
No display authorization

Former Member
0 Kudos

Hello Experts,

I have created a User and given him SAP_ALL authorizations. Now the requirement is that the user should have all the authorizations like SAP_ALL, except he should not be able to view the source code of the program in SA38. He should be able to execute it, but not able to display the source code. Is there any role that I can create with this criteria? Please, I need your suggestions.

Thanks a lot

Regards

Vanitha

Edited by: Vanitha badampudi on Jan 8, 2009 11:07 AM

Edited by: Vanitha badampudi on Jan 8, 2009 11:08 AM

13 REPLIES 13

Private_Member_119218
Active Participant
0 Kudos

I am certain that you cannot achieve the described restriction while the user has the SAP_ALL profile assigned to him/her.

That's the entire point of SAP_ALL (and its cousin SAP_NEW).

You cannot create a role to restrict, you can only create a role to allow - SAP security uses whitelisting, not blacklisting.

0 Kudos

Two possible options:

1. Create your own SAP_ALL (copy profile SAP_ALL into a role into the profile generator and limit that); take out all change/create in S_Program.

2. Create a role with ONLY SA38 and be sure not to give other activities than display in any object. Secondly, create a role for all other access this user needs and be sure not to give wider access in any object than display as far as the objects are the same as in the SA38 role.

The second option is better; besides, one should NEVER give SAP_ALL in ANY SAP system!

Former Member
0 Kudos

Hi Vanitha,

I think you cannot restrict only display authorization while allowing the user the execute activity. While executing any program in SE38, it also checks for 03 actvt.

Regards,

Sneha

Former Member
0 Kudos

Thank you for that answer.

My question is, can I create a role which has all the authorizations except that a user cannot view the source code of a program? If there is a possibility to create a role, what should be the authorization objects that I can assign to that role apart from S_Develop?

Thank you

Regards

Vanitha

0 Kudos

I agree with Auke. SA38 will check S_PROGRAM to submit the report and not S_DEVELOP to display the source code unless the user runs a report which does that - but then the S_DEVELOP checks will kick in again.

0 Kudos

When you use SA38 and in S_PROGRAM only allow for activity submit, then there is no way of displaying.

0 Kudos

But without S_develop, it does not allow to execute any program.

0 Kudos

> But without S_develop, it does not allow to execute any program.

Not true. It will however depend on your choice of transaction (that is why the choice of transaction is important when designing roles for processes...).

Actually, even VARIANT as P_ACTION of S_PROGRAM is enough to submit it.

Cheers,

Julius

0 Kudos

But if the user wants to execute the program to Se38 only, then S_develop is mandatory. Without the S_DEVELOP authorization object it will not allow to execute the tcode too. As Julius said, "It will however depend on your choice of transaction".

Regards,

Sneha

0 Kudos

> But if the user wants to execute the program to Se38 only, then S_develop is mandatory. Without the S_DEVELOP authorization object it will not allow to execute the tcode too. As Julius said, "It will however depend on your choice of transaction".

Stated like that it is almost correct - SE38 is a report type program. The checks you are referring to happen when you start the transaction.

BTW: To tweak the concept further to meet your needs if you cannot restrict S_DEVELOP for whatever reasons, there are 2 exits which can be activated, one which will activate a check on actvt 16 of S_DEVELOP for object_type PROG... and another one in the editor with which you can do a lot more.

But generally, restricting S_DEVELOP is the best and safest route to take.

Cheers,

Julius

Edited by: Julius Bussche on Jan 8, 2009 2:00 PM

0 Kudos

Vanitha,

What steps are you planning on taking to stop the user being able to add back the access to be able to view the code? SAP_ALL without certain S_PROGRAM or S_DEVELOP authorisations will still give the user the ability to assign themselves different access, create a new user etc. They can also trash the system!

Former Member
0 Kudos

Hello Experts!,

Problem solved. I have created a role with the selection criteria and removed all the authorization objects that are not needed according to the requirement.

Thank you all for your help

Regards

Vanitha

Former Member
0 Kudos

We just need S_DEVELOP for SE38 or S_PROGRAM for SA38 to execute any program....
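
The allow-only model discussed in this thread, as an added example that is not part of the original posts and not SAP's own code: a simplified audit over constructed role data that reports which users can submit reports through SA38 and which can also display source via S_DEVELOP (OBJTYPE PROG, ACTVT 03). The role names, user names and the evaluation function are assumptions for illustration; only the authorization object and field names are SAP's.

```python
from fnmatch import fnmatchcase

# Constructed role data (hypothetical names): role -> [(auth object, {field: allowed patterns})]
ROLES = {
    "Z_SA38_SUBMIT": [
        ("S_TCODE", {"TCD": ["SA38"]}),
        ("S_PROGRAM", {"P_GROUP": ["*"], "P_ACTION": ["SUBMIT"]}),
    ],
    "Z_WIDE_COPY": [  # stands in for a copied SAP_ALL-style role
        ("S_TCODE", {"TCD": ["*"]}),
        ("S_PROGRAM", {"P_GROUP": ["*"], "P_ACTION": ["*"]}),
        ("S_DEVELOP", {"OBJTYPE": ["*"], "OBJNAME": ["*"], "ACTVT": ["*"]}),
    ],
}
# Constructed user-to-role assignments.
USERS = {
    "RUNNER": ["Z_SA38_SUBMIT"],
    "RUNNER_PLUS_WIDE": ["Z_SA38_SUBMIT", "Z_WIDE_COPY"],
}

def user_auths(roles):
    """Authorizations are additive: a user holds the union of all assigned roles."""
    return [auth for r in roles for auth in ROLES[r]]

def authorized(auths, obj, **wanted):
    """True if one authorization for obj covers every requested field value.
    A field missing from the authorization grants nothing (allow-only model)."""
    return any(
        name == obj and all(
            any(fnmatchcase(value, pat) for pat in fields.get(field, []))
            for field, value in wanted.items())
        for name, fields in auths)

def can_submit_in_sa38(auths):
    return (authorized(auths, "S_TCODE", TCD="SA38")
            and authorized(auths, "S_PROGRAM", P_ACTION="SUBMIT"))

def can_display_source(auths):
    return authorized(auths, "S_DEVELOP", OBJTYPE="PROG", ACTVT="03")

def audit(users=USERS):
    """Return {user: (can_submit, can_display)} so over-privileged users stand out."""
    return {u: (can_submit_in_sa38(a), can_display_source(a))
            for u, a in ((u, user_auths(r)) for u, r in users.items())}

if __name__ == "__main__":
    for user, (submit, display) in audit().items():
        print(f"{user}: submit via SA38={submit}, display source={display}")
```

Because there is no deny entry in this model, assigning the narrow role on top of the wide one changes nothing: RUNNER_PLUS_WIDE can still display source.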