Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

User able to access PU00 Tcode even though its not assigned.

Go to solution
Former Member

‎11-25-2013 10:31 PM

0 Kudos

Hi All,

Recently we have upgraded to ECC EHP6 from ECC6. I am finding strange thing in security.

A user is able to access PU00 Tcode even though its not assigned to a user via any role.

I have checked in SAP Role Menu and in authorization data as well, but there is no PU00. Even I ran SUIM to see which roles contains PU00 Tcode but did not find the role which is assigned to the user, but user is able to access the PU00.

I even checked the TCD Couples and did not see any thing unusual. Here is the screenshot.

and also I am adding Su24 Screenshot for reference. Here it is

We do have other landscape for ECC6, where this is working fine means user is unable to access PU00 if it is not assigned via role.

I know this issue is happening because of EHP6 Upgrade only, but could not identify the reason to fix the problem.

Please let me know if any body had similar issue, how to handle this.

Regards,

Krishna

Preview file
95 KB
Preview file
79 KB
1 ACCEPTED SOLUTION

Go to solution
Former Member

‎11-26-2013 4:17 PM

0 Kudos

Hi All,

I have created the test users via Secatt script and after creation I did not validate the test users roles, by mistake secatt has assigned same role  to all the user, which caused the issue.

Thanks for your interest and responses. I am closing this thread.

Regards,

Krishna R

2 REPLIES 2

Go to solution
Former Member

‎11-26-2013 9:35 AM

0 Kudos

Hi Krishna,

My client is also on EHP6 and we do not have this issue.

In case you used the SUIM report "Users by Transaction authorization", please note that this only checks transactions assigned through the role menu and will ignore any S_TCODE authorizations that were added manually to a role or acquired through a profile.

To make sure the user really doesn't have the authorization for PU00, please run following reports:

- SUIM - "Users by authorization values" using object S_TCODE and value PU00

- SU56 -> other user using the user's name and object S_TCODE. Search for value PU00 or any wildcards that match this transaction code (*, P*, ...)

Brent

Go to solution
Former Member

‎11-26-2013 4:17 PM

0 Kudos

Hi All,

I have created the test users via Secatt script and after creation I did not validate the test users roles, by mistake secatt has assigned same role  to all the user, which caused the issue.

Thanks for your interest and responses. I am closing this thread.

Regards,

Krishna R