Solved: T-codes not assigned to user role but have access

Former Member · ‎11-29-2011

Dear Friends ,

I have few t-codes which I shouldn't be having and none of the roles I'm assigned to have access to these t-codes, for auditing purposes this access should be restricted but I'm not know how to approach , can some one throw some approach to figure this out ?

Thanks in advance .

martin_voros · ‎11-29-2011

Hi,

use one of the reports from SUIM or SU56 to figure out which profile/role gives you authorization to run that transaction. Are you talking about direct executing transaction? In some cases you can navigate to transaction from other transaction and authorization check is not performed or disabled.

Cheers

martin_voros · ‎11-29-2011

Hi,

use one of the reports from SUIM or SU56 to figure out which profile/role gives you authorization to run that transaction. Are you talking about direct executing transaction? In some cases you can navigate to transaction from other transaction and authorization check is not performed or disabled.

Cheers

Former Member · ‎11-29-2011

Yes - second the question - are you able to directly execute or are tumbling sideways into new transactions from some starting transaction?

If you are getting to transactions that you believe you do not have an S_TCODE for and you are getting to them via another transaction, check transaction SE97 or table TCDCOUPLES for the calling transations/relationships/settings.

Former Member · ‎11-29-2011

Mellisa - thanks a Millioon , well I was trying to execute FB01 and F-02 in production and that is what was causing problem , I executed table TCDCOUPLES and entered above t-codes under calling transaction and again there are several t-codes under called transactions which give me access to Fb01 and F-02 , so how do I resolve this ? I should not be having access to Fb01 and F-02 .

Thanks again ,

Former Member · ‎11-29-2011

That is tricky. The settings in SE97/TCDSPOUPLES will impact the entire system.

The only real answer (someone check me on this) is to check and make sure that all users who legitimately need the called transations have them in a role and then set the relationship in SE97 to do a check on the called transation. Be sure, though, this will impact the whole system so make absolutely sure everyone else is set first.

...and, obviously, make sure you don't actually have the called transation yourself

Former Member · ‎11-29-2011

Thanks so much Melissa, I'll try to do that and see how it works .

Former Member · ‎12-02-2011

Melissa - We are tyring to test this by creating a new role how do I know the list of t-codes in FICO to be blocked ( display only) in production as I know few of them which needs to be blocked but trying to get the consolidate all the t-codes , any advise ?

Thanks in advance,

Lakshmi.

Former Member · ‎12-02-2011

BIG EDIT..

After reading a few more times - you are worried that you have access to some transactions in PRD?

The strange thing is - you are posting in a security and authorisations forum about having access to finance transactions.

1. Are you an S&A bod?

2. Do you have profiles assigned?

3. Have you run the SUIM report for transactions executable for user?

4. Do you have RAR and does that show anything bad?

If you have been assigned a display all role which is now corrupted you will have more access than expected, your normal ST01 traces on yourself plus SUIM checks will throw up the causes if you haven't already checked through your roles and profiles listing.

What does SUIM give for users by complex =you/roles or profiles

Cheers

David

Edited by: David Berry on Dec 2, 2011 11:03 PM

Edited by: David Berry on Dec 2, 2011 11:11 PM

Edited by: David Berry on Dec 2, 2011 11:16 PM