04-09-2013 3:52 PM
Hi,
I know that I have to execute the authority trace on the same application server to see any results.
Maybe an user and the authority admin are on different application server. So the authority admin could execute transaction SM51 to change the application server.
But when the authority admin has authority for transaction SM51 he can stop processes. That is not secure!
Is there a solution for Release < 7.30?
I heard with 7.30 it is possible to choose the system or server for which the trace should be shown.
Thank you and
Best Regards
Bjoern
04-10-2013 4:16 AM
Hi Bjoern
I'm pretty sure you can allow the SM50/51/SM04 for the Security person to switch app servers without granting S_ADMI_FCD = PADM
S_ADMI_FCD enables stopping of processes.
Shivraj is right in the work around. However, depending on how you have implemented SAPGUI with saplogon.ini file you may not want to add it to the SAPLogon. For example, if you have load balancing in place but list all the app servers users are most likely to choose the first.
04-09-2013 6:09 PM
Bjoern,
One work around for this scenario i.e. switching between servers without using SM51, that I have worked with is to create manual logons directly to the application server in GUI Pad. Then you can check the user's server from AL08 etc. and directly logon to that server. Hope it helps.
Regards,
Shivraj
04-10-2013 4:16 AM
Hi Bjoern
I'm pretty sure you can allow the SM50/51/SM04 for the Security person to switch app servers without granting S_ADMI_FCD = PADM
S_ADMI_FCD enables stopping of processes.
Shivraj is right in the work around. However, depending on how you have implemented SAPGUI with saplogon.ini file you may not want to add it to the SAPLogon. For example, if you have load balancing in place but list all the app servers users are most likely to choose the first.