
Restricting SM35 by Program Name

former_member196034
Participant
0 Kudos

Dear All,

Does anybody know a way to restrict what programs can be released/executed from transaction SM35?

When I run a trace I find the below:

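| User | Program Name | Check Result | Object | Field 1 | Value 1 | Field 2 | Value 2 |
|---|---|---|---|---|---|---|---|
| user01 | SAPMSBDC_CC | 0 | S_BDC_MONI | BDCAKTI | ABTC | BDCGROUPID | POSITION |
| user01 | SAPMSBDC_CC | 0 | S_BDC_MONI | BDCAKTI | ABTC | BDCGROUPID | POSITION |
| user01 | SAPLBTCH | 0 | S_BTCH_ADM | BTCADMIN | Y | | |
| user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' |
| user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' |
| user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' |
| user01 | SAPLSPORuser11 | 0 | S_SPO_DEV | SPODEVICE | LOCL | | |
| user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' |
| user01 | SAPLBTCH | 0 | S_BTCH_ADM | BTCADMIN | Y | | |
| user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' |
| user01 | SAPLBTCH | 0 | S_BTCH_NAM | BTCUNAME | UK05195 | | |
| user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' |
| user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' |
| user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' |
| user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' |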
1 ACCEPTED SOLUTION

Former Member
0 Kudos

Check the table USOBT_C, under the object S_PROGRAM

Look for field name "P_ACTION" and value

In the name field you can see "Program, transaction or function module name"

So you can restrict by "Authorization group ABAP/4 program" and not giving value "BTCSUBMIT" under field "User action ABAP/4 program"

Here "Authorization group ABAP/4" is the value in "P_ACTION" in the table USOBT_C.

Please let me know if you need more info

Cheers

Pavan M

10 REPLIES 10

justin_dauby1
Explorer
0 Kudos

I restrict SM35 by session name. The users who get the role access are limited by session name.

0 Kudos

That can be controlled at transactional level by S_PROGRAM for auth object for restricting tcode to be executed and thus restricting it to be run as a batch.

0 Kudos

Hi Pavan,

I'm not sure I follow.

Are you suggesting I add object S_PROGRAM to the role?

0 Kudos

Luckily Pavan's answers are far enough off the mark that it is clear not to spend much to "try it and see if it works". So I will not reject them as they document his fall progress.

The trick with this is that programs can generate the sessions, so they can control the session names in S_BDC_MONI if you have a convention for them. That is the good news.

Downsides are that if you did not have a convention from the beginning, then it is hard to retrofit. Also the authorization fields follow the ASCII character set from left to right so you need to decide between module first or org. unit first in some cases. Some standard programs are hardcoded but you can SU24 them "out of sight" but others generate numbers even or use a date....

However possibly you meant restricting the program which generates the batch input file which is processed in SM35. That is IMO more critical and object S_DATASET is your weapon here (it has a field for the program name - restrict to its capability via the code and the auths for the program name) and then use tcode FILE to create logical file paths. These checks are in the SAP kernel of the ABAP commands so you do not even need to code them yourself necessarily. Go for the program name in this case as a first resort (in that sense Pavan is almost correct and pinned the tail just left of where the kernel checks the program name).

Cheers,

Julius

0 Kudos

yes please

0 Kudos

thanks for your help Julius.

michael_kozlowski
Active Contributor
0 Kudos

Use authorization object 'S_BDC_MONI'. Check Docu in trx SU21 for further details.

0 Kudos

Hi Michael,

how does this restrict which programs can be run?

0 Kudos

Authorization for trx SM35 can be restricted with authorization object S_BDC_MONI as below:

1. The name of the session

The user can only process sessions whose names start with the names they are authorized for.

2. The activity in a session (program name doesn't matter)

ABTC: Pass on sessions to background processing

ANAL: Analyze sessions and logs

AONL: Process sessions in dialog mode

DELE: Delete sessions

EXPO: Export sessions

FREE: Release sessions

IMPO: Import sessions

LOCK: Lock and release sessions

REOG: Reorganize sessions and logs
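
The session-name and activity restriction discussed in this thread, as an added example that is not part of any post and is not SAP code: a simplified Python model of how an S_BDC_MONI authorization with fields BDCAKTI and BDCGROUPID is evaluated, plus an audit pass that flags roles allowing executing activities on near-unrestricted session names. The role names, session prefixes, the `EXECUTING` grouping and the `min_prefix` threshold are assumptions made for the example; from-to value ranges are not modelled.

```python
# Simplified model of an S_BDC_MONI check (added example, not SAP code).
# Assumption: a value is either exact or a generic pattern ending in '*';
# from-to ranges are not modelled.

# Activities that run or release a session; this grouping is the example's choice.
EXECUTING = {"ABTC", "AONL", "FREE"}

def value_matches(pattern, value):
    """Left-to-right comparison: 'FI_AP_*' matches any value starting 'FI_AP_'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def field_allows(auth, field, value):
    return any(value_matches(p, value) for p in auth[field])

def is_authorized(auths, activity, session):
    """Both fields must match inside the SAME authorization; values held in
    two different authorizations do not combine."""
    return any(field_allows(a, "BDCAKTI", activity)
               and field_allows(a, "BDCGROUPID", session) for a in auths)

def overly_broad(roles, min_prefix=3):
    """Report authorizations that allow an executing activity on session names
    with a generic prefix shorter than min_prefix characters."""
    findings = []
    for role, auths in sorted(roles.items()):
        for a in auths:
            acts = sorted(x for x in EXECUTING if field_allows(a, "BDCAKTI", x))
            for p in a["BDCGROUPID"]:
                if acts and p.endswith("*") and len(p) - 1 < min_prefix:
                    findings.append((role, p, acts))
    return findings

# Constructed sample roles (hypothetical names and values).
ROLES = {
    "Z_FI_BATCH": [
        {"BDCAKTI": ["ANAL"], "BDCGROUPID": ["*"]},
        {"BDCAKTI": ["ABTC"], "BDCGROUPID": ["FI_AP_*"]},
    ],
    "Z_BASIS_ALL": [{"BDCAKTI": ["*"], "BDCGROUPID": ["*"]}],
}

if __name__ == "__main__":
    for finding in overly_broad(ROLES):
        print(finding)
```

In the sample, Z_FI_BATCH may analyze any session but can pass only sessions named FI_AP_... to background processing, which is the effect a session naming convention is meant to give.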