Solved: SE38 restricted access

Former Member · ‎01-22-2007

Hi

Is there a way to create a profile which has access ONLY to DISPLAY programs in SE38( not to execute / create / display )

Version is R/3 4.5B

Can anyone help out?

Thanks in advance,

Manju

manohar_kappala2 · ‎01-23-2007

Hi,

You can create screen variants i.e we can define what options you can display on a particular screen. The transaction for doing this is SHD0 if I am not wrong. So I didnt get the exact meaning of a new client... But if your question is whether this changes can be made in the existing client, yes it can be done directly no need to create a new client.

But first try this in a Sandbox System and replicate them in the system where you want this changes to be effective.

Former Member · ‎01-22-2007

Hi,

I think not... we had a similar thought and tried with having 03 values inS_DEVELOP but were unable to restrict other options in SE38.

we now use this Tcode sparingly in assignment....

Let me know if u have any other work around...

Br,

Sri

Award points for helpful answers

Former Member · ‎01-23-2007

Hi Manju,

I thing u can do this by creating custom transaction code for those programs.

Regards,

Kiran

Former Member · ‎01-23-2007

Hi Kiran,

If i am not wrong, does this Custom Tcode help us to View the Code ???

Generally Z Tcodes are created to Run these programms but not display it...

Correct me if i am wrong.

Br,

Sri

Award points for helpful answers

manohar_kappala2 · ‎01-23-2007

Hi,

Using the S_DEVELOP object you can control access to create or change but not execute. Probably you can go for a screen variant where you can hide the execute button so that he will not be able to see it and so will not be able to execute it.

Regards,

Manohar

Former Member · ‎01-23-2007

Hi

If we hide the execute button, he can do it from the Menu rt !!?!!

And is it possible for customised T Code only to display without any other actions??

Or is it possible by creating a new client??

Thanks.

manohar_kappala2 · ‎01-23-2007

Hi,

You can create screen variants i.e we can define what options you can display on a particular screen. The transaction for doing this is SHD0 if I am not wrong. So I didnt get the exact meaning of a new client... But if your question is whether this changes can be made in the existing client, yes it can be done directly no need to create a new client.

But first try this in a Sandbox System and replicate them in the system where you want this changes to be effective.

Former Member · ‎01-23-2007

Hi,

there is a pitfall: A user having S_DEVELOP / 03 to display a program, can also run it (unless it is protected by an authorization group / by S_PROGRAM) - regardless of the TCODEs he has.

[The same is true for the even more "dangerous" function modules - but there is security note 587410 available to fix this in systems below 6.40. A similar "patch" for reports is not available as far as I know.]

As a consequence there are two routes:

1) Don't give S_DEVELOP / 03 to anybody on production. Instead create a custom transaction that displays (and only displays !) reports without checking for S_DEVELOP / 03.

Access to this new transaction could be controlled via its TCODE or - if higher granularity is required - via its functionality (e.g. limiting it to Z* programs) or via an additional "Z_DEVELOP" authorization object.

2) Close the "run ABAP" access by fully deploying S_PROGRAM authorizations, i.e. by filling the authorization group of all reports. This seems to be quite a hassle. It has been discussed in this forum already ...

Hope this gives a hint.

With kind regards,

Ralf

Former Member · ‎01-24-2007

Hello all

Thanks for the hepls !!