How can I assign SE38 for one program only?

Former Member
0 Kudos

HR User runs RSCALCU0 program every time she runs the payroll.

How can I give SE38 access for one program?

So far as I know, program access works with Auth Group of Program. I could not find the Auth Group of this program since this is a SAP Default program.

Please advise.

From

PT.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

> How can I give SE38 access for one program?

Only by protecting all the others without an authorization group, isolating this one and ensuring that the user(s) only have this one S_PROGRAM P_GROUP value with a P_ACTION of SUBMIT.

A more commonly accepted approach is to create a report type transaction code (in SE93) or find an existing SAP tcode (do a where-used-list search on the report from SE38) and grant that transaction to the user(s). Check whether a standard transaction found submits the report with a variant!

The user will require the tcode, the S_PROGRAM group and other application authorizations which it checks, but not SE38 or (for example) START_REPORT etc etc...

You can see the authorization group on a report (including SAP defaults) from transaction SE38 => Attributes AND using report RSCSAUTH.

See this thread, and others found by searching for "RSCSAUTH", for further details.

Cheers,

Julius

4 REPLIES 4

Former Member
0 Kudos

Hi Pranav,

We can restrict authorization to programs using authorization groups. But since many of the SAP programs are not assigned to any authorization groups, the users can execute all these programs if they have access to SE38.

So the best solution is to create a custom transaction code using the T-Code SE93 for the program you want to secure and then assign the custom T-Code to the role.

Thanks.

Edited by: Narsing A on Dec 27, 2007 10:02 PM

0 Kudos

Thanks for the help.

I think finding the transaction and assigning the transaction does make more sense.

From

PT.

0 Kudos

Note that if you have a report transaction and the report has an authorization group on it, then you will still need to maintain S_PROGRAM with a SUBMIT OR VARIANT action for the user to be able to run the transaction (+ other application objects checked by the program).

This is useful to limit the user to only one entry point into the group of programs to submit only one of them, although they are authorized to submit them all (in the group(s)). A danger which lurks in this is that the authorization objects behind the tcode can become neglected and granted too broadly, as the assumption that the tcode will protect the use of the programs does not always hold true, and crumbles quite quickly when the user has (naughty) intentions.

If something is dear to you (like payroll), then it is advisable to protect it using a check which does not care how the user gets to run the code. If everything is dear to you, then it might be advisable to place a minimum protection on all code. See principle of least privilege (http://en.wikipedia.org/wiki/Principle_of_least_privilege) for some interesting reading / debate.

Cheers,

Julius
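
Added example (not part of the thread and not SAP code): a simplified Python model of the S_TCODE and S_PROGRAM checks described in the answers above, comparing what a user can run with a report transaction against what the same S_PROGRAM authorization exposes through SE38. The report-to-group table, the group names, the tcode ZPAYCALC and every report name other than RSCALCU0 are constructed sample data; other application authorization checks are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed sample data: report -> authorization group, as it would be read
# from SE38 attributes or RSCSAUTH. "" means no group is assigned.
REPORT_GROUPS = {
    "RSCALCU0": "ZPAYROLL",   # hypothetical group name
    "ZHR_OTHER": "ZPAYROLL",  # hypothetical report sharing the group
    "ZFI_DUMP": "ZFIN",       # hypothetical report in another group
    "ZNOGROUP": "",           # hypothetical report without a group
}
REPORT_TCODES = {"ZPAYCALC": "RSCALCU0"}     # constructed SE93 report tcode
GENERIC_STARTERS = ("SE38", "START_REPORT")  # can start any report by name

def matches(values, wanted):
    """True if any authorization value (may contain '*') covers `wanted`."""
    return any(fnmatchcase(wanted, v) for v in values)

def may_submit(auths, report):
    """S_PROGRAM check; it is skipped when the report has no group."""
    group = REPORT_GROUPS[report]
    if not group:
        return True
    return any(matches(a["P_GROUP"], group) and matches(a["P_ACTION"], "SUBMIT")
               for a in auths.get("S_PROGRAM", []))

def reachable_reports(auths):
    """Map each report the user can run to the tcodes that get them there."""
    tcodes = [v for a in auths.get("S_TCODE", []) for v in a["TCD"]]
    generic = [t for t in GENERIC_STARTERS if matches(tcodes, t)]
    result = {}
    for report in REPORT_GROUPS:
        if not may_submit(auths, report):
            continue
        entries = generic + [t for t, r in REPORT_TCODES.items()
                             if r == report and matches(tcodes, t)]
        if entries:
            result[report] = sorted(entries)
    return result

# Constructed users: same S_PROGRAM authorization, different entry point.
S_PROGRAM = [{"P_GROUP": ["ZPAYROLL"], "P_ACTION": ["SUBMIT"]}]
USER_TCODE = {"S_TCODE": [{"TCD": ["ZPAYCALC"]}], "S_PROGRAM": S_PROGRAM}
USER_SE38 = {"S_TCODE": [{"TCD": ["SE38"]}], "S_PROGRAM": S_PROGRAM}

if __name__ == "__main__":
    for name, auths in (("tcode only", USER_TCODE), ("SE38", USER_SE38)):
        print(name, reachable_reports(auths))
```

Run against a real export of report groups and role authorizations, the same comparison shows which ungrouped reports would need an authorization group before SE38 could be limited to a single program.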