
removing authorization for SPRO transaction

Former Member
0 Kudos

Hi experts,

I am working on ECC 6.0 and MSSQL Server. How do I get the authorization object for Tcode SPRO? I have tried to find it out through SE80 but could not get the authorization object. I have mistakenly added an object related to the SPRO tcode, and the user got the authorization to log in to SPRO. Now I tried to find it in all roles assigned to him but could not find the SPRO tcode in his menu, but still he is able to perform SPRO. Please suggest, as I have made a temporary adjustment by locking the SPRO tcode.

8 REPLIES

Former Member
0 Kudos

Take a look @ note,

Note 46546 - Display authorization for activities in IMG

Also have a look @ below post.

Regards,

Ravi

Former Member
0 Kudos

Hi,

The user may get this authorization by any direct assignment of profiles. So check his access first.

If no profiles exist, then search roles against the users by "Roles by Complex selection" in SUIM with authorization object S_TCODE.

This should show you the role.

Else you can take an authorization trace by ST01 while the user is running SPRO. This will show you all the authorization checks for the particular activity.

Regards,

Sandip.

0 Kudos

Hi,

I think the best solution is to simulate the use of the SPRO transaction and trace it via the ST01 transaction.

You can disable the SPRO transaction via SM01, then nobody can use it.

Regards,

Gilles SEBBAG

SAP Technical Consultant.

0 Kudos

> You can disable the SPRO transaction via SM01, then nobody can use it.

This is very bad advice as SPRO is only an entry point and blocking it will not secure your system in any way. Even without transaction SPRO all customizing activities behind it are still executable.

0 Kudos

Hi Jurjen,

I agree with your comment, but in a production system you mustn't use the SPRO transaction. (In SCC4 and SE06 the system/client is closed for customizing.)

Regards,

Gilles SEBBAG

0 Kudos

> I agree with your comment, but in production system you mustn't use the SPRO transaction. (in SCC4 and SE06 the system/client is closed for customizing)

What I'm saying is that the transaction SPRO itself is fairly meaningless as far as security is concerned. It's the activities behind it that need to be taken care of. Closing the client for customizing is not enough. There are numerous activities which are considered to be part of customizing but which are perfectly executable on a 'closed client'.

When someone advises to lock a transaction or exclude it by entering ranges in the S_TCODE object I must step in, as this is nowhere near a secure solution.

0 Kudos

The best option would be to run ST01. This will help you to see the "checked auth objects" for SPRO.

(As per your 3rd statement {I have mistakenly added object related to SPRO tcode}, I feel that you already have the list of auth objects for SPRO with you.)

As Sandip mentioned, run SUIM for viewing the roles which have S_TCODE=SPRO. Based on the report, verify the role modification dates and revert if needed.

Many Thanks

P.
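Added example, not part of any reply in this thread: the replies above suggest searching role data for S_TCODE with the value SPRO, and one reply mentions ranges entered in S_TCODE. This sketch checks constructed role rows for exact, wildcard and range values that cover a transaction code; the row layout (modelled on table AGR_1251), the role names and the simplified matching rules are assumptions.

```python
# Added example. Rows are constructed: (role, object, field, low, high).
SAMPLE_ROWS = [
    ("Z_MM_BUYER", "S_TCODE", "TCD", "ME21N", ""),
    ("Z_MM_BUYER", "S_TCODE", "TCD", "ME22N", ""),
    ("Z_BASIS_SUPPORT", "S_TCODE", "TCD", "SM*", ""),
    ("Z_BASIS_SUPPORT", "S_TCODE", "TCD", "SP00", "SPZZ"),
    ("Z_PROJECT_TEMP", "S_TCODE", "TCD", "SPRO", ""),
    ("Z_FIREFIGHTER", "S_TCODE", "TCD", "*", ""),
    ("Z_TABLE_DISPLAY", "S_TABU_DIS", "ACTVT", "03", ""),
]

def classify(low, high, tcode):
    """Simplified model (assumption): exact value, trailing-* pattern, or inclusive range."""
    low, high, tcode = low.strip().upper(), high.strip().upper(), tcode.strip().upper()
    if high:
        return "range" if low <= tcode <= high else None
    if low.endswith("*"):
        return "pattern" if tcode.startswith(low[:-1]) else None
    return "exact" if low == tcode else None

def grants_for(rows, tcode):
    """Return (role, value, kind) for every S_TCODE value that covers tcode."""
    hits = []
    for role, obj, field, low, high in rows:
        if obj != "S_TCODE" or field != "TCD":
            continue
        kind = classify(low, high, tcode)
        if kind:
            hits.append((role, f"{low}-{high}" if high else low, kind))
    return hits

def hidden_grants(rows, tcode):
    """Grants that a search for the literal transaction code would not show."""
    return [h for h in grants_for(rows, tcode) if h[2] != "exact"]

if __name__ == "__main__":
    for role, value, kind in grants_for(SAMPLE_ROWS, "SPRO"):
        print(f"{role:18} S_TCODE/TCD = {value:10} ({kind})")
```

The range and wildcard hits are the ones that never appear as SPRO in a role menu, which fits the symptom described in the question.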

Former Member
0 Kudos

Hi Vaibhav,

Not sure if you already resolved the issue, but you can give only SPRO display authorization as follows.

There is SAP Note 46546; please follow that note.

You can go to the role for which you want to give only SPRO display.

Click on the Manually tab, add the authorization object S_TABU_DIS and give only display.

This should solve your problem.

Regards,

Ershad Ahmed