Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to restrict only SPRO frpm SAP_ALL

Go to solution
Former Member

‎03-18-2008 6:28 AM

0 Kudos

Hello all,

How can i restrict SPRO after adopting SAP_ALL in to a role.

I was asked to work on a scenario only to restrict SPRO from

SAP EASY ACCESS MENU.

Please see if ny one can give me descriptive procedure.

Best Regards,

Rahul.

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎03-18-2008 6:38 AM

0 Kudos

Hello Rahul,

Please find the below link which is very helpful to u :

[]

Rgds,

Gadde.

7 REPLIES 7

Go to solution
Former Member

‎03-18-2008 6:38 AM

0 Kudos

Hello Rahul,

Please find the below link which is very helpful to u :

[]

Rgds,

Gadde.

Go to solution
Former Member

‎03-19-2008 6:34 AM

0 Kudos

Dear all,

I actually resolved it restricitng SPRO from easy access menu

Initially i created role Z*****

then Authorization tab .

Change authorizatin data

Adopt SAP_ALL

then got to find & find the object S_TCODE

expand it

click on change button

In S_TCODE delete *

From A* to R*

next line S* & press F4 select all the transactons starting with S & uncheck SPRO

next T* to Z*

save it close Generate role & compare it.

Cheers,

Rahul.,

Go to solution
former_member759680
Contributor
In response to Former Member

‎03-19-2008 7:14 AM

0 Kudos

Add 2 more line in S_TCODE

/*

0* to 9*

Go to solution
Former Member

‎04-24-2008 3:46 AM

0 Kudos

Hi All,

There is a simple way to block SPRO in any role.

Just follow these steps:

(1) Create a role in PFCG and save it.

(2) Go to authorizations tab and select 'expert mode'.

(3) Select SAP_ALL template and click 'adopt reference'.

(4) Save, generate, then find S_TCODE object and change values to 0-SPRN, SPRP-Z

(5)Save, generate again.

If you are trying to block in an existing role then follow from step no - 4

Reply me if it is helpful....

Regards

Malay

Go to solution
jurjen_heeck
Active Contributor
In response to Former Member

‎04-24-2008 7:45 AM

0 Kudos

And how does removing spro from S_TCODE block all underlying programs?

You guys are only locking the front door but leaving all windows open!

Do a search on S_DEVELOP in the forums to see the #1 security backdoor you've left open.

You'll seriously have to go by all objects in the BC* object classes. (at least)

Go to solution
Former Member
In response to Former Member

‎04-24-2008 6:06 PM

0 Kudos

Guys - listen to Jurjen!

Remove SPRO but you still have everyone being able to run the config transactions - like those beginning with O* for example.

I'm feeling cheesy today so.........when you build a house do you carve it out of 1 block of stone until you have something useful (modifying SAP_ALL) or build it from it's component parts until you have something you want?

Go to solution
jurjen_heeck
Active Contributor
In response to Former Member

‎04-25-2008 7:56 AM

0 Kudos

> 

> when you build a house do you carve it out of 1 block of stone until you have something useful (modifying SAP_ALL) or build it from it's component parts until you have something you want?

Nicely put!

If your only house-knowledge is a rough idea about the size and shape the first option still is tempting