R/3 Basis security Problem

Former Member
0 Kudos

Hi,

I am posting my problem below. Please, it's urgent.

Problem Description

Currently the project manager/Business Analyst in the IT department downloads the output from the PMF jobs. The ultimate aim is to pass this job to the business, but currently the role that is used to grant access to these reports is via SM37/SP01 using the BUSINESS_ANALYST role. But due to the sensitivity of both SM37 and SP01, this role can't be assigned to the end user. There is currently no way of giving the end users access to view the output without them being able to view too much.

Required Change

Enable the end users' access to view the output from the PMF jobs, BUT restricting access to just view this output / job, NOT everything in SP01 or SM37. The preference would be to add SP01 but in such a way that the user will only see output from this job and anything they've requested themselves.

Reward points are guaranteed.

Regards,

Ravi G

Message was edited by:

Ravi Kumar Gunda

Accepted Solutions (1)

Former Member
0 Kudos

Hello,

You can restrict the users to see only by job name using object S_BTCH_JOB, and in SP01 you can restrict for the spool long device names using object S_SPO_DEV.

Cheers,

-Sunil

Answers (1)

Former Member
0 Kudos

Hi Ravi,

As long as you are giving only display access to SM37, there is no need to restrict users to view only a specific job. We have assigned SM37 without selective display restrictions to end users and we are SOX compliant.

The point is that you have to ensure users are not able to change or repeat schedule the jobs through SM37.

S_BTCH_JOB is not very helpful. In S_BTCH_JOB, if you give JOBACTION as SHOW then the user is able to see all the jobs including his own ones. JOBGROUP always must have value * for the object. Now in your case, not only should the user be able to see his own jobs but also a specific job whose owner will be somebody else. If you don't give SHOW then he also won't be able to see the spool requests for jobs other than his own, nor be able to display job details for other users' jobs through SM37. Check OSS note 101146. Check the documentation of this object in the SU21 transaction under object class BC_A.

Now I don't think that there is any danger in giving users the display access to all the jobs as long as they cannot tamper with them. SHOW/LIST values in job action will ensure that the user is not able to change jobs other than his own.

Now coming to SP01. Ensure no user has SP01 and SP0R in auth object S_ADMI_FCD. This will ensure that he is able to view only his own spools. In case you want to give him access to view even a single spool other than the ones belonging to him, you need to give access to SP0R or SP01. So this still does not solve the issue for you. Check OSS note 119147.

We had a similar requirement as yours. In order to solve the spool related issue we removed SP01 and SP0R from S_ADMI_FCD and then assigned it to a select few users in the end user department who were made responsible for spool display and download.

As of now SAP does not really help with this requirement. Maybe you can make use of user exits or create a custom based report that will lead to SM37 and SP01.

Not sure if this was too helpful to you.

Regards.

Ruchit.

Message was edited by:

Ruchit Khushu
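
The checks described in the answer above (no SP01/SP0R in S_ADMI_FCD for end users, only SHOW/LIST in S_BTCH_JOB JOBACTION) can be audited over an export of role authorization values. The following is an added example, not part of the thread or of any poster's system; it assumes a CSV export with the columns AGR_NAME, OBJECT, FIELD, LOW, HIGH (as in table AGR_1251), uses constructed role names, and matches only single values, trailing-`*` patterns and LOW-HIGH ranges.

```python
import csv
import io

# Constructed sample: rows shaped like a CSV export of role authorization
# values (column names follow table AGR_1251; all role names are made up).
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_PMF_ENDUSER,S_BTCH_JOB,JOBACTION,LIST,
Z_PMF_ENDUSER,S_BTCH_JOB,JOBACTION,SHOW,
Z_PMF_ENDUSER,S_BTCH_JOB,JOBGROUP,*,
Z_PMF_SPOOL_OWNER,S_ADMI_FCD,S_ADMI_FCD,SP0R,
Z_IT_ANALYST,S_ADMI_FCD,S_ADMI_FCD,SP01,
Z_IT_ANALYST,S_BTCH_JOB,JOBACTION,*,
Z_BASIS_RANGE,S_ADMI_FCD,S_ADMI_FCD,SP00,SP0Z
"""

DISPLAY_ONLY = {"SHOW", "LIST"}      # job actions the thread treats as display
CROSS_USER_SPOOL = {"SP01", "SP0R"}  # S_ADMI_FCD values that open other users' spools


def covers(low, high, value):
    """True if a single value, trailing-* pattern or LOW-HIGH range covers value."""
    low, high = low.strip(), high.strip()
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def audit(export_text):
    """Return sorted (role, finding) pairs for roles that exceed display-only access."""
    findings = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        role, obj, field = row["AGR_NAME"], row["OBJECT"], row["FIELD"]
        low, high = row["LOW"] or "", row["HIGH"] or ""
        if obj == "S_ADMI_FCD" and field == "S_ADMI_FCD":
            for value in sorted(CROSS_USER_SPOOL):
                if covers(low, high, value):
                    findings.add((role, f"S_ADMI_FCD grants {value}"))
        elif obj == "S_BTCH_JOB" and field == "JOBACTION":
            # Any range or any value other than SHOW/LIST (including *) is flagged.
            if high.strip() or low.strip() not in DISPLAY_ONLY:
                findings.add((role, f"S_BTCH_JOB JOBACTION {low} is not display-only"))
    return sorted(findings)


if __name__ == "__main__":
    for role, finding in audit(SAMPLE_EXPORT):
        print(f"{role}: {finding}")
```

Roles that appear in the output are the ones to review before assigning them to end users; a role meant for the "select few" spool owners is expected to show up with SP0R or SP01.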