Users authorized to start all Reports

Former Member

Dear Gurus,

I'm administering an SAP system with about 400 users, and 99% of them have SE38 and SA38 authorizations, so they can start virtually any kind of report.

In order to close this security hole, the better solution is to create a custom tcode for every report my users need and then remove the ability to use SE38/SA38, but this is a task that needs at least 2 or 3 months because I have to teach this "new way to work" to everyone.

My question is: do you know if it's possible to set up a role that includes SE38/SA38 and grants only the execution of Z* reports?

Thanks in advance,

Federico Biavati

4 Replies

Former Member

Is there any specific reason not to block the unnecessary access instead of creating a custom solution?


Hi Manoj,

The only reason is that I need time to show my users how to use the new custom transactions instead of running reports from SE38/SA38.

And I'm talking about 400 users in different departments.

But I agree with you that the better choice is to deny those kinds of accesses.

Thanks,

Federico

JPReyes
Active Contributor

Moved to Security Forum

Former Member

You could create a custom transaction which first verifies the namespace of the selected report (Z*) and then calls a generic report "submitter" such as transaction START_REPORT or SUB%.

But often custom programmes are a part of the problem as well, or even a bigger one.

The best place for authority-checks is in the correct program coding locations, regardless of the caller, and then only explicitly turn the check off again for special contexts (SU24, SE97, etc.).

Personally, when looking for a submittable report backdoor, I do a quick check of the latest support package notes which are not applied, and then go for the custom code (crispy on the outside, soft & GUI on the inside...).

But if you don't have much custom development work and have knowledgeable folks doing QA checks on transports (not just procedural...), then this sounds like a good strategy.

Cheers,

Julius
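As an added illustration of the wrapper Julius describes (not code from the thread or from SAP), a custom report that only submits customer-namespace programs and repeats the S_PROGRAM check that SA38 would perform; the program name ZSUBMIT_Z_ONLY and the parameter P_PROG are assumptions, and it reads the report's authorization group from TRDIR-SECU.

```abap
REPORT zsubmit_z_only.
" Added example, not from the thread: a submit wrapper restricted to
" customer-namespace reports. Program name and parameter are assumptions.

PARAMETERS p_prog TYPE progname OBLIGATORY.

START-OF-SELECTION.
  DATA lv_secu TYPE trdir-secu.

  " 1. Namespace check: refuse anything outside the customer namespace.
  IF p_prog(1) <> 'Z' AND p_prog(1) <> 'Y'.
    MESSAGE 'Only customer reports (Z*/Y*) may be started here' TYPE 'E'.
  ENDIF.

  " 2. The report must exist and be an executable program (SUBC = '1');
  "    its authorization group is kept in TRDIR-SECU.
  SELECT SINGLE secu FROM trdir INTO lv_secu
    WHERE name = p_prog AND subc = '1'.
  IF sy-subrc <> 0.
    MESSAGE 'Report does not exist or is not executable' TYPE 'E'.
  ENDIF.

  " 3. Repeat the S_PROGRAM check SA38 would do, against the report's
  "    authorization group, so roles still decide which Z reports a user
  "    may start. A report with an empty group is checked with a blank
  "    value here, which is deliberately stricter than skipping the check.
  AUTHORITY-CHECK OBJECT 'S_PROGRAM'
    ID 'P_GROUP'  FIELD lv_secu
    ID 'P_ACTION' FIELD 'SUBMIT'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for this report''s group' TYPE 'E'.
  ENDIF.

  " 4. Only now hand over to the selected report.
  SUBMIT (p_prog) VIA SELECTION-SCREEN AND RETURN.
```

Assign this wrapper its own transaction code and drop SE38/SA38 from the roles; the wrapper does not replace the authority-checks that belong inside each Z report itself.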