Roles with Change Access to Table Maintenance

Former Member · ‎12-17-2008

Hello,

We have many roles that have S_TABU_DIS-Table Maintenance, 02-Change access, *-Auth. Group. Many of these roles have very few transactions and are not Basis\Development related. My questions are what transactions do I need to make sure these roles don't have to so they can't change data in Tables? I know SM30 and SE16, any others? Also second question, should I be worried if these roles do not have the access to start these transactions but do have the access given in the S_TABU_DIS object?

Thank You,

Alex

Private_Member_119218 · ‎12-17-2008

1. Asides from SM30 and SE16 you already mentioned, 'SE16N' and 'N' come to mind. Maybe there are others.

2. Yes. You should be worried. Users could get authorizations for any of the aforementioned transactions from another role and get authorization to change all the tables from this role. Bad Stuff.

I suggest that you figure out why exactly these roles includes S_TABU_DIS object with change authorizations for all table groups. Once you have that figured out - you can take appropriate actions. In my mind, it would be very hard to justify having S_TABU_DIS with 02/* in any role.

Former Member · ‎12-17-2008

Just to add to the above.... the S_Tabu_Dis also contains HR tables and could allow users with SE16 to view things such as EEO complaint tables. We had a similar problem and this can be costly if sensitive data is compromised.

Cheers

James

Former Member · ‎12-18-2008

Excellent, I thank you both for the very helpful answers.