an authorization concept.

Former Member
0 Kudos

Dear Manju,

You can create a role by adopting the SAP_ALL profile and then deactivating the customising object calling SCC4.

Hope this could help you.

Regards,

Amit

former_member248712
Active Participant
0 Kudos

What wrong did SCC4 do with SAP_ALL.

AB

0 Kudos

>

> What wrong did SCC4 do with SAP_ALL.

>

> AB

Exactly. That is what you give them, so that is what you get.

The ability to debug alone is sufficient to change program variables, and that is sufficient to create your own programs, regardless of SCC4.

Cheers,

Julius

0 Kudos

Thanks for your reply. But I want that he can't open my production system.

Thanks

manu

0 Kudos

Hi Manu,

Think practically: you allowed a user each and every access in your production system by giving SAP_ALL and SAP_NEW, so what's wrong in giving SCC4 access?

If you want to restrict, then create a role with all access other than SCC4 and assign it to the user. Consider that if you lock the transaction in SM01, the user can unlock the transaction and can use SCC4. So there is no option other than creating a role.

Regards

Ashok

Edited by: Ashok Dalai on Sep 27, 2008 7:14 AM

Former Member
0 Kudos

Hello Ashok,

If SCC4 is locked, even Manu can't use this TC.

We have one more problem here. The user is also getting SM01 which allows him to unlock SCC4.

Regards

Maheedhar

0 Kudos

> We have one more problem here. The user is also getting SM01 which allows him to unlock SCC4.

The able user with sufficient rights doesn't have to bother about transactions.

SAP_ALL is only to be given out to trustworthy users. Tell them not to open the system.

Security is there for people you do not trust. Build a role with the rights he/she needs and nothing else.

Trying to take something out of SAP_ALL is bound to fail. It's like trying to lock one cupboard in an office building, switching off the alarms, giving someone all the keys and leaving for the weekend. What do you expect........

Maybe we should add a new sticky thread with the title: "There are no shortcuts in SAP security!"

0 Kudos

I don't think it is only a matter of trustworthiness.

It is more a case of only having access to that which you are adequately trained to use, or at least considering that even if trusted - there are some steps which people should be prevented from doing completely because it is simply not foreseen for it to be done.

A nice example of this is that you would not want people whom you trust to (even accidentally) delete the whole database.

Cheers,

Julius

0 Kudos

>

> I don't think it is only a matter of trustworthiness.

>

> It is more a case of only having access to that which you are adequately trained to use, or at least considering that even if trusted - there are some steps which people should be prevented from doing completely because it is simply not foreseen for it to be done.

>

> A nice example of this is that you would not want people whom you trust to (even accidentally) delete the whole database.

>

> Cheers,

> Julius

But just think of the money you could save with a "trust based" system.......

You could afford to run backups every night

Former Member
0 Kudos

Though it's a mammoth task, the way around is to create a role zsap_all.

Go to Authorization tab.

Go to Edit--->Insert authorizations-->From Profile.

Search for Object s_tcode.

The value will be *.

Remove this and insert all the tcodes manually except scc4.

Again, a point to note: this won't be helpful, as the user with sap_all and sap_new can add scc4 to his own profile.

Regards

0 Kudos

2 questions for you Manas:

1) Have you read and thought about the other answers to the thread so far?

2) You wrote:

> Remove this and insert all the tcodes manually except scc4.

Have you actually tried this, or is it just a guess?

What happens in PFCG when you generate a profile for a role with more than 10000 tcodes in it?

Cheers,

Julius

0 Kudos

I agree with you, Julius.

At the beginning I therefore stated it as a Herculean task.

But if it can be done, and if at all it has to be, I am sure it will work.

Most probably you are concerned about sap_all; note I have suggested to copy the sap_all profile to zsap_all and then edit it.

Regards

0 Kudos

> But if it can be done, and if at all it has to be, I am sure it will work.

Okay, and how long would it take to enter all tcodes manually except SCC4, and would PFCG be able to generate the profiles for such a Herculean list?

Besides there is still SM30 as well, and OBVU, and some menu paths in STMS, and a whole fleet of function modules in the development workbench.

Cheers,

Julius

0 Kudos

Thanks Julius

Regards

0 Kudos

Well, as a rule of thumb, no user (even trusted or whatever) needs SAP_ALL access on any system (including dev).

If you want to have a role with full access, then it's always better to revoke critical Basis access like SC, SE, SM, ST transactions.

A user with table change access with activity value 02 and authorization group = SS (DICBERCLS field) in S_TABU_DIS and value X in S_TABU_CLI can open the client as well!

Be very careful with the SS class of tables. They are all Basis-critical tables like T000!

Some of the objects for which you have to ensure utmost restriction for non-Basis fellas on PRD environments are

S_QUERY (only actvt 23 needed)

S_DEVELOP (careful with DEBUG)

S_ADMI_FCD

S_CTS_ADMI (with value IMP, the user can import tps in production!)

S_TABU_DIS

and last but not least, check your roles for whether you can execute SCC4, SCC5 and other transactions.

You never know what a user could do!

Rgds

Deepa