11-13-2015 12:13 PM
Dear All,
Does anybody know a way to restrict what programs can be released/executed from transaction SM35?
When I run a trace I find the below:
User | Program Name | Check | Result | Object | Field 1 | Value 1 | Field 2 | Value 2 |
user01 | SAPMSBDC_CC | 0 | S_BDC_MONI | BDCAKTI | ABTC | BDCGROUPID | POSITION | |
user01 | SAPMSBDC_CC | 0 | S_BDC_MONI | BDCAKTI | ABTC | BDCGROUPID | POSITION | |
user01 | SAPLBTCH | 0 | S_BTCH_ADM | BTCADMIN | Y | |||
user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' | |
user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' | |
user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' | |
user01 | SAPLSPOR | user11 | 0 | S_SPO_DEV | SPODEVICE | LOCL | ||
user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' | |
user01 | SAPLBTCH | 0 | S_BTCH_ADM | BTCADMIN | Y | |||
user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' | |
user01 | SAPLBTCH | 0 | S_BTCH_NAM | BTCUNAME | UK05195 | |||
user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' | |
user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' | |
user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' | |
user01 | SAPLBTCH | 0 | S_BTCH_JOB | JOBACTION | RELE | JOBGROUP | ' ' |
11-16-2015 11:50 AM
Check the table USOBT_C, under the object S_PROGRAM.
Look for field name "P_ACTION" and value
In the name field you can see "Program, transaction or function module name"
So you can restrict by "Authorization group ABAP/4 program" and not giving value "BTCSUBMIT" under field "User action ABAP/4 program"
Here "Authorization group ABAP/4" is the value in "P_ACTION" in the table USOBT_C.
Please let me know if you need more info
Cheers
Pavan M
11-13-2015 2:14 PM
I restrict SM35 by session name. The users who get the role access are limited by session name.
11-16-2015 7:22 AM
That can be controlled at the transactional level by the authorization object S_PROGRAM, restricting the tcode that can be executed and thus restricting it from being run as a batch.
11-16-2015 1:38 PM
Hi Pavan,
I'm not sure I follow.
Are you suggesting I add object S_PROGRAM to the role?
11-16-2015 8:51 PM
Luckily Pavan's answers are far enough off the mark that it is clear not to spend much to "try it and see if it works". So I will not reject them as they document his fall progress.
The trick with this is that programs can generate the sessions, so they can control the session names in S_BDC_MONI if you have a convention for them. That is the good news.
Downsides are that if you did not have a convention from the beginning, then it is hard to retrofit. Also the authorization fields follow the ASCII character set from left to right, so you need to decide between module first or org. unit first in some cases. Some standard programs are hardcoded but you can SU24 them "out of sight"; others generate numbers even or use a date....
However possibly you meant restricting the program which generates the batch input file which is processed in SM35. That is IMO more critical and object S_DATASET is your weapon here (it has a field for the program name - restrict to its capability via the code and the auths for the program name) and then use tcode FILE to create logical file paths. These checks are in the SAP kernel of the ABAP commands so you do not even need to code them yourself necessarily. Go for the program name in this case as a first resort (in that sense Pavan is almost correct and pinned the tail just left of where the kernel checks the program name).
Cheers,
Julius
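As an added illustration of the session-naming convention Julius describes (this is example code, not from anyone in the thread or from SAP): a batch input program builds its session name as module first, then company code, so a single S_BDC_MONI value such as Z_FI_* covers one module, and checks the same object SM35 will check before it creates the session. The report name, the Z_ naming scheme, the chosen activity and the sample FB01 screen step are assumptions for illustration.

```abap
REPORT z_bdc_named_session.
* Added example, not from the thread. Session name convention:
* Z_<module>_<company code>, e.g. Z_FI_1000. Module before org. unit,
* because S_BDC_MONI / BDCGROUPID values are matched left to right,
* so Z_FI_* fits one module across all company codes.

DATA: lv_group   TYPE apqi-groupid,      " 12-char session name
      lt_bdcdata TYPE TABLE OF bdcdata,
      ls_bdcdata TYPE bdcdata.

PARAMETERS: p_module TYPE c LENGTH 2 DEFAULT 'FI',
            p_bukrs  TYPE bukrs       DEFAULT '1000'.

START-OF-SELECTION.
  CONCATENATE 'Z' p_module p_bukrs INTO lv_group SEPARATED BY '_'.

  " Same object and fields seen in the SM35 trace (BDCAKTI, BDCGROUPID).
  " Activity AONL (process in dialog) is an assumed choice: a user who may
  " not process sessions of this name should not be creating them either.
  AUTHORITY-CHECK OBJECT 'S_BDC_MONI'
    ID 'BDCAKTI'    FIELD 'AONL'
    ID 'BDCGROUPID' FIELD lv_group.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for batch input sessions of this name' TYPE 'E'.
  ENDIF.

  CALL FUNCTION 'BDC_OPEN_GROUP'
    EXPORTING
      client = sy-mandt
      group  = lv_group        " the conventional name is set here
      user   = sy-uname
      keep   = 'X'
    EXCEPTIONS
      OTHERS = 1.
  IF sy-subrc <> 0.
    MESSAGE 'BDC_OPEN_GROUP failed' TYPE 'E'.
  ENDIF.

  " Constructed sample step: initial screen of FB01 (program SAPMF05A).
  CLEAR ls_bdcdata.
  ls_bdcdata-program  = 'SAPMF05A'.
  ls_bdcdata-dynpro   = '0100'.
  ls_bdcdata-dynbegin = 'X'.
  APPEND ls_bdcdata TO lt_bdcdata.

  CALL FUNCTION 'BDC_INSERT'
    EXPORTING tcode     = 'FB01'
    TABLES    dynprotab = lt_bdcdata
    EXCEPTIONS OTHERS   = 1.

  CALL FUNCTION 'BDC_CLOSE_GROUP'
    EXCEPTIONS OTHERS = 1.
```

With this in place, the role for the FI clerks carries S_BDC_MONI with BDCGROUPID = Z_FI_* and the activities they need, and sessions created by other modules' programs stay out of their SM35 list.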
11-16-2015 12:00 PM
Use authorization object 'S_BDC_MONI'. Check Docu in trx SU21 for further details.
11-16-2015 2:03 PM
Authorization for trx SM35 can be restricted with authorization object S_BDC_MONI as below:
1. The name of the session (BDCGROUPID)
   Users can only process sessions whose names start with the values they are authorized for.
2. The activity in a session (BDCAKTI; program name doesn't matter)
   ABTC: Pass on sessions to background processing
   ANAL: Analyze sessions and logs
   AONL: Process sessions in dialog mode
   DELE: Delete sessions
   EXPO: Export sessions
   FREE: Release sessions
   IMPO: Import sessions
   LOCK: Lock and release sessions
   REOG: Reorganize sessions and logs