
block tcode

Former Member
0 Kudos

Hi,

Apart from SM01, is there any other tcode to block a tcode globally...

Reg'

Zeemaaa...

1 ACCEPTED SOLUTION

Former Member

Hi vijay,

Removing the tcode from the users is a start, but you seem to be referring to the fact that locking a transaction in SM01 does not prevent a user from using it, because they could either submit it if it is a report transaction or simply enter it if it is a variable in a program.

What you can do is place a call to FM AUTHORITY_CHECK_TCODE upfront in your program and ensure that it does not have any deactivated OKFLAG couple in SE97.

But that is not 100% bullet-proof either, because the user might find other transactions or reports which access the same functionality either redundantly (coded) or using a common method or function module, or even maintain the local interface of the function module itself before executing it, or debugging the return code etc. As a user's access gets stronger and wider, the control value of S_TCODE reduces rapidly.

The most sure way I can think of locking down a transaction "globally", is to find the lowest common but exclusive denominator(s) of access which is required for any access to the functionality which that transaction provides, no matter how the user gets to it, and remove that from the roles assigned to any user.

Sometimes looking at what the transaction's corresponding BAPI checks can be helpful for finding the common and exclusively checked field. This might also not be 100% bullet-proof but at least consistent with the rest of the SAP authorization concept and therefore more sustainable.

Hope that helps (interesting question!),

Julius
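
As an added example (not part of the original post, and not SAP's own code), this is how a custom report can combine the two controls the answer describes: a tcode check at program start and an authorization check inside the shared business logic. The report name, the transaction `ZDEMO_TC` and the authorization object `Z_DEMO` are hypothetical.

```abap
REPORT zdemo_guarded_report.

" Hypothetical names: ZDEMO_TC is the transaction assigned to this report,
" Z_DEMO is a custom authorization object with the single field ACTVT.
CONSTANTS gc_tcode TYPE sy-tcode VALUE 'ZDEMO_TC'.

INITIALIZATION.
  " Runs whenever the report starts, including when it is started by
  " SUBMIT instead of through its transaction code (the path the post
  " describes), so the S_TCODE decision is enforced in both cases.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING
      tcode  = gc_tcode
    EXCEPTIONS
      ok     = 0      " the FM signals success through exception OK
      not_ok = 2
      OTHERS = 3.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for this transaction' TYPE 'S' DISPLAY LIKE 'E'.
    LEAVE PROGRAM.
  ENDIF.

START-OF-SELECTION.
  PERFORM do_business_function.

FORM do_business_function.
  " The check that still holds when a caller reaches this logic by another
  " route: it sits in the common code and tests a functional authorization,
  " not the tcode used to get here.
  AUTHORITY-CHECK OBJECT 'Z_DEMO'
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for this function' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.
  WRITE / 'Authorized: business logic would run here.'.
ENDFORM.
```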

5 REPLIES 5

Former Member
0 Kudos

No, I suppose.

Former Member

Hi Vijay,

I suppose there is no tcode other than SM01 to block tcodes. SAP provides SM01 to block tcodes so that even a super user can't use them.

Points appreciated.

ardhian

Former Member
0 Kudos

Hello,

Other than SM01, which is SAP-provided to block a tcode, a tcode can also be blocked by writing a small piece of code in the program (if the tcode to be blocked is a custom one).

Regards,

Sowmya.

Former Member
0 Kudos

Well, yeah, there's a workaround.

What you can do is block a transaction code by creating a dummy role using authorization object "S_TCODE".

You can use this same object on all clients.

Please reward points if useful.

Regards,