Solved: SA38 in display mode only

former_member220071 · ‎10-12-2012

Dear All,

We have query about T Code SA38.For one of the Z program we need to give SA38 transcation for the user .But we need He/She does not post any entry using this T Code.User will get only display mode only in SA38.

Kindly Suggest your opinion.

Thanks & Regards,

Abhijit

paula_w_arnold · ‎10-12-2012

I have mixed feelings as to whether this is an interview question or whether you are asking for a real situation. On the case that you are asking for real, I do not want you to be headed in the wrong direction but also advise you to take an SAP security training class as this is basic access.

P_ACTION controls how the user runs the program but does not restrict the program to display or update. It controls whether the user can run the program in foreground, background or a variant of a program. But the variant will restrict on the available fields, not whether the user can display or post.

P_GROUP controls which program authorization groups the user has access to.

Granting SA38 will allow them to run more than this one program unless all of your executable programs are in unique authorization groups and you only give them this one authorization group.

If the individual program does any additional authorization checks then they will only be able to run the program if they have those additional authorization checks. However if the program that you are mentioning does not have additional authorization checks within the code and if the program performs an update, then the user will be able to do that update as long as he has access to the program authorization group.

You may want to consider:

1) asking the ABAPer to confirm if he has added any authorization checks to the program and what they are. If the program has posting capability and he has not added additional authorization checks, then your user will be able to post.

2) asking your ABAPer to create a custom transaction code for the program so that you do not have to issue SA38 to the user.

Former Member · ‎10-12-2012

SA38, there's only S_PROGRAM authorization object check - P_ACTION and P_GROUP .I assume controlling the value of these objects should let you control the access.

Please try.

Thanks ,

Dev

former_member220071 · ‎10-12-2012

Dear Devpriy,

Thanks for your reply, i want to know could we control activity of the user so that He/She could not post the document using this T Code ( Restrict only to Display )

In P_ACTION there are three activity.

BTCSUBMIT

SUBMIT

VARIANT

What is P_Group object ? could we give only those program those we want to assign to user.

Thanks & Regards,

Abhijit

Former Member · ‎10-16-2012

Hi Abhijeet,

Through any of the auth. object P_ACTION or P_GROUP you can not restrict user to post the document. For restricting user to posting the documents, you need to ask ABAP person to make this restrcition in code.

Thanks,

Varun Jain

Former Member · ‎10-12-2012

This message was moderated.

paula_w_arnold · ‎10-12-2012

I have mixed feelings as to whether this is an interview question or whether you are asking for a real situation. On the case that you are asking for real, I do not want you to be headed in the wrong direction but also advise you to take an SAP security training class as this is basic access.

P_ACTION controls how the user runs the program but does not restrict the program to display or update. It controls whether the user can run the program in foreground, background or a variant of a program. But the variant will restrict on the available fields, not whether the user can display or post.

P_GROUP controls which program authorization groups the user has access to.

Granting SA38 will allow them to run more than this one program unless all of your executable programs are in unique authorization groups and you only give them this one authorization group.

If the individual program does any additional authorization checks then they will only be able to run the program if they have those additional authorization checks. However if the program that you are mentioning does not have additional authorization checks within the code and if the program performs an update, then the user will be able to do that update as long as he has access to the program authorization group.

You may want to consider:

1) asking the ABAPer to confirm if he has added any authorization checks to the program and what they are. If the program has posting capability and he has not added additional authorization checks, then your user will be able to post.

2) asking your ABAPer to create a custom transaction code for the program so that you do not have to issue SA38 to the user.

former_member220071 · ‎10-16-2012

Thank your Varun & Paula,

Dear Paula,

This is real life scenario , we have one user which having only display authorization.

As per his requirement we developed program, which need to be executed through SA38.

Now ABAPer developed new T code, so that user will execute the program by executing T Code.

Thanks once again for helpful answer.

Thanks

Abhijit

koehntopp · ‎10-17-2012

Creating a proper transaction with its own authority checks is always preferrable to using SA38, as convenient as it may be...

Frank.