05-31-2007 11:08 AM
hi,
Apart from SM01, is there any other tcode to block a tcode globally?
Reg'
Zeemaaa...
05-31-2007 1:08 PM
Hi vijay,
Removing the tcode from the users is a start, but you seem to be referring to the fact that locking a transaction in SM01 does not prevent a user from using it, because they could either submit it if it is a report transaction or simply enter it if it is a variable in a program.
What you can do, is place a call to FM AUTHORITY_CHECK_TCODE upfront in your program and ensure that it does not have any deactivated OKFLAG couple in SE97.
But that is not 100% bullet-proof either, because the user might find other transactions or reports which access the same functionality either redundantly (coded) or using a common method or function module, or even maintain the local interface of the function module itself before executing it, or debugging the return code etc. As a user's access gets stronger and wider, the control value of S_TCODE reduces rapidly.
The most sure way I can think of locking down a transaction "globally", is to find the lowest common but exclusive denominator(s) of access which is required for any access to the functionality which that transaction provides, no matter how the user gets to it, and remove that from the roles assigned to any user.
Sometimes looking at what the transaction's corresponding BAPI checks can be helpful for finding the common and exclusively checked field. This might also not be 100% bullet-proof but at least consistent with the rest of the SAP authorization concept and therefore more sustainable.
Hope that helps (interesting question!),
Julius
05-31-2007 11:48 AM
06-01-2007 4:08 AM
06-01-2007 4:37 AM
Hello,
Other than SM01, which is SAP-provided to block a tcode, a tcode can also be blocked by writing a small piece of code in the program (if the tcode to be blocked is a custom one).
Regards,
Sowmya.
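An added example, not code from any poster in this thread: a custom report that performs the AUTHORITY_CHECK_TCODE call suggested above at its own entry point, followed by a check on a functional authorization object, so the same checks run whether the report is started through its transaction, through SA38, or through SUBMIT. The names ZDEMO_GUARDED_REPORT, ZDEMO_TX and ZDEMO_OBJ are hypothetical placeholders.

```abap
REPORT zdemo_guarded_report.

* Hypothetical: ZDEMO_TX is the custom transaction assigned to this report.
* A fixed name is checked instead of SY-TCODE, because SY-TCODE holds the
* transaction the user actually started, which is a different one when the
* report is reached through SUBMIT or SA38.
CONSTANTS gc_tcode TYPE tstc-tcode VALUE 'ZDEMO_TX'.

START-OF-SELECTION.
  PERFORM check_access.
  WRITE / 'Checks passed, business logic runs here.'.

FORM check_access.
* Step 1: S_TCODE check for the transaction that fronts this report.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING
      tcode  = gc_tcode
    EXCEPTIONS
      ok     = 0
      not_ok = 1
      OTHERS = 2.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for transaction ZDEMO_TX' TYPE 'E'.
  ENDIF.

* Step 2: check on the function itself, independent of the entry path.
* ZDEMO_OBJ is a hypothetical custom authorization object with field ACTVT;
* removing it from roles blocks the function however it is reached.
  AUTHORITY-CHECK OBJECT 'ZDEMO_OBJ'
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization for this function' TYPE 'E'.
  ENDIF.
ENDFORM.
```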
06-01-2007 10:12 AM
Well, yeah, there's a workaround.
What you can do is block a transaction code by creating a dummy role using authorization object "S_TCODE".
You can use this same object on all clients.
Please reward points if useful.
Regards,