
How to restrict a user from using the transaction code SU01?

Former Member
0 Kudos

How can I grant a profile to a user with the profile SAP_ALL except running the transaction code SU01?

I know how to lock the transaction code using SM01, but is there any other way to do it?

9 REPLIES

Former Member
0 Kudos

Hi,

You can customize a role via PFCG or RSECADMIN by making a copy of SAP_ALL as ZSAP_ALL.

You change the Z role by:

- Changing object S_TCODE from class AAAB,

- Changing object P_TCODE from class HR

Hope it helps.

Thomas_Berger
Participant
0 Kudos

SM01, or you make a copy of the profile SAP_ALL as Z:SAP_ALL and delete the * in the object S_TCODE - change this to

0* to 9* and

A* to SU00* and

SU03* to Z*

manohar_kappala2
Contributor
0 Kudos

Hi,

One option you can try is giving the range as mentioned above for S_TCODE, but there are other tcodes which give access to SU01, one example being OIBB.

My suggestion would be to inactivate the object S_USER_GRP, so that he will not have access to SU01, as SU01 requires this object for sure to display the screen even if he has SU01 in S_TCODE.

(The reason being the TSTCA table entry for SU01.)

Try this; it will surely not give access to SU01 even if he has access to the tcode.

Let me know if it helps.

cheers,

Manohar

Former Member
0 Kudos

As Manohar suggested, you need to restrict this at object level too. Removing SU01 is not sufficient to prevent people from user maintenance - take a look at some of the OY* transactions for example. There is at least one which will take you to user maintenance.

The problem with modifying SAP_ALL is that, by the nature of the profile, you are still giving enough access to circumvent the restriction that you put in place if you are not very careful.

Former Member
0 Kudos

Go to S_TCODE

Double click on it and give the combinations like A* - X*

SU00

SU02 - Z*

Try this one, it will definitely work.

l_borsboom
Active Participant
0 Kudos

You can restrict SAP_ALL whatever you like, but if you still have debug&replace authorization (S_DEVELOP) you can bypass everything. And there are more ways to get around SU01-restriction...

0 Kudos

I agree. It is not feasible to grant people access to a copy of SAP_ALL and remove the reference to the S_TCODE SU01. There are quite a few other parameter tcodes that simply launch/bypass SU01. Also PFCG, SU10, S_DEVELOP all allow you to do the same thing. There are too many ways to perform user maintenance.

Just find out what transactions the people need and give it to them. No one needs SAP_ALL anyway. I'd be surprised if anyone says that they need more than 200 tcodes.

0 Kudos

And there is even further reason not to restrict on TCODE only. The following transactions are identical copies of SU01 and will still work when you have put a restriction in place for SU01:

GCE1

OY30

OY29

OY28

OY27

OY22

OVZ5

OTZ1

OPF0

OMWF

OMEH

OMDL

Kind regards,

Lodewijk
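The point made in the replies above, as an added example that is not part of any post in this thread: a Python sketch that applies the S_TCODE ranges suggested for Z:SAP_ALL to the transactions the replies name, so a role reviewer can see which ones the ranges still permit. The matching rule (ASCII string comparison, trailing * as a prefix wildcard) is a simplifying assumption and not SAP's own authorization check, and all function names are hypothetical.

```python
# Added illustration: simplified model of S_TCODE from-to ranges.
# Assumption: values compare as ASCII strings and a trailing * is a
# prefix wildcard. The real check is done by SAP, not by this code.

# Ranges from the Z:SAP_ALL suggestion earlier in the thread.
S_TCODE_RANGES = [("0*", "9*"), ("A*", "SU00*"), ("SU03*", "Z*")]

# Transactions the replies describe as identical copies of SU01.
SU01_COPIES = ["GCE1", "OY30", "OY29", "OY28", "OY27", "OY22",
               "OVZ5", "OTZ1", "OPF0", "OMWF", "OMEH", "OMDL"]

# Other transactions the replies name as routes to user maintenance.
OTHER_ROUTES = ["OIBB", "PFCG", "SU10"]


def in_range(tcode, low, high):
    """True if tcode falls inside one from-to range (simplified model)."""
    lo = low.rstrip("*")
    hi = high.rstrip("*")
    if high.endswith("*"):
        # Wildcard upper bound: compare only the prefix of the tcode.
        upper_ok = tcode[:len(hi)] <= hi
    else:
        upper_ok = tcode <= hi
    return tcode >= lo and upper_ok


def is_permitted(tcode, ranges=S_TCODE_RANGES):
    """True if any range in the S_TCODE authorization covers tcode."""
    return any(in_range(tcode, lo, hi) for lo, hi in ranges)


def audit(ranges=S_TCODE_RANGES):
    """Return the user-maintenance entry points the ranges still allow."""
    candidates = ["SU01"] + SU01_COPIES + OTHER_ROUTES
    return [t for t in candidates if is_permitted(t, ranges)]


if __name__ == "__main__":
    print("SU01 permitted:", is_permitted("SU01"))
    print("Still permitted:", ", ".join(audit()))
```

Under this model the ranges exclude SU01 itself but leave every other transaction named in the thread inside the permitted set, which is why the replies recommend restricting at object level instead.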

0 Kudos

Hi,

You can inactivate or make display-only the objects below, but every time you regenerate SAP_ALL you need to do this again.

S_USER_GRP

S_USER_AUT

S_USER_PRO

This will allow the user to view SU01 but not update.

Thanks

Anands