04-16-2009 8:38 AM
Hi Gurus,
We have a requirement to remove certain t-codes from the end user roles. However, in some of the role the value in s_tcode is "". As far as i know there is no way we can have a "" and still restrict access to certain t-codes. Can anybody confirm this or correct me if i am wrong?
Thanks,
Abhijit
04-16-2009 9:01 AM
Hi Abhijit,
You are correct that if "" is there in S_Tcode it will give access to all tcodes, however this also depends on the authoriziation object and the field values. If the related authorization objects are not available for the respective todes, then "" will not provide the correct access.
The best practice is always not to use "*" in S_tcode .
Regards,
Nilanjan
04-16-2009 1:20 PM
If the TCD field in your S_TCODE object is set to *, then what are the underlying authorizations? Removing one or more transactions bij defining ranges and thus excluding them may look like a solution but there is a great change the other authorizations in the same roles will allow the user to just bypass the transaction and use the functionality you're trying to deny anyway.
Building roles by taking transactions out of a too big role is like building a hous by digging cavities in a big pile of building material.
Best ask the person who made the requirement to specify what the users should have instead of what they shouldn't.....