09-13-2007 8:10 AM
Dear SAP security experts,
I created a role SAP_ALL_DISPLAY inherited from the SAP_ALL profile. I made sure that ACTVT is 03 for all areas. But it still allows some tcodes like the ones below:
RSA6 -- It allows deleting, changing and creating extractors. This is very dangerous.
SM37 -- It allows deleting BG jobs, etc.
.....some more I did not know... don't have time to check.
tcodes like RSA1, SCC*, SPRO are OK. If I adjust the check indicators in SU24 for the above tcodes (RSA6, SM37, ...), what are the bad consequences? How to fix this in an easy way?
Thank you very much
09-13-2007 8:30 AM
Hi,
There is no easy way. What you can do is see to it that authorization object S_TABU_DIS (ACTVT 03) has no update at all; this controls the update to the database. If you have doubts about a transaction, just try it out with the trace on (ST01). Is there not a SAP_ALL_DISPLAY profile from which you can create a role? It is in R/3.
Have fun
Jan van Roest
09-13-2007 10:04 AM
Hi,
This is a BI70 system which doesn't have SAP_ALL_DISPLAY.
Manually Table Maintenance (via standard tools such as SM30) - S_TABU_DIS
    Activity            03    ACTVT
    Authorization Group *     DICBER
The above has (03 - display only).
"object S_TABU_DIS (ACTVT 03) has no update at all" --> Where do I check for update and remove the access? The Ctrl+F search gives only the above display in PFCG.
Thanks
09-13-2007 11:24 AM
The solution is simple: take away TRX SM30 and SM31. Never use * for S_TCODE, as this is giving you a lot of problems. Besides, never give debug, and be very careful not to give SE16 or SE16N directly; ONLY allow table access via a custom TRX (copy of SE16 limited to one specific table only).
09-13-2007 9:29 AM
Make sure all of your S_* objects do not allow any update access.
It sounds like you have still got S_BTCH_ADM = Y or * for the access to SM37.
There is a fair bit more work in creating a SAP_ALL_DISPLAY role than just changing activities to 03.
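The two replies above give concrete things to look for in a role that is supposed to be display-only: ACTVT values other than 03, a * or range in S_TCODE, table-maintenance and table-browser transactions (SM30, SM31, SE16, SE16N), and S_BTCH_ADM set to Y or *. The script below is an added example, not code posted in this thread; it audits a role's authorization values for exactly those settings. It assumes the role has been exported in the shape of the AGR_1251 role-authorization table (role, object, field, low, high), the sample rows are constructed, and the role name Z_ALL_DISPLAY is hypothetical.

```python
"""Audit a display-only SAP role export for update-capable authorization values.

Added example, not from the thread. Input rows are assumed to have the shape of
an AGR_1251 export (role, object, field, low, high). SAMPLE_ROWS is constructed
sample data and the role name Z_ALL_DISPLAY is hypothetical.
"""
from dataclasses import dataclass
from typing import Iterable, List

DISPLAY_ACTIVITY = "03"

# Transactions the thread says must not sit in a display-only role:
# SM30/SM31 (table maintenance) and SE16/SE16N (direct table browsing).
FORBIDDEN_TCODES = {"SM30", "SM31", "SE16", "SE16N"}


@dataclass(frozen=True)
class AuthValue:
    role: str
    obj: str        # authorization object, e.g. S_TABU_DIS
    field: str      # authorization field, e.g. ACTVT
    low: str        # single value, trailing-'*' pattern, or range start
    high: str = ""  # range end; empty when the entry is not a range


@dataclass(frozen=True)
class Finding:
    obj: str
    field: str
    value: str
    reason: str


def value_matches(low: str, high: str, target: str) -> bool:
    """True if the SAP value/range/pattern (low, high) covers `target`.
    Handles the full wildcard '*', a trailing-'*' prefix pattern and a
    low..high range compared as strings."""
    if low == "*":
        return True
    if high:
        return low <= target <= high
    if low.endswith("*"):
        return target.startswith(low[:-1])
    return low == target


def audit_role(rows: Iterable[AuthValue]) -> List[Finding]:
    """Flag authorization values that grant more than display access.

    A clean result is necessary, not sufficient: as the thread notes, many
    transactions never check ACTVT at all, so a trace (ST01) is still needed."""
    findings: List[Finding] = []
    for r in rows:
        shown = f"{r.low}-{r.high}" if r.high else r.low
        if r.field == "ACTVT" and (r.high or r.low != DISPLAY_ACTIVITY):
            # A range or anything but 03 lets the object do create/change/delete.
            findings.append(Finding(r.obj, r.field, shown,
                                    "activity other than 03 (display)"))
        elif r.obj == "S_TCODE" and r.field == "TCD":
            if r.low == "*" or r.high:
                findings.append(Finding(r.obj, r.field, shown,
                                        "wildcard or range in S_TCODE"))
            else:
                for tcode in sorted(FORBIDDEN_TCODES):
                    if value_matches(r.low, r.high, tcode):
                        findings.append(Finding(r.obj, r.field, shown,
                                                f"grants {tcode} (table maintenance/browsing)"))
        elif r.obj == "S_BTCH_ADM" and r.field == "BTCADMIN" and r.low in ("Y", "*"):
            # Batch administrator flag: lets SM37 delete/change other users' jobs.
            findings.append(Finding(r.obj, r.field, shown,
                                    "batch administrator flag set"))
    return findings


# Constructed sample export for a hypothetical role; not real system data.
SAMPLE_ROWS = [
    AuthValue("Z_ALL_DISPLAY", "S_TCODE", "TCD", "*"),
    AuthValue("Z_ALL_DISPLAY", "S_TCODE", "TCD", "SE16"),
    AuthValue("Z_ALL_DISPLAY", "S_TABU_DIS", "ACTVT", "03"),
    AuthValue("Z_ALL_DISPLAY", "S_TABU_DIS", "DICBERCLS", "*"),
    AuthValue("Z_ALL_DISPLAY", "S_BTCH_ADM", "BTCADMIN", "Y"),
    AuthValue("Z_ALL_DISPLAY", "S_DEVELOP", "ACTVT", "03"),
    AuthValue("Z_ALL_DISPLAY", "S_RS_ADMWB", "ACTVT", "*"),
]

if __name__ == "__main__":
    for f in audit_role(SAMPLE_ROWS):
        print(f"{f.obj:12} {f.field:10} {f.value:8} {f.reason}")
```

Run against a real export, the script only narrows the list; the DICBERCLS authorization group of * in the sample is deliberately left unflagged because ACTVT 03 on S_TABU_DIS is display-only, and the remaining gaps (transactions that ignore ACTVT, deactivated check indicators in SU24) still have to be found with the ST01 trace that the replies recommend.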
09-14-2007 10:02 AM
I guess this needs to be created as an FAQ:
- There is no such thing as SAP_ALL_DISPLAY.
- Proposal: create a "display only" role for each functional area in your organisation, i.e. something you could give to every employee working in that area.
- There are LOTS of transactions that couldn't care less about what you put in ACTVT!
- There are display transactions that you do not want to give to people (confidentiality).
- Furthermore, the check for ACTVT might be deactivated in SU24.
In a nutshell: don't do that. Find out what the exact requirements for that role are, and create it like that. The way you do it now will have many more backdoors than you will ever be able to fix. How are you going to control/audit misuse?
Alternatively: look at SAP GRC Access Controls and evaluate the FireFighter application - this might help.
Sorry, no easy answer here.
Frank.