Remove transaction access from users

Former Member · ‎05-11-2011

Hi Experts,

We have both ESS and R3 users(who are also ESS) in our project. We want to restrict an important transaction P*** which is accessible by all.

I have seen in suim --> roles --> by transactional assignments. There are few roles which contains those transactions but those are not assigned to all users only a few users.

Then I have created a dummy user and assigned only the ESS roles to it. which was made by copying from the standard ess roles. and I have seen that This user can access that transaction.

It means the transaction is somewhere in the ess roles but I cant find where it is.

Kindly tell how to remove it.

Former Member · ‎05-11-2011

Hi

Pls try using SUIM -> By Authorization Value -> S_TCODE..

(your P**** tcode may be part of su24 of other tcode which is in role menu)

--Kamal

Bernhard_SAP · ‎05-11-2011

...or contained in an interval (like S_TCODE= M* - R*)

Former Member · ‎05-11-2011

It means the transaction is somewhere in the ess roles but I cant find where it is.

If you are following a certain naming convention for these ESS roles then you can easily find the roles that contain a particular tcode in SUIM.

In SUIM select Roles-->Roles by complex selection criteria, and in the next screen that pops up you can mention the role(if you are following a certain naming convention for ESS roles, for ex. all ESS roles starts with E then you can put as E*) and in the Object field put S_TCODE(press enter) and Transaction code field put the Tcode which you are looking for.

Hope this might help you.

Regards,

Ritesh

Former Member · ‎05-24-2011

Hi,

Transaction codes are present in role at two different places.

1. You can check the role menu where you can find the T-code and remove it.

2. You can go inside the role and check the Object S_TCODE which may contain the required T-code in terms of interval also like A-Z due to which user will have access to that T-code.

3. There might be a case a T-code may be internally calling another T-code (you can check that from SE93) in that case S_TCODE for the Transaction code which is checked when T-code is ran is not checked and user might still have access to that T-code. So it might be that the T-code that you want to restrict that is P*** might be called after executing any other T-code as well.

Hope this helps.

Thanks

Former Member · ‎05-24-2011

HI,

I Agree with Deepak ,

Transaction can be checked in a role in Menu Tab, or in S_Tcode or user having access to a transaction S**** may be calling the transaction P****.

Thanks,

Sandeep

Former Member · ‎05-24-2011

Hi

Maybe looking at this from a table entry view may help as we haven't had a response back on the recent replies I'm assuming they aren't helping?

For the test user try outputting table AGR_USERS and then running table AGR_1251 populated with the list of roles already discovered from AGR_USERS. Do you see the transaction in field TCD? Try pivot table from exel...

Apart from this clunky method the previous replies cover it all perfectly anyway - just wondered if there was any progress on the post?

Cheers

David

goldy_verma · ‎05-25-2011

One of the best way is to check the table AGR_TCODES:

goto SE16 put table name AGR_TCODES EXECUTE IT.

put the name of tcode in field extended program P***** and in Agr name put * then execute it.

it will give you list of all role having tcode P*****.

Cheers

Goldy Verma

Former Member · ‎05-25-2011

Hi Goldy

Please refer to the previous posts in this thread as AGR_TCODES is limited to transactions present on the menu.

Hi
 Pls try using SUIM -> By Authorization Value -> S_TCODE..
 (your P**** tcode may be part of su24 of other tcode which is in role menu)
 
--Kamal

@ OP: it would be helpful to be given the actual transaction so that we can dig further using a real example rather than a hypothetical...

Cheers

David

Edited by: David Berry on May 25, 2011 10:18 PM