09-09-2011 4:12 PM
We are doing a role cleanup and removed transactions from a general all-user role that were causing SoD violations, and access was restricted. It's audit time and, guess what, the transactions are still appearing in S_Tcode even though they are not in the menu. I ran a test this morning using the general role: if you know to type the transaction code, you can access it.
S_Tcode of course is un-editable, and P_Tcode, I_Tcode, QM_tcode are not present, so how do I get this transaction out of S_tcode so that my role security matches my intent?
09-09-2011 4:59 PM
This transaction is probably a proposed S_TCODE value brought along by one of the transactions in the menu. Have a look in SU24 for all proposals that apply to the transactions in the menu for this role.
Jurjen
09-09-2011 5:39 PM
Thank you for the information. I can't turn off the proposals, but this led me to the auth object that I can restrict to make the transaction display only.
09-11-2011 9:16 AM
Search through SUIM for the ROLE for the object S/P/I/Q/L_TCODE and the tcode which is executed.
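Added example, not part of the original thread: a Python version of the check the replies above describe, comparing the S/P/I/Q/L_TCODE values held by a role with the transactions in its menu. The export layout, the role name `Z_ALL_USERS` and the transaction lists are constructed assumptions, not data from this system.

```python
from fnmatch import fnmatchcase

TCODE_OBJECTS = {"S_TCODE", "P_TCODE", "I_TCODE", "Q_TCODE", "L_TCODE"}

# Constructed sample data; assumed export layout: (role, object, low, high).
AUTH_ROWS = [
    ("Z_ALL_USERS", "S_TCODE", "SU53", ""),
    ("Z_ALL_USERS", "S_TCODE", "SBWP", ""),
    ("Z_ALL_USERS", "S_TCODE", "FB01", ""),      # left behind after menu cleanup
    ("Z_ALL_USERS", "S_TCODE", "ME21", "ME23"),  # range value
    ("Z_ALL_USERS", "S_TCODE", "SM3*", ""),      # pattern value
    ("Z_ALL_USERS", "S_USER_GRP", "*", ""),      # unrelated object, ignored
]
MENU_TCODES = {"Z_ALL_USERS": {"SU53", "SBWP"}}  # constructed role menu


def grants(low, high, tcode):
    """True if one authorization value (single, pattern or range) covers tcode."""
    if high:
        # Plain string comparison, an approximation of range evaluation.
        return low <= tcode <= high
    return fnmatchcase(tcode, low)  # '*' in the value acts as a wildcard


def startable_outside_menu(role, auth_rows, menu, watchlist):
    """Return (values not backed by the menu, watchlist tcodes still startable)."""
    values = [(low, high) for r, obj, low, high in auth_rows
              if r == role and obj in TCODE_OBJECTS]
    in_menu = menu.get(role, set())
    unexpected = []
    for low, high in values:
        is_single = not high and "*" not in low
        # Ranges and patterns are always reported: they can cover more than the menu.
        if not (is_single and low in in_menu):
            unexpected.append(f"{low}-{high}" if high else low)
    reachable = sorted(t for t in watchlist
                       if any(grants(lo, hi, t) for lo, hi in values))
    return unexpected, reachable


if __name__ == "__main__":
    extra, hits = startable_outside_menu(
        "Z_ALL_USERS", AUTH_ROWS, MENU_TCODES, {"FB01", "ME22", "SM30", "SE38"})
    print("values not backed by a menu entry:", extra)
    print("watchlist tcodes still startable:", hits)
```
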
09-11-2011 7:31 PM
Hi
Silly question...
Why would the all-user role contain transactions/auth objects which create SoDs?
Anyhoo
Glad you fixed it.
Regards
David
09-11-2011 10:30 PM
Nice observation
However, for RFC users it is generally a very bad idea to add the "common functions" role to them - but this is mostly because of the role itself...
Cheers,
Julius