Some of users don't have any menu, but he has a great privilege, I must let

Former Member
0 Kudos

hi

Some of the users don't have any menu, but user "user1" has a great privilege. I must block him from executing the TCD "spro,su01,su22,fs00". How can I do it?

How can I operate it in SAP ECC6?

Could you teach me step by step?

I found "Authorization object S_TCODE (transaction start) contains the authorization field TCD".

How can I delete the record in the database to block the user "user1" from executing "spro,su01,su22,fs00"? In which tables is the authorization data stored?

Thanks !

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Look at this picture:

http://picasaweb.google.com/jean.luc.hu/Sap_error#5282913258230505586

If nobody can resolve it, I think I can delete the record in the table.

Look at the picture.

Could you tell me which DB tables the "SE11,SPRO" in the S_TCODE object are stored in?

20 REPLIES

Former Member
0 Kudos

Hai,

If you want to block the users with extra authorizations other than their normal work area you can restrict their access to 'DISPLAY ONLY' to those Tcodes by identifying the authorization objects of the tcodes for which the user does not need any other activity other than DISPLAY ONLY.

You can do this from Tcode PFCG.

In your case the user in concern must be having SAP_ALL and SAP_NEW profile, that is the cause that you are not able to see the menu for those users. In this case you can create custom roles for those users according to their work area for example MM,PP or Finance...

You can effectively do this from SAP level and nothing needs to be done from DB level.

Please check the below links which will help in understanding the Architecture of Authorizations in SAP.

http://help.sap.com/saphelp_nw04/helpdata/EN/52/671285439b11d1896f0000e8322d00/frameset.htm

http://help.sap.com/saphelp_banking463/helpdata/en/5c/deaa74d3d411d3970a0000e82de14a/frameset.htm

Regards,

Yoganand.V

Former Member
0 Kudos

=>

You need to get yourself on a training course. You will save yourself (and us) a lot of trouble...

Or make extensive use of the search, read help.sap.com and get hold of an IDES system or sandbox to practice on.

Please do that.

Cheers,

Julius

Former Member
0 Kudos

Just now I wanted to edit the authorization object S_TCODE in PFCG, but I found that I can view it but can't edit it.

I think if I can edit it, then I can block the user "user1" from executing "spro,su01,su22,fs00...".

How can I edit the authorization object S_TCODE in PFCG?

In which tables is the "authorization object S_TCODE" stored?

Thanks!

0 Kudos

Hello Jean,

The object S_TCODE is not editable unless you manually enter it in the role.

It would not be worthwhile discussing this topic unless you get your basics right through some reading or training. You can also help yourself with searching the forum on similar discussion on SAP_ALL without SPRO etc. topics.

Former Member
0 Kudos

Hi,

Hello, check the corresponding roles and profiles of that particular user. If the user has no menus, it means someone restricted all menus in the table USERS_SSM. Check this table in SM30. Restrict according to their menus. I think it will be useful for you.

by

vasu

0 Kudos

In fact, nobody hid the user's menu.

0 Kudos

Do NOT delete the record at DB level.

Delete them from the role menu. I seriously recommend that you contact the person in your company responsible for SAP Security. If that is you then speak to your Basis team, they usually have a bit of understanding of role maintenance.

0 Kudos

I know it.

But up to now, nobody can resolve it.

I'm very sad.

Thanks

0 Kudos

I won't edit the record, but I would like you to tell me in which tables the S_TCODE is stored.

Thanks.

0 Kudos

They teach this in the course ADM940 as well.

0 Kudos

Why do you always ask me to study "course ..."?

I don't want to waste our money to study it.

Can't you teach me at once?

I don't want to do anything, I only would like to resolve this problem. Only to resolve the problem.

I think maybe you are poor, and you don't know how to resolve this problem.

Do you know how to resolve it? Can you teach me how to resolve it now?

Thanks!

Edited by: Jean Hawk on Dec 25, 2008 4:51 AM

0 Kudos

> Can you teach me how to resolve it now?

No. Go to your nearest car dealership and ask the mechanic to teach you how to service your car yourself, for free. See what happens.

0 Kudos

These forums are for helping each other and learning things in the process, but the threads which discuss security aspects and considerations are of better quality than the "how to..."-type questions.

But "How to" create a role without a menu plays second fiddle to "Why does" a role without a menu still work.

Based on your other related questions, I am of the opinion that you (and your SAP system) will be better off doing some training to get the fundamentals right first. That is my opinion, but you are free to ignore it if you wish to.

> I think maybe you are poor, and you don't know how to resolve this problem.

Yeah, I live in a shoe box in the middle of the road. I connect to the internet via telepathy.

Good luck,

Julius

0 Kudos

I don't want to offend anybody.

I only would like somebody to help me resolve this question.

Thanks!

0 Kudos

Have you considered / checked either of the two possibilities:

- You are not authorized to change the transaction code (object S_USER_TCD) and can only bring it in via an update of the SU22 records - I assume here that you have not performed the installation instructions correctly (SU25) and are therefore changing the SAP proposals and not your own implementation (SU24).

- You are trying to change this in a client which is of type "P" and the client settings are "closed".

If so, then these could possibly even suggest that this is correct system behaviour and not a bug. It would also suggest that someone there knows what they are doing to some extent, and should be the ones to do maintenance on this role which you are wanting to have in "change mode".

It would even make sense, so I am a bit ashamed that I did not spot it right away... poor me

Can you check those (the system client settings and your own authorization)?

Then we can proceed further in a delicate way without hurting your feelings either.

Cheers,

Julius

0 Kudos

Thanks for your help!

I've checked them.

My account has the "sap_all" profile, and nobody altered the "su22,su25,su24".

I guess the basis manager used this way: "In the PFCG, Goto menu Edit-> Add authorizations -> From profile and add the profile SAP_ALL" to assign somebody privileges two months ago.

Now I'd like to revoke some important system privileges from the role "role-sys-9".

I'd like to revoke only the "SPRO,STMS,TU02,RZ10,RZ11,SM63,SNRO,SM56,SM51,SM04,AL08,SMLG" from the role "role-sys-9". In fact, this role has almost no menu.

But I don't know how to revoke their "SPRO,STMS,TU02,RZ10,RZ11,SM63,SNRO,SM56,SM51,SM04,AL08,SMLG" privilege.

Could you teach me how to operate the SAP to finish it?

Waiting for your help!

Thanks!

0 Kudos

> Just now i would like to edit the authorization object S_TCODE in the PFCG , but i found that i can view it, i can't edit it.

Just out of curiosity I tried making a role based on SAP_ALL and the S_TCODE object was perfectly editable. So no problem whatsoever. I could not repeat your problem. (SAP NetWeaver 2004s)

You may have to build a new role instead of trying to edit the existing one.

Now, I have to start by telling you, as has been told in this forum numerous times, that SAP security is about allowing, not denying. But hey, you think education is a waste of money.........

> Could you teach me how to operate the SAP to finish it?

In my SAP_ALL based role the S_TCODE object is filled with *.

In order to revoke for instance transaction SPRO I would take out the star and replace it by two ranges: /* - SPRN and SPRP - Z*. This leaves out SPRO but does not protect your customizing in any way.

For your original problem you'll need multiple ranges. Check a proper ascii table to see the order of special characters, numbers and letters.

All this is done in transaction PFCG, in the authorizations tab, provided you are able to edit the S_TCODE values.

This is as step by step as you're going to get it from me.

Disclaimer:

This is a literal answer to the question "how to operate the SAP" but actually is very poor security. It is not really securing anything and does not make your system any better/safer than when everybody had SAP_ALL. You should create a proper role concept based on what people need to do, not what they shouldn't do. Roles based on SAP_ALL are only of use in the very first project stages.
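
The range arithmetic from the reply above, as an added sketch that is not part of the original thread: it builds the "everything except" intervals for a list of blocked transaction codes and then audits which codes a role would still start. It assumes plain ASCII string ordering and that a trailing `*` on a bound matches any suffix; the function names and the sample list are constructed for illustration.

```python
# Added illustration: S_TCODE range values modelled as ASCII string intervals.
# Assumption: a trailing "*" on a bound matches any suffix; the real
# evaluation in a given SAP release or code page may differ.

def in_range(tcode, low, high):
    """True if tcode lies inside the inclusive interval low..high."""
    if tcode < low.rstrip("*"):
        return False
    if high.endswith("*"):
        prefix = high[:-1]
        return tcode[:len(prefix)] <= prefix
    return tcode <= high

def neighbour(tcode, step):
    """Swap the last character for its ASCII neighbour (SPRO -> SPRN / SPRP)."""
    return tcode[:-1] + chr(ord(tcode[-1]) + step)

def ranges_excluding(blocked, first="/*", last="Z*"):
    """Intervals from `first` to `last` that skip every code in `blocked`."""
    ranges, low = [], first
    for code in sorted(c.upper() for c in blocked):
        high = neighbour(code, -1)
        if low.rstrip("*") <= high:      # drop empty intervals (adjacent codes)
            ranges.append((low, high))
        low = neighbour(code, +1)
    ranges.append((low, last))
    return ranges

def audit(ranges, tcodes):
    """Map each transaction code to True if any interval would allow it."""
    return {t: any(in_range(t.upper(), lo, hi) for lo, hi in ranges)
            for t in tcodes}

# Constructed sample: the four codes from the original question, plus codes
# that should stay startable and two that get caught as collateral.
BLOCKED = ["SPRO", "SU01", "SU22", "FS00"]
SAMPLE = BLOCKED + ["SE11", "SM30", "ZTEST", "SU01D", "SPRO_ADMIN"]

if __name__ == "__main__":
    role_ranges = ranges_excluding(BLOCKED)
    for lo, hi in role_ranges:
        print(f"{lo} - {hi}")
    for tcode, ok in audit(role_ranges, SAMPLE).items():
        print(f"{tcode:12} {'allowed' if ok else 'blocked'}")
```

Codes that sort between a blocked code and its successor, such as SU01D and SPRO_ADMIN, fall into the gap as well, which is one more reason the audit step matters before such a role is assigned.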

0 Kudos

OK, I see.

Before I insert the template profile:

http://picasaweb.google.com/jean.luc.hu/Sap_error#5284068795025448210

After I insert:

http://picasaweb.google.com/jean.luc.hu/Sap_error#5284068787582798034

Thanks very much!

Edited by: Jean Hawk on Dec 26, 2008 3:36 PM

former_member184657
Active Contributor
0 Kudos

If you can't help yourself by putting in a little effort, how do you expect others to help you for no good reason??

pk