Solved: Removing tcodes from menu Tab on Tcode Pfcg

Former Member · ‎07-16-2007

Hi

I am new on this site and is tasked with removing some critical tcodes from some users. This company has not seperated the object authorizations from the tocde authorizations and everything is in a mess.I need to remove some critical tcdes form the Roles, which has been configured.They are runnign 46C.I have no issue removing the tcodes fromt he authorization object s_tcode in the authorization Tab.The problem is that they have also added some tcodes in the menu tab,by doingit this way,it automatiically adds the authorization objects as well. If I remove the tcode from the menu tab in pfcg, it messes up the authorizations in the authorization tab and removes all links to the tcode. Is there a way I can just remove the tcode.In pfcg under authorizations tab under change mode , I cannot remove this,.I would have to de-activate all if the tcodes from the menu tab to remove any one tcode. I coudl de-activated all and then add the tcodes manually again with object s_stcode.Any help woudl be appreciated

Former Member · ‎07-16-2007

You should <i>not</i> separate the object and the tcode authorisations.

When you add a transaction into the menu tab, the authorisations tab is populated with the objects as defined in the USOB* tables which are maintained via SU24. That way, if you add a transaction, you can ensure that the right authorisation objects are pulled through.

It follows that when you remove a transaction, the authorisation objects required for it to run are also removed (unless manually entered or in Changed status). Removing a tcode and leaving the auth objects removed a key control that is provided by the authorisation object. You go from 2 level security (T-code + object) to potentially 1 level (T-code).

In your situation, if transactions are being removed when you remove them from the menu, that is because SU24 has not been configured to use them for any other transaction in your role menu. It sounds like that by adding transactions randomly in the role menu and S_TCODE, that your role has become totally out of sync. Your best bet would (in my opinion) be to create a new role by adding the transactions in the menu tab and populating the respective auth objects with the values required to fulfil the purpose of your role.

Former Member · ‎07-16-2007

You should <i>not</i> separate the object and the tcode authorisations.

When you add a transaction into the menu tab, the authorisations tab is populated with the objects as defined in the USOB* tables which are maintained via SU24. That way, if you add a transaction, you can ensure that the right authorisation objects are pulled through.

It follows that when you remove a transaction, the authorisation objects required for it to run are also removed (unless manually entered or in Changed status). Removing a tcode and leaving the auth objects removed a key control that is provided by the authorisation object. You go from 2 level security (T-code + object) to potentially 1 level (T-code).

In your situation, if transactions are being removed when you remove them from the menu, that is because SU24 has not been configured to use them for any other transaction in your role menu. It sounds like that by adding transactions randomly in the role menu and S_TCODE, that your role has become totally out of sync. Your best bet would (in my opinion) be to create a new role by adding the transactions in the menu tab and populating the respective auth objects with the values required to fulfil the purpose of your role.

Former Member · ‎07-16-2007

Hi Alex,

The explaination given by you is excellent.

It cannot be better than you have provided.

-Nandu More