Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Restrict Reorganize option in SM58

Former Member
0 Kudos

We have a situation where we are trying to limit SM58 to display only. As a standard  behavior in SM58, a user cannot delete the trfc entries created by some one else, which is good. However, when they browse through Logfile -> Reorganize -> and execute they have access to delete every single log entry.

From security standpoint, the only object that is being checked in S_ADMI_FCD with NADM (this is being checked at the start of transaction). So, removing this object will not let users get into SM58. Our goal is to have people look at the logs and should not have access to use "Reorganize" option. Please let me know if there is any solution for this issue.

2 REPLIES 2

martin_voros
Active Contributor
0 Kudos

Hi,

as you said SM58 calls report RSARFCER when you click on menu entry re-organize. This report checks only for S_ADMI_FCD. SM58 also checks for this object so by default anyone with access to SM58 has access to delete entries. The check is not granular enough for your use case. Hence the only solution is to add additional check somewhere.

Unfortunately, RSARFCER does not have any suitable implicit enhancement point that could be used to add additional authorization check before deleting records. Double bad luck because SM58 does not offer a nice enhancement point either. But there is some hope. Here is a code that sets PF status and then calls routine to display results.

set pf-status 'LISTE'.

*perform top_of_page.

perform show_file.

You could use implicit enhancement point - beginning of routine show_file. You could perform additional authorization check there and if it fails then set pf status again but using excluding option to exclude option REOR.

Cheers

Former Member
0 Kudos

You should open a customer message to report this. As interim you can use S_PROGRAM though.

Cheers,

Julius