07-31-2009 5:57 AM
Dear Gurus,
Can I lock some transactions etc. SU01, SU10, PFCG for a user who has the SAP_ALL profile?
I will change it for consultant users.
Thanks for the advice.
07-31-2009 6:01 AM
Hi
As far as I know it's not possible when a user has got the SAP_ALL profile. Anyway, just give it a try, locking the Tcode from SM01, but that user can unlock it at any time. Nope, that won't work.
Regards
Uday
07-31-2009 10:55 AM
No, you need to create a new role with the right authorizations for your consultants.
Regards
Juan
08-03-2009 10:15 AM
You can copy the sap_all profile and remove the authorisation to the tcodes which you don't want the user to access.
08-03-2009 11:57 AM
Hi,
You can lock the transactions from tcode SM01, but the user with SAP_all can unlock them himself, so that's not a valid solution.
You can minimize the users who are assigned the SAP_all authorization.
Also I suggest you revoke the sap_all profile and give the SAP_ALL_DISPLAY profile to the user who needs it (if he needs display only).
You can also give him another role, S_A.Develop.
Hope it helps.
Thanks
Ruchika
08-03-2009 12:49 PM
No,
It is tricky; you can create a role with the sap_all profile. Deactivate some authorization object, e.g. S_USER_TCD, and check carefully, as the authorization object may prevent some other tCodes from working too, or remove the authorization to the tCodes....
It wouldn't work.
Also I suggest you revoke the sap_all profile and give the SAP_ALL_DISPLAY profile to the user who needs it (if he needs display only).
Regards
Yogu
08-03-2009 1:33 PM
Hi,
Try restricting A.object S_user_tcd; it can restrict the access to t-codes like su01, pfcg. ...
Instead of locking all those tcodes, just create a new role, or otherwise copy the role Sap_all and assign the activity as Display.
Or you can simply inactivate the user admin and role maintenance objects before generating,
or you take both transactions out of the role and user maintenance objects... then generate, before assigning to your users.
Thanks.
Ramakrishna.
08-04-2009 10:18 AM
> Try , restricting A.object S_user_tcd can restrict the access of t-codes like su01,pfcg. ...
This is an incorrect answer.
Object S_USER_TCD only controls which transactions can be added to roles.
From SAP NetWeaver Application Server ABAP Security Guide, page 40:
Authorization system: Transactions in roles
This authorization object determines the transactions that an
administrator can assign to a role, and the transactions for which he or
she can assign transaction authorization (object S_TCODE).
Note that a user can only maintain ranges of transactions for the
S_TCODE authorization object in the Profile Generator if he or she has
full authorization for the S_USER_TCD authorization object. Otherwise,
he or she can only maintain individual values for the S_TCODE object.
08-04-2009 7:52 AM
08-04-2009 9:52 AM
You need to create proper roles for your consultants anything different to that is just a "hot fix" that you'll have to face in the future.
SAP_ALL_DISPLAY
That has not been delivered since 4.6c, I think...
Moved to Security Forum
Regards
Juan