
Can I lock some transaction codes for a user granted the SAP_ALL profile

Former Member
0 Kudos

Dear Gurus,

Can I lock some transactions (SU01, SU10, PFCG, etc.) for a user who has the SAP_ALL profile?

I will change it for consultant users.

Thanks for your advice.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi

As far as I know, it's not possible when a user has the SAP_ALL profile. Anyway, just give it a try by locking the tcode from SM01, but that user can unlock it at any time, so nope, that won't work.

Regards

Uday

9 REPLIES 9

JPReyes
Active Contributor
0 Kudos

No, you need to create a new role with the right authorizations for your consultants.

Regards

Juan

Former Member
0 Kudos

You can copy the SAP_ALL profile and remove the authorisation for the tcodes which you don't want the user to access.

Former Member
0 Kudos

Hi,

You can lock the transactions from tcode SM01, but the user with SAP_ALL can unlock them himself, so that's not a valid solution.

You can minimize the number of users who are assigned the SAP_ALL authorization.

Also, I suggest you revoke the SAP_ALL profile and give the SAP_ALL_DISPLAY profile to the user who needs it (if he needs display only).

You can also give him another role, S_A.Develop

Hope it helps.

Thanks

Ruchika

Former Member
0 Kudos

No,

It is tricky; you can create a role with the SAP_ALL profile. Deactivate some authorization objects, e.g. S_USER_TCD, and check carefully, as an authorization object may also prevent some other tcodes from working, or remove the authorization to the tcodes....

It wouldn't work.

Also, I suggest you revoke the SAP_ALL profile and give the SAP_ALL_DISPLAY profile to the user who needs it (if he needs display only).

Regards

Yogu

Former Member
0 Kudos

Hi,

Try restricting A.object S_user_tcd; it can restrict the access of t-codes like su01, pfcg. ...

Instead of locking all those tcodes, just create a new role, or otherwise copy the role SAP_ALL and assign the activity as Display.

Or you can simply inactivate the user admin and role maintenance objects before generating,

or you take both transactions out of the role and user maintenance objects, then generate, before assigning to your users.

Thanks.

Ramakrishna.

0 Kudos

> Try , restricting A.object S_user_tcd can restrict the access of t-codes like su01,pfcg. ...

This is an incorrect answer.

Object S_USER_TCD only controls which transactions can be added to roles.

From SAP NetWeaver Application Server ABAP Security Guide, page 40:

Authorization system: Transactions in roles

This authorization object determines the transactions that an administrator can assign to a role, and the transactions for which he or she can assign transaction authorization (object S_TCODE).

Note that a user can only maintain ranges of transactions for the S_TCODE authorization object in the Profile Generator if he or she has full authorization for the S_USER_TCD authorization object. Otherwise, he or she can only maintain individual values for the S_TCODE object.

Former Member
0 Kudos

Thank you very much.

0 Kudos

You need to create proper roles for your consultants; anything different to that is just a "hot fix" that you'll have to face in the future.

SAP_ALL_DISPLAY

That has not been delivered since 4.6c, I think...

Moved to Security Forum

Regards

Juan
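
The thread's recurring advice is to build a proper consultant role instead of locking transactions under SAP_ALL. As an added example (not code from any poster or from SAP), this Python check reviews the S_TCODE values of a role and reports which of SU01, SU10 and PFCG it still grants. The role names and values are constructed, and the matching is a simplified model: single values, trailing-`*` generic values and plain from/to ranges, compared as uppercase strings.

```python
# Added example: simplified model of S_TCODE (field TCD) value matching.
# Role names and values are constructed; real values would come from a role export.

SENSITIVE = ("SU01", "SU10", "PFCG")  # transactions named in the thread


def covers(value, tcode):
    """Return True if one S_TCODE entry covers the transaction code.

    value is a single value ("SU01"), a generic value ("SU*" or "*"),
    or a (low, high) tuple for a range with plain bounds.
    """
    tcode = tcode.upper()
    if isinstance(value, tuple):
        low, high = (bound.upper() for bound in value)
        return low <= tcode <= high
    value = value.upper()
    if value.endswith("*"):
        return tcode.startswith(value[:-1])
    return tcode == value


def exposed(tcd_values, sensitive=SENSITIVE):
    """Map each sensitive transaction to the entries that still grant it."""
    hits = {}
    for tcode in sensitive:
        granting = [v for v in tcd_values if covers(v, tcode)]
        if granting:
            hits[tcode] = granting
    return hits


# Constructed S_TCODE values for three hypothetical roles
ROLES = {
    "Z_SAP_ALL_COPY": ["*"],                      # copy of SAP_ALL, left untouched
    "Z_CONSULT_RANGE": [("SM00", "SU99")],        # range silently includes SU01/SU10
    "Z_CONSULT_CLEAN": ["SE16", "SM37", ("VA01", "VA03")],
}

if __name__ == "__main__":
    for role, values in ROLES.items():
        print(role, exposed(values) or "no sensitive transactions granted")
```

A clean result here only means S_TCODE does not grant the transaction start; the user and role maintenance objects still need their own review.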