Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Problem with Tcodes

former_member182034
Active Contributor
0 Kudos

Dear All,

i have problems with some Tcodes like SPRO, SCC4, OBYC.. etc. I did not put these tcodes in the Role while assigned users are using this tcodes.

I have assigned S_A.Develop profile to ABAPER and he has authorization of SPRO and SCC4. here i want to block the SPRO and SCC4 tcodes for abaper.

May i edit the S_A.Develop profile like Role edit?

Regards,

majamil

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos

To be on the the safe side I think you should build a role based on a copy of this profile, edit this role and assign that to your developers. The original profile may be overwritten during upgrades tec.

11 REPLIES 11

jurjen_heeck
Active Contributor
0 Kudos

To be on the the safe side I think you should build a role based on a copy of this profile, edit this role and assign that to your developers. The original profile may be overwritten during upgrades tec.

0 Kudos

Dear Jurjen,

you should build a role based on a copy of this profile

how can i get the those tcodes which exist in S_A.Develop profile?

May i edit(add, delete) the Authorization and tcodes of this profile?

Regards,

0 Kudos

Hi,

Go to suim->Transactions->By profiles. Give profile names. You will find the list of transactions. Please check and let us know if any issue.

Regards

Aveek.

0 Kudos

Hi,

Role or Profile whatever it is, please do not use the standard one (SAP Delivered). If you want to use any of these, please copy into customer name space (Y* & Z*) and change accordingly. Do not change anything which is SAP Delivered.

Regards,

Dipanjan

0 Kudos

> how can i get the those tcodes which exist in S_A.Develop profile?

On second thought, I've had a look at this profile and must admit your question cannot properly answered. The S_A.Develop profile also contains debugging rights which means your developers will be able to bypass any authorization checks. Developers will need these rights in a develoment system.

Better start by building a proper role from scratch, with the transactions you do want them to execute...

0 Kudos

hi jurjen,

thanks for replies.

leave the ABAPER case

now i want to remove SPRO and SCC4 tcodes from other user because these are very critical tcodes.

how can i do it?

0 Kudos

> now i want to remove SPRO and SCC4 tcodes from other user because these are very critical tcodes.

SPRO is not a dangerous transaction. It is just one of many entry-points to the customizing. This is a subject often discussed in the forum.

As far as SCC4 is concerned I think you want to restric peolpe from client maintenance. Have a look at the following objects/values I found in a trace after changing client settings:

S_TABU_DIS ACTVT=02;DICBERCLS=SS;

S_TABU_CLI CLIIDMAINT=X;

A person without these authorizations will not be able to change client settings. Besides these, S_ADMI_FCD with value T000 is neccesary to create clients.

Basically I disagree on the term "critical tcodes". There are critical actions in a system but tcodes are only entry-points. It's like having a room full of arms and explosives and declaring the door to be the dangerous part........

The misunderstanding often seen is that you do not want people to enter such a room and hope to accomplish that by making sure no one opens the front door. Slowly but surely you'll focus on the door knob or lock without paying any attention to the rest of the building. There may be other doors and windows as well......

0 Kudos
Basically I disagree on the term "critical tcodes". There are critical actions in a system 
but tcodes are only entry-points. It's like having a room full of arms and explosives and 
declaring the door to be the dangerous part........

The misunderstanding often seen is that you do not want people to enter such a room and
 hope to accomplish that by making sure no one opens the front door. Slowly but surely 
you'll focus on the door knob or lock without paying any attention to the rest of the building. 
There may be other doors and windows as well......

Thanks for this Beautiful Advice

Jurjen... If someone have authorization of SPRO then he can make changing in defined Project. and i don't want to take this

risk. my manager also said me that you have to block SPRO for users for the specific time.

For Knowledge sharing with other SDN users.

there is a Authorization Object (S_Project) and we can manage the Activity of SPRO tcode with this AO.

Now tell me

i checked the PFCG tcode and user can use this code. I searched its Objects(S_USER_AGR , S_USER_TCD) but these are not exist in that role but assinged users are using pfcg.

how can i manage the PFCG tcode ?

Thanks and Best regards,

Regards,

majamil

0 Kudos

> I searched its Objects(S_USER_AGR , S_USER_TCD) but these are not exist in that role but assinged users are using pfcg.

> how can i manage the PFCG tcode ?

I suspect there's another role or profile assigned to these users which does contain these objects. Just looking into the one role where the transacion is in will not tell you the whole story. Have you tried looking at the user buffer for these users with the specific objects? (SU56)

0 Kudos

thanks Jurjen for the support problem almost rectified with the help of SU24, SE93 , SUIM and SU56.

Regards,

majamil

Former Member
0 Kudos

Hi,

If you are using version 4.6C and above, you are advisable to assign roles instead of profiles . You ca assign roles which does not have the mentioned transactions to the users .

Dipesh.