Solved: Authority Trace and Application Server

former_member620387 · ‎04-09-2013

Hi,

I know that I have to execute the authority trace on the same application server to see any results.

Maybe an user and the authority admin are on different application server. So the authority admin could execute transaction SM51 to change the application server.

But when the authority admin has authority for transaction SM51 he can stop processes. That is not secure!

Is there a solution for Release < 7.30?

I heard with 7.30 it is possible to choose the system or server for which the trace should be shown.

Thank you and

Best Regards

Bjoern

Colleen · ‎04-10-2013

Hi Bjoern

I'm pretty sure you can allow the SM50/51/SM04 for the Security person to switch app servers without granting S_ADMI_FCD = PADM

S_ADMI_FCD enables stopping of processes.

Shivraj is right in the work around. However, depending on how you have implemented SAPGUI with saplogon.ini file you may not want to add it to the SAPLogon. For example, if you have load balancing in place but list all the app servers users are most likely to choose the first.

shivraj_singh2 · ‎04-09-2013

Bjoern,

One work around for this scenario i.e. switching between servers without using SM51, that I have worked with is to create manual logons directly to the application server in GUI Pad. Then you can check the user's server from AL08 etc. and directly logon to that server. Hope it helps.

Regards,

Shivraj

Colleen · ‎04-10-2013

Hi Bjoern

I'm pretty sure you can allow the SM50/51/SM04 for the Security person to switch app servers without granting S_ADMI_FCD = PADM

S_ADMI_FCD enables stopping of processes.

Shivraj is right in the work around. However, depending on how you have implemented SAPGUI with saplogon.ini file you may not want to add it to the SAPLogon. For example, if you have load balancing in place but list all the app servers users are most likely to choose the first.