Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

tcode not showing in SAP Menu

Former Member

‎04-03-2009 1:35 PM

0 Kudos

Hi All

some transaction (bs22, bs23 , fs02 , fs03 ) not showing in showing in sap manu , while user can execuite them. how can i restric the users , not use that tcode from existing Role which assign to them

Regard

Imran Khan

11 REPLIES 11

Former Member

‎04-03-2009 1:39 PM

0 Kudos

The relevant part of a role is not the menu but the underlying authorisation objects. Check the S_TCODE values for the user in question. If the mentioned transactions are included he can execute them regardless of whether they are in the role menu or not.

If you don't want that update the S_TCODE values (i.e. remove the transactions).

Former Member

‎04-03-2009 3:54 PM

0 Kudos

Hi Imran,

The users are getting access to the txn through the roles but these are not visible in the menu b'coz the

txn could have been inserted into the role manually and not through the role menu.

Hence, if you want to restrict the users from accessing the txn's (bs22, bs23 , fs02 , fs03 ), you will have to first find out the roles through which the users are having access to the above txn and then make changes accordingly to either the roles or the user profile of the users to suit your needs.

Thanks,

Saby..

jurjen_heeck
Active Contributor
In response to Former Member

‎04-03-2009 4:55 PM

0 Kudos

> txn could have been inserted into the role manually

This is not always the case. Some transactions may pull in other ones through their SU24 proposal values. In that case they'll be in a read only S_TCODE object....

sdipanjan
Active Contributor
In response to Former Member

‎04-03-2009 7:05 PM

0 Kudos

> 

Some transactions may pull in other ones through their SU24 proposal values. In that case they'll be in a read only S_TCODE object....

Hi,

This is as per Table TCDCOUPLES. The properties you guys are talking about is Calling-Called Transactions. And this is not as per SU24. This can be viewed and enforced in SE97.

Hello Imran,

You should not provide SAP Menue to the Endusers. Please restrict them by adjusting Initial Menu in SSM2 TCode (or in table: USERS_SSM). Please do not confuse TCode access of users with their Initial Menu. Please find out the available TCodes for every user by using following steps and then perform remediation:

1. Go to SE16 / SE16N and extract available roles for an user from Table AGR_USERS; download and save.

2. Now go to Table AGR_TCODES and put this list of roles.

3. Execute and save the list as local file.

Please let me know for any more information if needed.

Regards,

Dipanjan

Former Member
In response to Former Member

‎04-03-2009 8:42 PM

0 Kudos

>

> > 

> Some transactions may pull in other ones through their SU24 proposal values. In that case they'll be in a read only S_TCODE object....

>

> Hi,

> This is as per Table TCDCOUPLES. The properties you guys are talking about is Calling-Called Transactions. And this is not as per SU24. This can be viewed and enforced in SE97.

>

Actually Jurjen is right, there are plenty of transactions configured in SU24 to pull through extra transactions into S_TCODE.

TCDCOUPLES/SE97 is completely different and as you said, is related to to CALL TRANSACTION functionality

Former Member
In response to Former Member

‎04-03-2009 10:08 PM

0 Kudos

But both SU24 and SE97 can lead to the same observation.

The problem is that Imran has not told us how the observation is made... nor which transaction this is...

- SU24: The user can enter the transaction in the "ok-code" field directly, if he knows it....

- SE97: The user cannot enter the transaction in the "ok-code" field directly, even if he does know it - but he can navigate to it (typically with set parameters... ) and use function codes or subsequently start the transaction (/n...).

In both cases you will observe that the user successfully started the transaction (e.g. in the audit log) but the context can be very different and the system will react differently.

It is not necessarily a bad thing if the coding of the check is done correctly and at the correct location in the user navigation.

Personally, I think that calling a function module USING the parameters and managing the LUW's (logical units of work) is better than calling a transaction screen with them. That way the checks are consistent and the user cannot dodge them by navigating around or using Su53 to find what is hidden from them.

Cheers,

Julius

sdipanjan
Active Contributor
In response to Former Member

‎04-03-2009 10:19 PM

0 Kudos

> 

> Personally, I think that calling a function module USING the parameters and managing the LUW's (logical units of work) is better than calling a transaction screen with them. That way the checks are consistent and the user cannot dodge them by navigating around or using Su53 to find what is hidden from them.
> 
> Cheers,
> Julius

Absolutely right.. but all our discussions may confuse our dear friend Imran to guess what to do.

To Imran:

So, in a nutshell, the main task is to remove those Transactions from the roles to which users have access. Please do not confuse this with available menu of the user. I have already tried in my last post to provide the guide line of this process. Please take help from there as well from other posts too.

Please let us know for any query.

Regards,

Dipanjan

Former Member
In response to Former Member

‎04-03-2009 11:15 PM

0 Kudos

> Absolutely right.. but all our discussions may confuse our dear friend Imran to guess what to do.

To be blunt: That is Imran's problem, not the "Expert Forums" at SDN.

I devote a lot of time to helping others and learning from interesting discussions (and rejecting questions and answers which do not display a willingness to do a basic search first on their own - to keep the forum "clean").

If someone cannot understand an answer where reasonable effort has been put into making it understandable and discuss it further, then they need to get some training and put in more effort on their side, instead of dumping doubts into the forum.

I think Imran should become more active in this thread - and I don't mean "Tell me more about function modules?"

Thank you for your comments and contributions though and also to Imran for the question - the moderation is not intended to stop contributions in any way, but rather to keep the quality of the information exchange and "noise" at an acceptable standard.

Lets hope to hear more form Imran.

Cheers,

Julius

Former Member
In response to Former Member

‎04-04-2009 8:49 AM

0 Kudos

but my problem is still there , how can i find the tcode that i mension , while i have not asign them to the users but user can execuite them

regard

Imran

Former Member
In response to Former Member

‎04-04-2009 9:04 AM

0 Kudos

How??

Is the user entering FS02 in the "command window" and hitting "Enter", or, is the user in FB03 and double-clicking the account number?

Basically you need to decide whether you are going to allow it at all, or whether you want to allow it selectively by protecting certain accounts.

Only you can know this...

Julius

Former Member
In response to Former Member

‎04-07-2009 11:34 AM

0 Kudos

Hi Imran,

sap main screen consists two user menu's one is 1)sap menu 2)user menu

U have assigned a particular role to that particular the user contains that transactions ..So check the role by Pfcg .

Edited by: Naveen N on Apr 7, 2009 4:05 PM