Restrict Authorization

former_member759680
Contributor
0 Kudos

Hello,

I have taken all precautions to restrict authorizations to users in a system, still some of them are able to execute SCC4. I think there is some report/function using which you can execute transactions which you do not have access to.

Could someone please tell me the name of that report and how I can restrict it?

Thanks.

7 REPLIES 7

Former Member
0 Kudos

Hi Gautam,

Please check whether the user has access to display all tcodes; if so, you need to take the tcode out of the S_TCODE object in that role.

Check in tcode SUIM >>> Transactions executable for user and check whether this tcode exists or not.

Former Member
0 Kudos

Make sure param rec/client is set to ALL, and check tcode SCU3 for changes to table T000.

ALL = all clients... the changes can be made from other clients...

Cheers,

Julius

0 Kudos

Julius,

The thing is he is able to access a lot of other restricted Tcodes, not just SCC4. I just wanted to know if there are any loopholes that we, as security admins, should do to block these loopholes.

0 Kudos

Hello,

Check whether the user has any super role access. If so, then he will be able to access all the T-codes.

You can create a role and add only those T-codes he/she needs access to.

Regards,

Geetha

0 Kudos

> Check whether the user has any super role access. If so, then he will be able to access all the T-codes.

Super role? What should that be?

I'd suggest to do a complete user compare for the user, and afterwards have a look in SU01 to see which profiles are actually linked to the user. Make sure those are only the profiles belonging to your roles.

0 Kudos

> Julius,
>
> The thing is he is able to access a lot of other restricted Tcodes, not just SCC4. I just wanted to know if there are any loopholes that we, as security admins, should do to block these loopholes.

Which release are you on?

Assuming it is 6.40 or higher, go to tcode SUIM (or report RSUSR002) "Users by Complex selection criteria" and run it for Object 1 = 'S_DEVELOP' Activity = '16' ObjectType = 'FUGR'.

Do any of the users turn up?

Also, where are you getting this information from that they are (successfully) starting tcode SCC4? Are they also using it (making changes)?

Cheers,

Julius

Former Member
0 Kudos

OK - I'll join this thread.

If you know it's not a SAP_ALL profile - do the following to check the offending role/roles:

1. Go to SU01->Roles and copy all the roles assigned to the user.

2. Go to SE16->AGR_1251->ROLES-> paste all the roles, OBJECT-> enter S_TCODE, VALUE-> enter SCC4 then Execute.

This should display all the roles that give access to SCC4. You can even do ranges on the value like S* to T*. You can also run PFCG and click on transaction and enter SCC4; roles having that tcode will be displayed.

Good Luck!
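
Added example (not part of any post in this thread): an SE16 search on AGR_1251 for the literal value SCC4 does not return roles whose S_TCODE value is a pattern such as `S*` or `*`, or a LOW/HIGH range that contains SCC4. The sketch below runs that check offline over a CSV export of AGR_1251. The column layout of the export, the role names, the string comparison used for ranges and the handling of the DELETED flag are assumptions.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample of an AGR_1251 export (role names and values are made up).
# Columns assumed in the export: AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_BASIS_ADMIN,S_TCODE,TCD,SCC4,,
Z_HELPDESK,S_TCODE,TCD,SU01D,,
Z_LEGACY_POWER,S_TCODE,TCD,S*,,
Z_OLD_RANGE,S_TCODE,TCD,SA38,SE16,
Z_EVERYTHING,S_TCODE,TCD,*,,
Z_RETIRED,S_TCODE,TCD,SCC4,,X
Z_DEV_TEST,S_DEVELOP,ACTVT,16,,
"""

def value_covers(low, high, tcode):
    """True if an authorization value (single, pattern or range) covers tcode."""
    low, high = low.strip().upper(), high.strip().upper()
    tcode = tcode.upper()
    if high:  # range entry LOW..HIGH, compared as character strings (assumption)
        return low <= tcode <= high
    return fnmatchcase(tcode, low)  # exact values and '*' patterns

def roles_granting(export_text, tcode, user_roles=None):
    """Return {role: [matching S_TCODE values]} for the given tcode.

    user_roles, if given, limits the check to the roles copied from SU01.
    """
    hits = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != "S_TCODE" or row["FIELD"] != "TCD":
            continue
        if row["DELETED"].strip():  # skip entries flagged as deleted (assumption)
            continue
        if user_roles is not None and row["AGR_NAME"] not in user_roles:
            continue
        if value_covers(row["LOW"], row["HIGH"], tcode):
            shown = row["LOW"] + (".." + row["HIGH"] if row["HIGH"] else "")
            hits.setdefault(row["AGR_NAME"], []).append(shown)
    return hits

if __name__ == "__main__":
    for role, values in sorted(roles_granting(SAMPLE_EXPORT, "SCC4").items()):
        print(f"{role}: {', '.join(values)}")
```

On the constructed sample, only Z_BASIS_ADMIN would show up in a literal search for SCC4; the other three roles reported grant it through a pattern or a range.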