02-12-2009 5:58 AM
Hello,
I have taken all precautions to restrict authorizations to users in a system, still some of them are able to execute SCC4. I think there is some report/function using which you can execute transactions which you do not have access to.
Could someone please tell me the name of that report and how I can restrict it?
Thanks.
02-12-2009 6:14 AM
Hi Gautam,
Please check whether the user has access to display all tcodes; if so, you need to take the tcode from the S_TCODE object in that role.
Check in SUIM tcode >>> transactions executable for user and check whether this tcode exists or not.
02-12-2009 6:21 AM
Make sure param rec/client is set to ALL, and check tcode SCU3 for changes to table T000.
ALL = all clients... the changes can be made from other clients...
Cheers,
Julius
02-12-2009 6:26 AM
Julius,
The thing is he is able to access a lot of other restricted Tcodes, not just SCC4. I just wanted to know if there are any loopholes that we, as security admins should do to block these loopholes.
02-12-2009 8:45 AM
Hello,
Check whether the user has any super role access? If so, then he will be able to access all the T-codes.
You can create a role and add only those T-codes he/she needs access to.
Regards,
Geetha
02-12-2009 8:56 AM
> Check whether the user has any super role access? If so, then he will be able to access all the T-codes.
Super role? What should that be?
I'd suggest to do a complete user compare for the user, and afterwards have a look in SU01 to see which profiles are actually linked to the user. Make sure those are only the profiles belonging to your roles.
02-12-2009 8:42 PM
>
> Julius,
>
> The thing is he is able to access a lot of other restricted Tcodes, not just SCC4. I just wanted to know if there are any loopholes that we, as security admins should do to block these loopholes.
Which release are you on?
Assuming it is 6.40 or higher, go to tcode SUIM (or report RSUSR002) "Users by Complex selection criteria" and run it for Object 1 = 'S_DEVELOP' Activity = '16' ObjectType = 'FUGR'.
Do any of the users turn up?
Also, where are you getting this information from that they are (successfully) starting tcode SCC4? Are they also using it (making changes)?
Cheers,
Julius
02-13-2009 12:23 AM
OK - I'll join this thread.
If you know it's not a SAP_ALL profile - do the following to check the offending role/roles:
1. Go to SU01->Roles and copy all the roles assigned to the user.
2. Go to SE16->AGR_1251->ROLES-> paste all the roles, OBJECT-> enter S_TCODE, VALUE-> enter SCC4 then Execute.
This should display all the roles that give access to SCC4. You can even do ranges on the value like S* to T*. You can also run PFCG and click on transaction and enter SCC4; roles having that tcode will be displayed.
Good Luck!