01-03-2008 5:21 PM
Hi,
Happy New Year to all of you!
1. How can I identify all the roles that have manual insertions of authorisations?
2. What would be the ideal or SAP best practice steps to convert this to the "normal" role?
Thanks!
01-03-2008 5:49 PM
>
> 1. How can I identify all the roles that have manual insertions of authorisations?
I suggest table AGR_1251. Selection criteria:
AGR_NAME: role(s) to check
OBJECT: S_TCODE
MODIFIED: U
DELETED: does not equal X
> 2. What would be the ideal or SAP best practice steps to convert this to the "normal" role?
I don't know about best practice but advise you to copy the original roles to temporary ones for reference before you add the missing transactions to the menu and regenerate the profiles. That way you still have the original authorization objects and values for a comparison.
Jurjen
01-03-2008 8:32 PM
Again, in the second parameter 'role(s) to check'... we need to give the role name!! This is what we need to determine!
01-03-2008 8:36 PM
>
> Again, in the second parameter 'role(s) to check'... we need to give the role name!! This is what we need to determine!
Well, leave it empty and see what happens.....
I mentioned this field because it can help you narrow your search.
For instance, if all your single roles begin with Z, enter Z* in this field. That way the query will not return the SAP standard roles....
HTH
Jurjen
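Added example, not written by any participant in this thread: a Python sketch that applies the selection criteria above to an SE16 export of AGR_1251 and compares the manual S_TCODE values with the role menu, so the copy-and-regenerate step has a worklist. The semicolon-separated export layout, the use of an AGR_TCODES export (columns AGR_NAME, TCODE) as the menu source, and all role names and rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape of an SE16 export of AGR_1251.
AGR_1251_EXPORT = """AGR_NAME;OBJECT;FIELD;LOW;HIGH;MODIFIED;DELETED
Z_MM_BUYER;S_TCODE;TCD;ME21N;;S;
Z_MM_BUYER;S_TCODE;TCD;MB03;;U;
Z_MM_BUYER;S_TCODE;TCD;ME2*;;U;
Z_MM_BUYER;S_TCODE;TCD;MIGO;;U;X
Z_MM_BUYER;M_BEST_EKO;ACTVT;03;;U;
Z_PM_TECH;S_TCODE;TCD;IW31;IW33;U;
SAP_STD_ROLE;S_TCODE;TCD;SU53;;U;
"""
# Assumption: role menu transactions exported from AGR_TCODES (constructed rows).
AGR_TCODES_EXPORT = """AGR_NAME;TCODE
Z_MM_BUYER;ME21N
Z_PM_TECH;IW32
"""

def read_rows(text):
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))

def manual_tcodes(rows, role_prefix=""):
    """Thread's selection: OBJECT = S_TCODE, MODIFIED = U, DELETED <> X."""
    hits = defaultdict(list)
    for r in rows:
        if (r["OBJECT"] == "S_TCODE" and r["MODIFIED"] == "U"
                and r["DELETED"] != "X" and r["AGR_NAME"].startswith(role_prefix)):
            hits[r["AGR_NAME"]].append((r["LOW"], r["HIGH"]))
    return dict(hits)

def triage(manual, menu_rows):
    """Split manual values: single tcodes absent from the menu vs. wildcards/ranges."""
    menu = defaultdict(set)
    for r in menu_rows:
        menu[r["AGR_NAME"]].add(r["TCODE"])
    report = {}
    for role, values in manual.items():
        ranges = [v for v in values if v[1] or "*" in v[0]]
        singles = sorted(low for low, high in values
                         if not high and "*" not in low and low not in menu[role])
        report[role] = {"add_to_menu": singles, "review": ranges}
    return report

if __name__ == "__main__":
    manual = manual_tcodes(read_rows(AGR_1251_EXPORT), role_prefix="Z")
    for role, result in triage(manual, read_rows(AGR_TCODES_EXPORT)).items():
        print(role, result)
```

Wildcard and range values land in `review` because they cannot be mapped to a single menu entry and need a decision on which transactions the role should really carry.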
01-04-2008 8:28 AM
Normally in the field S_TCODE only TRX should be added manually that you do not want the user to be able to access directly (so also not visible through the menu). These are so-called follow-on trx. These are TRX that the user accesses via another (entry) trx.
01-04-2008 9:08 AM
>
> Normally in the field S_TCODE only TRX should be added manually that you do not want the user to be able to access directly
Auke,
How would one not be able to start a transaction one is authorized for? Hiding it from the menu will not secure it.....
As far as I know the follow-on-trx or "called transactions" are treated in a different manner but surely not by manually adding them to S_TCODE...
What am I missing here?
Jurjen
01-04-2008 9:59 AM
Jurjen
Basically you are right, but in a large part of the OLD ABAP code there are a lot of errors that have not been solved. In those cases, when the user is directed to another ABAP (read: other TRX), the S_TCODE object is being checked (hard-coded in the ABAP), so in these situations the user needs access to that T-code also. However, in such situations the data accessible is determined by the start trx, and for that reason we do not want users to know that they have access to the TRX, as they might see too much data.
I agree that users are not secured against access to trx, but luckily most users do not even know that they are in another TRX! To see how many situations this applies to, search SAP notes on follow-on trx.
For instance, in MM there are plenty. Especially when coming from PM TRX.
01-04-2008 2:27 PM
Hi,
If you want to know more about which transaction calls others or is called by others, look into transaction SE97; you can also manipulate it there. The table is TCDCOUPLES; you can use transaction SE16 to look into this.
Look also in the profile generator at tab menu option Authorization default; you can add transactions there which the user will not be able to see in the user menu, but the profile generator gives you the defaults.
Have fun
Jan van Roest