Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Restriction of configuration and data migration transactions

Former Member

‎10-15-2012 8:10 PM

0 Kudos

Dear Forum,

I'm currently reviewing SAP profiles in a Retail company and I've found many end-users who have access to the following transactions: SPRO, SCAT, LSMW, SQVI, etc. ¿How can I restrict it? ¿Is it possible to use authorizations? ¿Which objects should I use?

Best regards,

Javier

3 REPLIES 3

Former Member

‎10-15-2012 8:57 PM

0 Kudos

Javier,

The easiest thing to do is remove the t-codes. But for each t-code there are relevant auth objects that control the functionality of each transaction. I would look in SU24 for each t-code and see with auth objects are proposed and restrict each object accordingly.

HuseyinBilgen
Active Contributor

‎10-15-2012 8:59 PM

0 Kudos

Hi,

First of all, you've to check the users Roles and Profiles. You can use SUIM TCODE for analysis. There , you've to find from which roles/profiles are these TCODES comes? Then you've 2 options:

1. Remove the TCODES (the ones you mentioned) from the roles/profiles they exist.

2. Create new roles (via PFCG) and give tcodes/area menus but remove the above TCODES. Then remove the users roles and give the newly created ones.

Former Member

‎10-15-2012 9:08 PM

0 Kudos

Hi Javier,

Malcolm's advice is sound. 

Before you do anything establish why users have access to the transaction codes.  It may be that they are misguidedly using them to support a business process which may grind to a halt if these are removed without providing an alternative to ensure that the process operates.  It could be that they have all been assigned an admin or data migration role and the answer is to remove this role rather than individual transactions.

Classifying the transactions can help focus your efforts. 

SQVI has a data leakage and inappropriate reporting risk but will not allow mass changes to data.  SPRO is only any use if users have access to change the tables behind it and the system is open to config changes (or the table settings permit).  I assume that if you haven't already then you will review tcode and auth object combinations to focus on what is executable & highest priority. 

SECATT and LSMW may be restricted to certain cases and be used to only upload certain bits of data (like pricing).  That is not to say that they aren't without risk but they only allow automation of what users already have been granted access to.

If in doubt it is worth enlisting the help of someone within your team (or client) who has role and user management experience who can advise of the implications of the actions which will be performed.

Good luck