
How to restrict SP01 transaction?

Former Member
0 Kudos

Hi

Is there a way to give authorization to user A to see user B's spool requests in addition to his, and not anyone else's?

I have a user who needs to monitor the spool requests of another specific background communication-data user (which is an RFC account), through SP01.

We know that we should not give him authorization S_ADMI_FCD with value SP0R (Use of SP01, all users). With such authorization there are risks, as the user would be able to view other sensitive data such as salary information in certain spool requests.

Thanks

Reza

3 REPLIES

jurjen_heeck
Active Contributor
0 Kudos

The authorization for spool files is dependent on the information in the 'authorization' field in the 'spool attributes' shown when you double-click on a spool file.

The help text states:

"Value for authorization check

The authorization value is compared against the authorizations of the user who executes operations on this request. If the authorization is not sufficient, the operation cannot be executed. Authorization values are generally set by the program that generated the data in the spool request. If this field contains the initial value, the spool system automatically enters the user name as the authorization value. If this field is empty, no authorization check is executed."

This authorization is taken care of by the object S_SPO_ACT as far as I know. A forum search on this object should get you going.

Jurjen

Former Member
0 Kudos

The S_SPO_ACT authorisation object has field DISP, which allows users to see others' spool requests. However, you cannot restrict a user to see one specific user's spool requests and not another's. This field allows seeing all users' spool content.

Former Member
0 Kudos

Thanks Jurjen & Kinjar

I just came across Note 158487; followed it and it seems to be OK.

I granted user A authorization for the S_SPO_ACT object. For the "Authorization field for spool" field (SPOACTION), the values "BASE" and "DISP" were given, and for "Value for authorization check", the value "SAP_B" was given. (SAP_B is the SAP account for user B.)

S_ADMI_FCD still has SP0R.

User A was able to see the contents of spool requests that came from SAP_B. He was not able to see other users' spool requests though.

Cheers

Reza

Edited by: Reza Ahoui on Oct 29, 2008 10:32 AM
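
The check described in the quoted help text and the S_SPO_ACT grant from the last post, as a simplified model for reviewing role definitions. This is an added example, not SAP code and not from any poster; the account names other than SAP_B, the request ids, the grant layout and the trailing-`*` wildcard handling are assumptions.

```python
# Added illustration: a simplified model, not SAP code. Only S_SPO_ACT is
# modelled; S_ADMI_FCD (SP0R) is left out.
REQUIRED_ACTIONS = {"BASE", "DISP"}  # the SPOACTION values granted in the thread

def effective_auth_value(owner, auth_field):
    """Authorization attribute of a spool request, per the quoted help text:
    None (initial) -> the owner's user name is entered; "" stays empty."""
    return owner if auth_field is None else auth_field

def value_matches(pattern, value):
    """Assumption: a granted value is a literal or a prefix ending in '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def can_display(user, grants, owner, auth_field=None):
    """True if `user` may display the content of this spool request."""
    value = effective_auth_value(owner, auth_field)
    if user == owner or value == "":  # own request, or no check executed
        return True
    return any(
        REQUIRED_ACTIONS <= g["actions"]
        and any(value_matches(p, value) for p in g["values"])
        for g in grants
    )

def overbroad_values(grants):
    """Granted check values that cover more than one named account."""
    return [p for g in grants if "DISP" in g["actions"]
            for p in g["values"] if p.endswith("*")]

# Constructed sample data: (request id, owner, authorization attribute)
REQUESTS = [(101, "SAP_B", None), (102, "HR_BATCH", None),
            (103, "USER_A", None), (104, "PRINTSRV", ""),
            (105, "SAP_B", "HR_PAY")]  # value set by the generating program
NARROW = [{"actions": {"BASE", "DISP"}, "values": ["SAP_B"]}]
BROAD = [{"actions": {"BASE", "DISP"}, "values": ["*"]}]

def displayable(user, grants):
    """Ids of the sample requests whose content `user` may display."""
    return [rid for rid, owner, auth in REQUESTS
            if can_display(user, grants, owner, auth)]

if __name__ == "__main__":
    print("narrow:", displayable("USER_A", NARROW))
    print("broad: ", displayable("USER_A", BROAD), overbroad_values(BROAD))
```

Request 105 shows that the check follows the request's authorization attribute rather than its owner: a value set by the generating program is not covered by a grant for "SAP_B".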