06-30-2009 1:09 PM
Dear All,
i have problems with some Tcodes like SPRO, SCC4, OBYC.. etc. I did not put these tcodes in the Role while assigned users are using this tcodes.
I have assigned S_A.Develop profile to ABAPER and he has authorization of SPRO and SCC4. here i want to block the SPRO and SCC4 tcodes for abaper.
May i edit the S_A.Develop profile like Role edit?
Regards,
majamil
06-30-2009 1:37 PM
To be on the the safe side I think you should build a role based on a copy of this profile, edit this role and assign that to your developers. The original profile may be overwritten during upgrades tec.
06-30-2009 1:37 PM
To be on the the safe side I think you should build a role based on a copy of this profile, edit this role and assign that to your developers. The original profile may be overwritten during upgrades tec.
06-30-2009 2:02 PM
Dear Jurjen,
you should build a role based on a copy of this profile
how can i get the those tcodes which exist in S_A.Develop profile?
May i edit(add, delete) the Authorization and tcodes of this profile?
Regards,
06-30-2009 2:06 PM
Hi,
Go to suim->Transactions->By profiles. Give profile names. You will find the list of transactions. Please check and let us know if any issue.
Regards
Aveek.
06-30-2009 2:50 PM
Hi,
Role or Profile whatever it is, please do not use the standard one (SAP Delivered). If you want to use any of these, please copy into customer name space (Y* & Z*) and change accordingly. Do not change anything which is SAP Delivered.
Regards,
Dipanjan
06-30-2009 3:02 PM
> how can i get the those tcodes which exist in S_A.Develop profile?
On second thought, I've had a look at this profile and must admit your question cannot properly answered. The S_A.Develop profile also contains debugging rights which means your developers will be able to bypass any authorization checks. Developers will need these rights in a develoment system.
Better start by building a proper role from scratch, with the transactions you do want them to execute...
07-01-2009 12:03 PM
hi jurjen,
thanks for replies.
leave the ABAPER case
now i want to remove SPRO and SCC4 tcodes from other user because these are very critical tcodes.
how can i do it?
07-01-2009 12:29 PM
> now i want to remove SPRO and SCC4 tcodes from other user because these are very critical tcodes.
SPRO is not a dangerous transaction. It is just one of many entry-points to the customizing. This is a subject often discussed in the forum.
As far as SCC4 is concerned I think you want to restric peolpe from client maintenance. Have a look at the following objects/values I found in a trace after changing client settings:
S_TABU_DIS ACTVT=02;DICBERCLS=SS;
S_TABU_CLI CLIIDMAINT=X;
A person without these authorizations will not be able to change client settings. Besides these, S_ADMI_FCD with value T000 is neccesary to create clients.
Basically I disagree on the term "critical tcodes". There are critical actions in a system but tcodes are only entry-points. It's like having a room full of arms and explosives and declaring the door to be the dangerous part........
The misunderstanding often seen is that you do not want people to enter such a room and hope to accomplish that by making sure no one opens the front door. Slowly but surely you'll focus on the door knob or lock without paying any attention to the rest of the building. There may be other doors and windows as well......
07-02-2009 6:25 AM
Basically I disagree on the term "critical tcodes". There are critical actions in a system
but tcodes are only entry-points. It's like having a room full of arms and explosives and
declaring the door to be the dangerous part........
The misunderstanding often seen is that you do not want people to enter such a room and
hope to accomplish that by making sure no one opens the front door. Slowly but surely
you'll focus on the door knob or lock without paying any attention to the rest of the building.
There may be other doors and windows as well......
Thanks for this Beautiful Advice
Jurjen... If someone have authorization of SPRO then he can make changing in defined Project. and i don't want to take this
risk. my manager also said me that you have to block SPRO for users for the specific time.
For Knowledge sharing with other SDN users.
there is a Authorization Object (S_Project) and we can manage the Activity of SPRO tcode with this AO.
Now tell me
i checked the PFCG tcode and user can use this code. I searched its Objects(S_USER_AGR , S_USER_TCD) but these are not exist in that role but assinged users are using pfcg.
how can i manage the PFCG tcode ?
Thanks and Best regards,
Regards,
majamil
07-02-2009 7:39 AM
> I searched its Objects(S_USER_AGR , S_USER_TCD) but these are not exist in that role but assinged users are using pfcg.
> how can i manage the PFCG tcode ?
I suspect there's another role or profile assigned to these users which does contain these objects. Just looking into the one role where the transacion is in will not tell you the whole story. Have you tried looking at the user buffer for these users with the specific objects? (SU56)
07-02-2009 12:51 PM
thanks Jurjen for the support problem almost rectified with the help of SU24, SE93 , SUIM and SU56.
Regards,
majamil
06-30-2009 1:42 PM
Hi,
If you are using version 4.6C and above, you are advisable to assign roles instead of profiles . You ca assign roles which does not have the mentioned transactions to the users .
Dipesh.