03-18-2008 6:28 AM
Hello all,
How can i restrict SPRO after adopting SAP_ALL in to a role.
I was asked to work on a scenario only to restrict SPRO from
SAP EASY ACCESS MENU.
Please see if ny one can give me descriptive procedure.
Best Regards,
Rahul.
03-18-2008 6:38 AM
03-18-2008 6:38 AM
03-19-2008 6:34 AM
Dear all,
I actually resolved it restricitng SPRO from easy access menu
Initially i created role Z*****
then Authorization tab .
Change authorizatin data
Adopt SAP_ALL
then got to find & find the object S_TCODE
expand it
click on change button
In S_TCODE delete *
From A* to R*
next line S* & press F4 select all the transactons starting with S & uncheck SPRO
next T* to Z*
save it close Generate role & compare it.
Cheers,
Rahul.,
03-19-2008 7:14 AM
04-24-2008 3:46 AM
Hi All,
There is a simple way to block SPRO in any role.
Just follow these steps:
(1) Create a role in PFCG and save it.
(2) Go to authorizations tab and select 'expert mode'.
(3) Select SAP_ALL template and click 'adopt reference'.
(4) Save, generate, then find S_TCODE object and change values to 0-SPRN, SPRP-Z
(5)Save, generate again.
If you are trying to block in an existing role then follow from step no - 4
Reply me if it is helpful....
Regards
Malay
04-24-2008 7:45 AM
And how does removing spro from S_TCODE block all underlying programs?
You guys are only locking the front door but leaving all windows open!
Do a search on S_DEVELOP in the forums to see the #1 security backdoor you've left open.
You'll seriously have to go by all objects in the BC* object classes. (at least)
04-24-2008 6:06 PM
Guys - listen to Jurjen!
Remove SPRO but you still have everyone being able to run the config transactions - like those beginning with O* for example.
I'm feeling cheesy today so.........when you build a house do you carve it out of 1 block of stone until you have something useful (modifying SAP_ALL) or build it from it's component parts until you have something you want?
04-25-2008 7:56 AM
>
> when you build a house do you carve it out of 1 block of stone until you have something useful (modifying SAP_ALL) or build it from it's component parts until you have something you want?
Nicely put!
If your only house-knowledge is a rough idea about the size and shape the first option still is tempting