Application Development Discussions
removal of t-code

Former Member
0 Kudos

Hi All,

We want to remove a t-code from a display role where the menu is not maintained.

The S_TCODE is given as * (full authorization).

How do we go about this? If we remove that from S_TCODE, we need to add all the other entries, which is very difficult.

Please advise.

Thanks,

DVRK

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Rama,

I'm new on SDN but I have been working with SAP Security for 3 years.

I think the best option is to create ranges with wildcards excluding the transaction you need to exclude.

For example, if you need to exclude SU01, you would do this:

1) Remove * from S_TCODE

2) Add A-SU00 as first range within S_TCODE

3) Add SU02-Z as second range within S_TCODE

4) Generate

With this change, this profile will include all transactions except SU01.

Hope this helps!

<removed_by_moderator>

Regards,

CB

Edited by: Julius Bussche on Oct 23, 2008 11:19 AM

9 REPLIES

Former Member
0 Kudos

Best way is to rebuild the whole role...


0 Kudos

> I think the best option is to create ranges with wildcards excluding the transaction you need to exclude.

Oh dear, I personally think this is about the worst option.

Like Julius said, better rebuild the role, after redesigning it of course. And put all required transactions in it via the menu.

One very important thing about SAP security is that it is about allowing stuff, not about denying. So giving a user all rights and taking away a few is not the road to follow. A role with * in S_TCODE should never be called a display role as it is bound to have several security loopholes in it and the same goes for a role with tcode ranges. You'll be amazed how many programs can be started through more than one transaction.

Another example of the risks involved: every time a new transaction is introduced into your system, either by your own developers or by SAP, it is automatically executable via your display role, whether it is a display transaction or not...

Better have the users specify what they want to display and which transactions they need to do that and don't take "all" for an answer.

Jurjen

P.s.,

Carlos, asking for rewards is against forum rules.

Edited by: Jurjen Heeck on Oct 23, 2008 8:39 AM
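As an added illustration (not code from the thread or from SAP), the following model evaluates an S_TCODE value list the way the accepted answer's ranges A-SU00 / SU02-Z assume, and puts that range-based role beside the explicit allow-list design Jurjen argues for. The matching rules (exact single values, trailing * as prefix wildcard, * alone as full authorization, inclusive plain-string range comparison) and the transaction names SU01D, SE16 and the constructed YDISP_NEW are assumptions for the example, not a reimplementation of SAP's check.

```python
# Added example, not code from the thread or from SAP: a small model of how an
# S_TCODE field value list is evaluated, used to compare the two role designs.
# ASSUMPTION: single values match exactly, a trailing '*' is a prefix wildcard,
# '*' alone is full authorization, and a range is an inclusive plain-string
# comparison low <= tcode <= high. This mirrors how the thread uses the ranges
# A-SU00 and SU02-Z; it is not a reimplementation of SAP's own check.


def matches_single(value: str, tcode: str) -> bool:
    """One single value: '*' = everything, 'SU*' = prefix, 'SU01' = exact."""
    if value == "*":
        return True
    if value.endswith("*"):
        return tcode.startswith(value[:-1])
    return tcode == value


def matches_range(low: str, high: str, tcode: str) -> bool:
    """Inclusive range under plain string comparison (an assumption, see above).
    Note: in this model 'ZABC' > 'Z', so an upper bound of 'Z' covers no
    transaction that starts with Z except 'Z' itself."""
    return low <= tcode <= high


def tcode_allowed(auth_values, tcode: str) -> bool:
    """True if any single value or (low, high) range in the list covers tcode."""
    for v in auth_values:
        if isinstance(v, tuple):
            if matches_range(v[0], v[1], tcode):
                return True
        elif matches_single(v, tcode):
            return True
    return False


# The accepted answer's role: "everything except SU01" expressed as two ranges.
RANGE_ROLE = [("A", "SU00"), ("SU02", "Z")]

# The design Jurjen argues for: only the transactions the users asked for.
# The list content is constructed for this example.
ALLOW_LIST_ROLE = ["SU01D", "SE16"]


def compare_roles(tcode: str) -> dict:
    """Evaluate one transaction code against both role designs."""
    return {"range_role": tcode_allowed(RANGE_ROLE, tcode),
            "allow_list_role": tcode_allowed(ALLOW_LIST_ROLE, tcode)}


if __name__ == "__main__":
    # YDISP_NEW stands for a transaction added to the system after the role was built.
    for tc in ["SU01", "SU02", "SU01D", "SE16", "YDISP_NEW"]:
        print(tc, compare_roles(tc))
```

Under these rules the range role denies SU01 as intended, but it also swallows SU01D (which sorts between SU00 and SU02) and silently grants the constructed later-added YDISP_NEW, which is exactly the objection raised above; the allow-list role grants only what was explicitly listed.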

0 Kudos

Hi,

I agree with Jurjen. It is also very dangerous to use ranges with * in the names. From a security point of view it is also not good to create roles with tcode ranges and *; an auditor will not be amused when he sees this. You can make a display role with s_tcode *, but I guarantee you that it will only be a matter of time before you get violations, because such a role will be granted to users in combinations you do not want.

Bottom line: never use * or ranges in roles, because you can expect the trouble to be yours.

Have fun

Bye Jan van Roest

Former Member
0 Kudos

Hi rama,

To exclude the tcode, you can put in a range, e.g. if you need to exclude MN01 then you can put the range from a* to mmm* and then from mo* to z. This way you can exclude all the tcodes starting with mn.

If you want to include some other tcodes starting with mn*, then it is better to specify the tcodes in the s_tcode auth object if you are not maintaining the menus, or, if you are using menus, you can specify the tcodes in the menu tab of pfcg (role maintenance).

Hope this answers your query

Best,

Suchitra

0 Kudos

Suchitra,

Did you bother to read the other answers before you added yours, or are you disagreeing with us?

Come on, put in a bit more effort... and thought...

Julius

0 Kudos

Hi All,

We have these roles built very long back.

There is no other option except giving the ranges, as said by some of us.

So, we have proceeded in giving the range of the t-codes, skipping the t-code which we want to exclude.

What I was thinking is: is there any way to restrict the user by manipulating the user buffer area where the authorizations are stored?

Anyhow, temporarily we resolved the issue. But if anybody has better options, do share.

Thanks a lot.

DVRK

0 Kudos

> We have these roles built very long back.

So, they may need some rework.

> There is no other option except giving the ranges as said by some of us.

I hope time is your only issue here...

> So, we have proceeded in giving the range of the t-codes skipping the t-code which we want to exclude.

And what do you think the users with this role can't do anymore after this action? Just curious here.

> What I was thinking is: is there any way to restrict the user by manipulating the user buffer area where the authorizations are stored?

You really do not want to go that way, unless you plan to leave this company very soon and you do not care about your reputation.

> Anyhow, temporarily we resolved the issue. But if anybody has better options do share.

The only good option is role design. You are already on a very slippery surface, and there really is no way to cure that without throwing away these kinds of roles and replacing them with properly designed ones.

If you search the forum you'll notice that no question about cutting corners has got a satisfactory answer so far...

Jurjen

Former Member
0 Kudos

Thanks to all.

We have rebuilt the required roles.

DVRK