03-21-2007 8:03 AM
How can I grant a profile to a user with the profile SAP_ALL except running the transaction code SU01?
I know how to lock the transaction code using SM01, but is there any other way to do it?
03-21-2007 9:05 AM
Hi,
You can customize a role via PFCG or RSECADMIN by making a copy of SAP_ALL = ZSAP_ALL.
You change the Z role by:
- Changing object S_TCODE from class AAAB,
- Changing object P_TCODE from class HR
Hope it helps.
03-21-2007 9:06 AM
SM01, or you make a copy of the profile SAP_ALL to Z:SAP_ALL and delete
the * in the object S_TCODE - change this to
0* to 9* and
A* to SU00* and
SU03* to Z*
03-21-2007 6:14 PM
Hi,
One option you can try is
giving the range as mentioned above for S_TCODE, but there are other tcodes which give access to SU01, one example being OIBB.
My suggestion would be to inactivate the object S_USER_GRP,
so that he will not have access to SU01, as SU01 requires this object for sure to display the screen even if he has SU01 in S_TCODE
(the reason being the TSTCA table entry for SU01).
Try this; it will surely not give access to SU01 even if he has access to the tcode.
Let me know if it helps.
cheers,
Manohar
03-21-2007 10:53 PM
As Manohar suggested, you need to restrict this at object level too. Removing SU01 is not sufficient to prevent people from user maintenance - take a look at some of the OY* transactions for example. There is at least one which will take you to user maintenance.
The problem with modifying SAP_ALL is that, by the nature of the profile, you are still giving enough access to circumvent the restriction that you put in place if you are not very careful.
03-22-2007 7:20 AM
Go to S_TCODE
Double click on it and give the combinations like A* - X*
SU00
SU02 - Z*
Try this one; it will definitely work.
03-23-2007 9:31 AM
You can restrict SAP_ALL whatever you like, but if you still have debug&replace authorization (S_DEVELOP) you can bypass everything. And there are more ways to get around SU01-restriction...
03-23-2007 1:30 PM
I agree. It is not feasible to grant people access to a copy of SAP_ALL and remove the reference to the S_TCODE SU01. There are quite a few other parameter tcodes that simply launch/bypass SU01. Also PFCG, SU10, S_DEVELOP all allow you to do the same thing. There are too many ways to perform user maintenance.
Just find out what transactions the people need and give those to them. No one needs SAP_ALL anyway. I'd be surprised if anyone says that they need more than 200 tcodes.
05-03-2007 4:09 PM
And there is even further reason not to restrict on TCODE only. The following transactions are identical copies of SU01 and will still work when you have put a restriction in place for SU01:
GCE1
OY30
OY29
OY28
OY27
OY22
OVZ5
OTZ1
OPF0
OMWF
OMEH
OMDL
Kind regards,
Lodewijk
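As an added illustration (not part of any post in this thread, and not SAP code), the sketch below checks the S_TCODE ranges from the 9:06 AM reply against the transactions the thread names as other routes to user maintenance. The range matching is a simplified assumption, and the function names are hypothetical.

```python
# Added example: simplified range model, not SAP's kernel authorization check.
# Assumption: a bound such as "SU00*" is read as the prefix "SU00"; an upper
# bound with "*" also covers every code that starts with that prefix.

# S_TCODE ranges proposed in the 9:06 AM reply (everything except SU01/SU02)
S_TCODE_RANGES = [("0*", "9*"), ("A*", "SU00*"), ("SU03*", "Z*")]

# Transactions the thread names as other routes to user maintenance
NAMED_IN_THREAD = [
    "OIBB", "PFCG", "SU10", "GCE1", "OY30", "OY29", "OY28", "OY27",
    "OY22", "OVZ5", "OTZ1", "OPF0", "OMWF", "OMEH", "OMDL",
]


def in_range(tcode, low, high):
    """True if tcode falls inside one from/to pair under the model above."""
    tcode = tcode.upper()
    lo, hi = low.rstrip("*"), high.rstrip("*")
    below_upper = tcode <= hi or (high.endswith("*") and tcode.startswith(hi))
    return lo <= tcode and below_upper


def is_allowed(tcode, ranges=S_TCODE_RANGES):
    """True if any S_TCODE range in the role admits the transaction."""
    return any(in_range(tcode, low, high) for low, high in ranges)


def still_reachable(ranges=S_TCODE_RANGES, candidates=NAMED_IN_THREAD):
    """Transactions from the thread that the restricted role still allows."""
    return [t for t in candidates if is_allowed(t, ranges)]


if __name__ == "__main__":
    print("SU01 allowed:", is_allowed("SU01"))
    print("Still reachable:", ", ".join(still_reachable()))
```

A role reviewer can swap in the ranges of the role under review and the customer's own list of sensitive transactions to see which ones a tcode-only restriction leaves open.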
05-08-2007 10:07 PM
Hi,
You can inactivate or make display-only the objects below - but every time you regenerate SAP_ALL you need to do this again.
S_USER_GRP
S_USER_AUT
S_USER_PRO
This will allow the user to view SU01 but not update.
Thanks
Anands