11-13-2013 8:44 PM
We have a situation where we are trying to limit SM58 to display only. As a standard behavior in SM58, a user cannot delete the tRFC entries created by someone else, which is good. However, when they browse through Logfile -> Reorganize -> and execute, they have access to delete every single log entry.
From a security standpoint, the only object that is being checked is S_ADMI_FCD with NADM (this is being checked at the start of the transaction). So, removing this object will not let users get into SM58. Our goal is to have people look at the logs, and they should not have access to use the "Reorganize" option. Please let me know if there is any solution for this issue.
11-14-2013 1:13 AM
Hi,
As you said, SM58 calls report RSARFCER when you click on the menu entry Reorganize. This report checks only for S_ADMI_FCD. SM58 also checks for this object, so by default anyone with access to SM58 has access to delete entries. The check is not granular enough for your use case. Hence the only solution is to add an additional check somewhere.
Unfortunately, RSARFCER does not have any suitable implicit enhancement point that could be used to add an additional authorization check before deleting records. Double bad luck, because SM58 does not offer a nice enhancement point either. But there is some hope. Here is the code that sets the PF status and then calls the routine to display results.
set pf-status 'LISTE'.
*perform top_of_page.
perform show_file.
You could use the implicit enhancement point at the beginning of routine show_file. You could perform an additional authorization check there and, if it fails, set the PF status again, but using the EXCLUDING option to exclude option REOR.
Cheers
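The check described in the reply above, written out as an added example (not part of the original reply and not SAP's own code). The enhancement implementation name ZSM58_HIDE_REORG and the customer authorization object Z_TRFC_REO are hypothetical, and activity 06 (delete) is an assumed choice; the PF status LISTE and function code REOR are the ones named in the thread.

```abap
* Added example: implementation of the implicit enhancement point at the
* beginning of FORM show_file in the SM58 program.
ENHANCEMENT 1 ZSM58_HIDE_REORG.    "hypothetical implementation name

* Extra check on top of S_ADMI_FCD. Z_TRFC_REO is a hypothetical customer
* authorization object with the single field ACTVT; 06 = delete (assumed).
  AUTHORITY-CHECK OBJECT 'Z_TRFC_REO'
           ID 'ACTVT' FIELD '06'.

  IF sy-subrc <> 0.
*   User may display the log but not reorganize it: set the same
*   PF status again with the Reorganize function code excluded.
    SET PF-STATUS 'LISTE' EXCLUDING 'REOR'.
  ENDIF.

ENDENHANCEMENT.
```

This only removes the menu entry inside SM58. Report RSARFCER itself still checks only S_ADMI_FCD, so starting the report directly has to be restricted separately.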
11-14-2013 6:54 AM
You should open a customer message to report this. As an interim you can use S_PROGRAM though.
Cheers,
Julius