Excluding transactions within an Authorization role/profile

Former Member
0 Kudos

Dear Gurus,

Does anyone have any idea of the possibility to exclude transactions (or values of authorization object S_TCODE) from, let's say, a SAP_ALL profile when profile SAP_ALL is imported as base profile in a role? The reason I'm asking is that we want to provide some of the consultants with a SAP_ALL profile, except for some transactions we describe as 'critical' like the SCC* range. I have tried several possible solutions including the use of multiple standard SAP roles and profiles but it doesn't seem to work the way I want it to work.

Any suggestions in this matter are welcome.

Best regards, Ron

7 REPLIES 7

Former Member
0 Kudos

First of all, the method you are thinking of is not valid. "Everything except a few" will not work in the long term. You will start spending hours and hours when you start looking at things from a different perspective.

If you still want to continue, create a role and go to Authorizations, and inside Edit --> Insert Authorization --> From profile.

You can now edit the s_tcode object. If you still can't edit it, do as below.

1. Go to se16 or se16n

2. Enter the role name and find all the tcodes (make sure you remove the 500 limit)

3. Now download the transactions, go to the role

4. Deactivate the existing s_tcode, add a new instance of S_TCODE and copy the transactions

Or as a last option, you can maintain the ranges in S_TCODE object.

Regards,

Gowrinadh

Former Member
0 Kudos

I remember God's favourite son mentioning on the Forum that "Role maintenance is about Inclusions and not Exclusions" - I don't remember the thread, but I remember the advice

and run..........before he reads this post

0 Kudos

"Role maintenance is about Inclusions and not Exclusions"

100% correct advice. Security is about inclusions, not exclusions, to resources.

matt_daniels
Explorer
0 Kudos

Hello,

I have done this for consultants- hope this helps

1. PFCG- First create a new blank role- name = YCOPY_SAP_ALL

2. Go to the role tab Authorizations and click Expert Mode for Profile Generation. It will ask you to select a template; just choose SAP_ALL. Click the check mark and you will have a copy of sap_all in a role.

3. Regenerate the role and open the object S_TCODE- here just include a range for the tcodes- In the range you can bypass certain tcodes- there you have it -- SAP_ALL with only the tcodes you want.

4. Below is an example of a tcode range for S_TCODE.

/*

0* 9*

A* BD86

BD88

SQ_* STMR

STMT WE10

S_ALR_87012284

WE12 Z*

0 Kudos

> 3. Regenerate the role and open the object S_TCODE- here just include a range for the tcodes- In the range you can bypass certain tcodes- there you have it -- SAP_ALL with only the tcodes you want.

Okay, you've locked the front door but unfortunately you've left all windows open. Giving out a copy of SAP_ALL created this way isn't a secure solution. I've created copies of SAP_ALL as well, especially in early project phases, and mostly left * in S_TCODE as the transactions themselves are hardly interesting. They're entry points to the software which really needs protection. Start by looking at system administration objects like: S_ADMI_FCD, S_USER_GRP, S_USER_AGR, etc.

And be aware of the fact that an S_DEVELOP object with only star values (like you'll get with such a role) will allow the user to bypass any authorization check......
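The review this reply argues for, as an added example that is not part of the original thread: flag roles that narrow S_TCODE but still carry star values in every field of the objects named above. The row layout, the sample rows and the role Z_CONSULT_DISPLAY are constructed for illustration.

```python
from collections import defaultdict

# Objects the reply names; the row layout and all rows below are constructed.
SENSITIVE = ("S_DEVELOP", "S_ADMI_FCD", "S_USER_GRP", "S_USER_AGR")

# (role, object, field, from_value, to_value); Z_CONSULT_DISPLAY is hypothetical.
ROWS = [
    ("YCOPY_SAP_ALL", "S_TCODE", "TCD", "A*", "BD86"),
    ("YCOPY_SAP_ALL", "S_TCODE", "TCD", "WE12", "Z*"),
    ("YCOPY_SAP_ALL", "S_DEVELOP", "ACTVT", "*", ""),
    ("YCOPY_SAP_ALL", "S_DEVELOP", "DEVCLASS", "*", ""),
    ("YCOPY_SAP_ALL", "S_DEVELOP", "OBJTYPE", "*", ""),
    ("YCOPY_SAP_ALL", "S_ADMI_FCD", "S_ADMI_FCD", "*", ""),
    ("YCOPY_SAP_ALL", "S_USER_GRP", "ACTVT", "*", ""),
    ("YCOPY_SAP_ALL", "S_USER_GRP", "CLASS", "*", ""),
    ("YCOPY_SAP_ALL", "S_USER_AGR", "ACTVT", "*", ""),
    ("YCOPY_SAP_ALL", "S_USER_AGR", "ACT_GROUP", "*", ""),
    ("Z_CONSULT_DISPLAY", "S_TCODE", "TCD", "SE16", ""),
    ("Z_CONSULT_DISPLAY", "S_DEVELOP", "ACTVT", "03", ""),
    ("Z_CONSULT_DISPLAY", "S_DEVELOP", "DEVCLASS", "*", ""),
    ("Z_CONSULT_DISPLAY", "S_USER_GRP", "ACTVT", "03", ""),
    ("Z_CONSULT_DISPLAY", "S_USER_GRP", "CLASS", "*", ""),
]

def open_objects(rows):
    """Return {role: [sensitive objects whose every field holds '*']}.
    Simplification: values are merged per object, not per authorization instance."""
    fields = defaultdict(lambda: defaultdict(set))
    for role, obj, field, low, _high in rows:
        fields[(role, obj)][field].add(low.strip())
    findings = defaultdict(list)
    for (role, obj), by_field in sorted(fields.items()):
        if obj in SENSITIVE and all("*" in vals for vals in by_field.values()):
            findings[role].append(obj)
    return dict(findings)

def tcode_only_restricted(rows):
    """Roles that narrow S_TCODE yet leave sensitive objects fully open."""
    has_tcode = {r for r, o, _f, _lo, _hi in rows if o == "S_TCODE"}
    star_tcode = {r for r, o, _f, lo, _hi in rows
                  if o == "S_TCODE" and lo.strip() == "*"}
    narrowed = has_tcode - star_tcode
    return {r: objs for r, objs in open_objects(rows).items() if r in narrowed}

if __name__ == "__main__":
    for role, objs in tcode_only_restricted(ROWS).items():
        print(f"{role}: S_TCODE narrowed, but fully open: {', '.join(objs)}")
```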

Former Member
0 Kudos

This message was moderated.

0 Kudos

Sorry, English should have been better to understand.

Regards,

Gowrinadh