Identification of Manual Transactions

Former Member · ‎01-03-2008

Hi,

Happy New Year to all of you !

1. How can i identify all the roles that have a manual insertions of authorisations?

2. What would be the ideal or SAP best practice steps to convert this to the "normal" role.

Thanks!

jurjen_heeck · ‎01-03-2008

>

> 1. How can i identify all the roles that have a manual insertions of authorisations?

I suggest table AGR_1251. Selection criteria:

AGR_NAME: role(s) to check

OBJECT: S_TCODE

MODIFIED: U

DELETED: does not equal X

> 2. What would be the ideal or SAP best practice steps to convert this to the "normal" role.

I don't know about best practice but advise you to copy the original roles to temporary ones for reference before you add the missing transactions to the menu and regenerate the profiles. That way you still have the original authorization objects and values for a comparison.

Jurjen

Former Member · ‎01-03-2008

Again in the second parameter ' role(s) to check...we need to give the role name !! this is what we need to determine !

jurjen_heeck · ‎01-03-2008

>

> Again in the second parameter ' role(s) to check...we need to give the role name !! this is what we need to determine !

Well, leave it empty and see what happens.....

I mentioned this field because it can help you narrow your search.

For instance, if all your single roles begin with Z, enter Z* in this field . That way the query will not return the SAP standard roles....

HTH

Jurjen

Former Member · ‎01-04-2008

Noramlly in the field S_TCODE only TRX should be added manual that you do not want the user to be able to access directly (so also not visible through the menu). Thus are so called follow on trx. These are TRX that the user accesses via an other (entry) trx.

jurjen_heeck · ‎01-04-2008

>

> Noramlly in the field S_TCODE only TRX should be added manual that you do not want the user to be able to access directly

Auke,

How would one not be able to start a transaction one is authorized for? Hiding it from the menu will not secure it.....

As far as I know the follow-on-trx or "called transactions" are treated in a different manner but surely not by manualling adding them to S_TCODE...

What am I missing here?

Jurjen

Former Member · ‎01-04-2008

Jurjen

basically you are right, but in a large part of the OLD Abap code there are a lot of errors that have not been solved. In those cases when the user is directed to an other ABAP (read other TRX) the S_Tcode object is being checked (hard coded in the abap) so in these situations that users needs access to that T-code also, However in such situations the data accessible is determined by the start trx and for that reason we do not want users to know that they have acees to teh TRX. as they might see to much data.

I agree that users are not secured against avccess to trx , but luckily most users do not even know that they are in an other TRX! To see how much situations this applies to search SAP notes on follow on trx.

For instance in MM there are plenty. Especially when comming from PM TRX

Former Member · ‎01-04-2008

Hi,

If you want to know more which transaction calls others or is called by others look into transaction SE97, you can also manipulate it there. The table is TCDCOUPLES you can use transaction SE16 to look into this.

Look also in the profile generator at tab menu option Authorization default, you can add transactions there which the user will no be able to see in the user menu, but the profile generater gives you the defaults.

Have fun

Jan van Roest