I think excluding SA38 isn't enough. When users have acces to all transactions except SA38, they still can start a program via transaction SE38, also via SE80 and I'm sure there are some other transactions available. Users can even delete entries in your database. If that's the only restriction, there is no security, the whole system is open for changes by any user.

Actually, I want to exclude se38, also. Do you have suggestion?

Best regards,

Dragan

But there are a lot of other administration transaction a normal SAP user don't need. I don't know what you want to do, but you can create roles based on the sap-menu, you can prepare a list of transactions a group of users needs and put this list into a role, you can start from standard SAP-roles, Some composite roles are available, take one of these as a basis and adapt these to your situation. With excluding only a few transactions, you're not sure that people make serious 'mistakes'. There are about 75000 transactions in SAP and probably a few thousands are within the area of the database, systemsettings, programming, datadictionary,...All these transactions are not supposed to be executed by e.g. a financial accountant.

If you want to make a few 'large' roles, try to start from the sap-menu and choose some big blocks and deactivate the things you don't need. E.g. if you don't have fixed assets, users don't need acces to transactions related to fix assets.

Both answers, from Mr. Heeck and from Mr. Sprangers were useful.