10-22-2008 5:36 PM
Hi All,
We want to remove a t-code from a display role where the menu is not maintained.
The S_TCODE is given as *. (Full authorization)
How to go about the same? If we remove that from S_TCODE we need to add all other entries, which is very difficult.
Please advise.
Thanks,
DVRK
10-22-2008 7:16 PM
Hi Rama,
I'm new on SDN but I have been working with SAP Security for 3 years.
I think the best option is to create ranges with wildcards excluding the transaction you need to exclude.
For example, if you will need to exclude SU01, you would do this...
1) Remove * from S_TCODE
2) Add A-SU00 as first range within S_TCODE
3) Add SU02-Z as second range within S_TCODE
4) Generate
With this change, this profile will include all transactions except SU01.
Hope this helps!
<removed_by_moderator>
Regards,
CB
Edited by: Julius Bussche on Oct 23, 2008 11:19 AM
10-23-2008 7:39 AM
> I think the best option is to create ranges with wildcards excluding the transaction you need to exclude.
Oh dear, I personally think this is about the worst option
Like Julius said, better rebuild the role, after redesigning it of course. And put all required transactions in it via the menu.
One very important thing about SAP security is that it is about allowing stuff, not about denying. So giving a user all rights and taking away a few is not the road to follow. A role with * in S_TCODE should never be called a display role as it is bound to have several security loopholes in it and the same goes for a role with tcode ranges. You'll be amazed how many programs can be started through more than one transaction.
Another example of risks involved: Every time a new transaction is introduced into your system, either by your own developers or by SAP, it is automatically executable via your display role, whether it is a display transaction or not.....
Better have the users specify what they want to display and which transactions they need to do that and don't take "all" for an answer.
Jurjen
P.s.,
Carlos, asking for rewards is against forum rules.
Edited by: Jurjen Heeck on Oct 23, 2008 8:39 AM
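A small model of the two posts above (CB's A-SU00 / SU02-Z workaround and Jurjen's objection to it), added here as illustration; it is constructed example code, not from the thread or from SAP. It assumes that a range is matched by plain uppercase string comparison (low <= value <= high); the sample transaction list is constructed.

```python
# Added example, not part of the thread: model a range-based S_TCODE role
# against a menu-built allow-list role. ASSUMPTION: range values are
# compared as plain uppercase strings, inclusive on both ends.
from typing import Iterable


def in_any_range(tcode: str, ranges: Iterable[tuple[str, str]]) -> bool:
    """True if tcode falls inside at least one (low, high) range (inclusive)."""
    t = tcode.upper()
    return any(lo.upper() <= t <= hi.upper() for lo, hi in ranges)


def in_allow_list(tcode: str, allowed: Iterable[str]) -> bool:
    """Menu-built role: only explicitly listed transactions are allowed."""
    return tcode.upper() in {a.upper() for a in allowed}


# The ranges from CB's post, intended to mean "everything except SU01".
RANGE_ROLE = [("A", "SU00"), ("SU02", "Z")]
# A menu-driven display role listing what the users actually asked for
# (constructed sample).
MENU_ROLE = ["SE16", "SU01D", "FB03", "MM03"]

# Constructed sample: the excluded tcode, some display tcodes, some change
# tcodes, and a hypothetical customer transaction (ZDISP) added later.
SAMPLE = ["SU01", "SU01D", "SE16", "FB03", "FB01", "SU10", "SE38", "ZDISP"]


def compare(tcodes, ranges=RANGE_ROLE, allowed=MENU_ROLE) -> dict[str, tuple[bool, bool]]:
    """Return {tcode: (range_role_allows, menu_role_allows)} for each tcode."""
    return {t: (in_any_range(t, ranges), in_allow_list(t, allowed)) for t in tcodes}


if __name__ == "__main__":
    # Under this model the range role lets FB01 (a change transaction) and
    # SE38 through, drops SU01D (a genuine display transaction, because it
    # sorts between SU00 and SU02), and anything sorting after the bare
    # upper bound "Z", such as ZDISP, is outside both ranges as well.
    for tcode, (rng, menu) in compare(SAMPLE).items():
        print(f"{tcode:6} range-role={'allow' if rng else 'deny '}  "
              f"menu-role={'allow' if menu else 'deny '}")
```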
10-23-2008 9:05 AM
Hi,
I agree with Jurjen. It is also very dangerous to use ranges with * in the names. It is also, from a security point of view, not good to create roles with t_codes with ranges and *; an auditor will not be amused when he sees this. You can make a display role with s_tcode *, but I guarantee you that it will be a matter of time before you get violations, because such a role will be granted to users in combinations you do not want.
Bottom line, never use * or ranges in roles because you can expect trouble to be yours.
Have fun
Bye Jan van Roest
10-23-2008 10:36 AM
Hi Rama,
To exclude the tcode, you can put in a range, e.g.: if you need to exclude MN01 then you can put the range from a* to mmm* and then from mo* to z. This way you can exclude all the tcodes starting with mn.
If you want to include some other tcodes starting with mn*, then it is better to specify the tcodes in the s_tcode auth object if you are not maintaining the menus, or if you are using menus then you can specify the tcodes in the menu tab of PFCG - role maintenance.
Hope this answers your query
Best,
Suchitra
10-23-2008 11:16 AM
Suchitra,
Did you bother to read the other answers before you added yours, or are you disagreeing with us?
Come on, put in a bit more effort... and thought...
Julius
10-23-2008 12:25 PM
Hi All,
We have these roles built very long back.
There is no other option except giving the ranges as said by some of us.
So, we have proceeded in giving the range of the t-codes, skipping the t-code which we want to exclude.
What I was thinking is: is there any way to restrict the user by manipulating the user buffer area where the authorizations are stored??
Anyhow, temporarily we resolved the issue. But if anybody has better options, do share.
Thanks a lot.
DVRK
10-23-2008 12:47 PM
> We have these roles built very long back.
So, they may need some rework.
> There is no other option except giving the ranges as said by some of us.
I hope time is your only issue here......
> So, we have proceeded in giving the range of the t-codes skipping the t-code which we want to exclude.
And what do you think the users with this role can't do anymore after this action? Just curious here.
> What I was thinking is: is there any way to restrict the user by manipulating the user buffer area where the authorizations are stored??
You really do not want to go that way, unless you plan to leave this company very soon and you do not care about your reputation.
> Anyhow, temporarily we resolved the issue. But if anybody has better options do share.
The only good option is role design. You are already on a very slippery surface and there really is no way to cure that without throwing away this kind of roles and replacing them by properly designed ones.
If you search the forum you'll notice that no question about cutting corners got a satisfactory answer so far.........
Jurjen