MR transaction runnable despite not in S_TCODE

Former Member · ‎05-13-2012

Dear gurus,

need your help to understand a strange problem I'm facing.

I have created a role in PFCG from different menu areas.

I have deleted all the MR* transaction (es for example MR03). My role is correctly generated and it's all green.

I have assigned it to a test user but it can run the transaction!!

I made a trace from ST01 and it shows that he can do this because is in S_TCODE. but in the role the transactions is missing.

Would you mind to give me an help?

someone of you faced it?

Former Member · ‎05-13-2012

Hi Kir,

There could be many reasons Start with checking the user authorization buffer using tcode SU56. This will show you all the authorization objects available in user buffer, search for S_TCODE and then check from where the access is available. My guess, some profiles might be already assigned to this test user.

Cheers !!

Zaheer Kazi

Former Member · ‎05-14-2012

Hello Zaheer, thank you for the answer. I tried your suggestion but in SU56 for S_TCODE all the MR* transacation are NOT available for the user.

But he can run them without any restriction. I'm thinking it's a bug.

Former Member · ‎05-14-2012

Hi Kir,

Please check the S_TCODE object(S) within your role for any wildcard or range which includes MR* tcodes. Also make sure that your test user does not have any SAP profile assignments in SU01.

Just my 2 cents!

Thanks

Sandipan

Former Member · ‎05-14-2012

Yes, please check ranges and wildcards also. If that doesn't work out, check out the RZ11 parameter to disable auth checks for tcodes.

Cheers !!
Zaheer

Former Member · ‎05-14-2012

Hello Zaheer - Sandipan,

thank you again. in the role for S_TCODE there's no wildcard and no MR* transaction. I have checked it several time.

For Zaheer. What do I have to check in Rz11, which parameter?

regards

Former Member · ‎05-14-2012

Try auth/tcodes_not_checked.

Silly question, but did you tried SUIM for transaction and S_TCODE object search.

Cheers !!

Zaheer

Former Member · ‎05-15-2012

Hi,

ST01 will show S_TCODE MRxx if the user tries to execute the transaction - even if he/she doesn't have the auth. It is the return code that matters.

You might also check transaction SU24 (see attachment) and verify that the check indicator is set to the value 'C' (check) for the MR** trx's.

Also, not likely because it is standard code, but make sure the AUTHORITY-CHECK is not being bypassed in the relevant program(s).

Cheers,

MWW.

Former Member · ‎05-15-2012

Hi Michael,

As far I know SAP doesn't allow you change Check Indicators for BC and HR related objects.

Cheers !!
Zaheer

Former Member · ‎05-15-2012

Spot on Zaheer! In addition to that, authorization check on S_TCODE is carried out in Kernel and is not controlled by SU24 check indicator status

Kir,

As already suggested above, please let us know the values of parameter- auth/tcodes_not_checked from tcode RZ11 or TU02.

Thanks

Sandipan

Former Member · ‎05-15-2012

Hello,

I have checked the parameter susuggested by Zeheer nad I have no value (empty) so I think it's those transaction are not excluded from the check.

The user does not have any other profile or role added.

My system is an EHP5 with all the security notes applied.

Just to add an info the role was created selecting the menu tree.

I did not try creating one from another role.

Someone of you has an EHP5 and faced in it the same problem?

Bernhard_SAP · ‎05-15-2012

Hello Kir,

one additional idea: please check the user, if he has a reference user assigned for additional authorizations (SU01->tab roles).

If not, I suggest to open a message at SAP (BC-SEC-AUT).

b.rgds, Bernhard

Former Member · ‎05-15-2012

Aha.. Bernhard, i almost missed that "Reference User"

Cheers !!

Zaheer Kazi