01-08-2009 10:06 AM
Hello Experts,
I have created a user and given him SAP_ALL authorizations. Now the requirement is that the user should have all the authorizations like SAP_ALL, except he should not be able to view the source code of the program in SA38. He should be able to execute it, but not be able to display the source code. Is there any role that I can create with this criteria? Please, I need your suggestions.
Thanks a lot
Regards
Vanitha
Edited by: Vanitha badampudi on Jan 8, 2009 11:07 AM
Edited by: Vanitha badampudi on Jan 8, 2009 11:08 AM
01-08-2009 10:22 AM
I am certain that you cannot achieve the described restriction while the user has the SAP_ALL profile assigned to him/her.
That's the entire point of SAP_ALL (and its cousin SAP_NEW).
You cannot create a role to restrict, you can only create a role to allow - SAP security uses whitelisting, not blacklisting.
01-08-2009 10:32 AM
Two possible options:
1. Create your own SAP_ALL (copy profile SAP_ALL into a role in the profile generator and limit that); take out all change/create in S_PROGRAM.
2. Create a role with ONLY SA38 and be sure not to give other activities than display in any object. Secondly, create a role for all other access this user needs and be sure not to give wider access in any object than display, as far as the objects are the same as in the SA38 role.
The second option is better; besides, one should NEVER give SAP_ALL in ANY SAP system!
01-08-2009 10:32 AM
Hi Vanitha,
I think you cannot restrict only display authorization while allowing the user the execute activity. While executing any program in SE38, it also checks for 03 actvt.
Regards,
Sneha
01-08-2009 10:34 AM
Thank you for that answer.
My question is, can I create a role which has all the authorizations except that a user cannot view the source code of a program? If there is a possibility to create a role, what should be the authorization objects that I can assign to that role apart from S_DEVELOP?
Thank you
Regards
Vanitha
01-08-2009 10:46 AM
I agree with Auke. SA38 will check S_PROGRAM to submit the report and not S_DEVELOP to display the source code unless the user runs a report which does that - but then the S_DEVELOP checks will kick in again.
01-08-2009 11:11 AM
When you use SA38 and in S_PROGRAM only allow for activity submit, then there is no way of displaying.
01-08-2009 11:31 AM
01-08-2009 12:43 PM
>
> But without S_DEVELOP, it does not allow to execute any program.
Not true. It will however depend on your choice of transaction (that is why the choice of transaction is important when designing roles for processes...).
Actually, even VARIANT as P_ACTION of S_PROGRAM is enough to submit it.
Cheers,
Julius
01-08-2009 12:50 PM
But if the user wants to execute the program to SE38 only, then S_DEVELOP is mandatory. Without the S_DEVELOP authorization object it will not allow to execute the tcode too. As Julius said, "It will however depend on your choice of transaction".
Regards,
Sneha
01-08-2009 12:53 PM
>
> But if the user wants to execute the program to SE38 only, then S_DEVELOP is mandatory. Without the S_DEVELOP authorization object it will not allow to execute the tcode too. As Julius said, "It will however depend on your choice of transaction".
Stated like that it is almost correct - SE38 is a report type program. The checks you are referring to happen when you start the transaction.
BTW: To tweak the concept further to meet your needs if you cannot restrict S_DEVELOP for whatever reasons, there are 2 exits which can be activated, one which will activate a check on actvt 16 of S_DEVELOP for object_type PROG... and another one in the editor with which you can do a lot more.
But generally, restricting S_DEVELOP is the best and safest route to take.
Cheers,
Julius
Edited by: Julius Bussche on Jan 8, 2009 2:00 PM
01-08-2009 12:55 PM
Vanitha,
What steps are you planning on taking to stop the user being able to add back the access to be able to view the code? SAP_ALL without certain S_PROGRAM or S_DEVELOP authorisations will still give the user the ability to assign themselves different access, create a new user etc. They can also trash the system!
01-09-2009 6:15 AM
Hello Experts!,
Problem solved. I have created a role with the selection criteria and removed all the authorization objects that are not needed according to the requirement.
Thank you all for your help
Regards
Vanitha
01-11-2009 1:31 AM
we just need S_DEVELOP for SE38 or S_PROGRAM for SA38 to execute any program....
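The additive ("whitelisting") behaviour discussed in this thread, as an added example that is not part of any post and is not SAP code: a simplified Python model of an authorization check over the union of a user's authorizations. The role name `SA38_SUBMIT_ONLY`, the program name `ZREPORT` and the group `ZGRP` are hypothetical, and the model only knows single values and `*`.

```python
# Simplified, constructed model of an additive authorization check.
# Each authorization is (object, {field: value}); "*" means any value.
SAP_ALL = [
    ("S_TCODE",   {"TCD": "*"}),
    ("S_PROGRAM", {"P_GROUP": "*", "P_ACTION": "*"}),
    ("S_DEVELOP", {"OBJTYPE": "*", "OBJNAME": "*", "ACTVT": "*"}),
]

# Hypothetical restricted role: SA38 only, submit only, no S_DEVELOP at all.
SA38_SUBMIT_ONLY = [
    ("S_TCODE",   {"TCD": "SA38"}),
    ("S_PROGRAM", {"P_GROUP": "*", "P_ACTION": "SUBMIT"}),
]


def value_matches(granted, requested):
    """A granted field value covers the request if it is '*' or identical."""
    return granted == "*" or granted == requested


def authority_check(user_auths, obj, **fields):
    """Pass if ANY single authorization of the object covers ALL requested fields.

    There is no 'deny' entry: adding roles can only widen the result.
    """
    for auth_obj, auth_fields in user_auths:
        if auth_obj != obj:
            continue
        if all(value_matches(auth_fields.get(k), v) for k, v in fields.items()):
            return True
    return False


def can_submit_via_sa38(auths, group="ZGRP"):
    """Start SA38, then submit a report belonging to an authorization group."""
    return (authority_check(auths, "S_TCODE", TCD="SA38")
            and authority_check(auths, "S_PROGRAM", P_GROUP=group, P_ACTION="SUBMIT"))


def can_display_source(auths, program="ZREPORT"):
    """Display source: S_DEVELOP with object type PROG and activity 03."""
    return authority_check(auths, "S_DEVELOP",
                           OBJTYPE="PROG", OBJNAME=program, ACTVT="03")


if __name__ == "__main__":
    for name, auths in [("SAP_ALL + restricted role", SAP_ALL + SA38_SUBMIT_ONLY),
                        ("restricted role only", SA38_SUBMIT_ONLY)]:
        print(name, "| submit:", can_submit_via_sa38(auths),
              "| display source:", can_display_source(auths))
```

Assigning the restricted role on top of SAP_ALL changes nothing, because the check passes as soon as any one authorization matches; only removing SAP_ALL makes the source display check fail.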