05-29-2008 1:14 PM
Hello,
I want to restrict authorization for the object s_tcode within pfcg. Currently, the value for the Field Transaction Code is *, and I want to exclude the transaction sa38.
Is it enough to set the values like this: Fields 'From' 0* and 'To' sa37 AND 'From' sa39 and 'To' Z*?
Best regards,
Dragan
05-29-2008 1:18 PM
Technically, yes.
Erm, oops, no. There are also transactions which start with a slash. So it should be /*-SA37
Edited by: Jurjen Heeck on May 29, 2008 2:18 PM
05-29-2008 1:18 PM
Technically, yes.
Erm, oops, no. There are also transactions which start with a slash. So it should be /*-SA37
Edited by: Jurjen Heeck on May 29, 2008 2:18 PM
05-29-2008 1:28 PM
I think excluding SA38 isn't enough. When users have acces to all transactions except SA38, they still can start a program via transaction SE38, also via SE80 and I'm sure there are some other transactions available. Users can even delete entries in your database. If that's the only restriction, there is no security, the whole system is open for changes by any user.
05-29-2008 1:34 PM
Actually, I want to exclude se38, also. Do you have suggestion?
Best regards,
Dragan
05-29-2008 1:49 PM
But there are a lot of other administration transaction a normal SAP user don't need. I don't know what you want to do, but you can create roles based on the sap-menu, you can prepare a list of transactions a group of users needs and put this list into a role, you can start from standard SAP-roles, Some composite roles are available, take one of these as a basis and adapt these to your situation. With excluding only a few transactions, you're not sure that people make serious 'mistakes'. There are about 75000 transactions in SAP and probably a few thousands are within the area of the database, systemsettings, programming, datadictionary,...All these transactions are not supposed to be executed by e.g. a financial accountant.
If you want to make a few 'large' roles, try to start from the sap-menu and choose some big blocks and deactivate the things you don't need. E.g. if you don't have fixed assets, users don't need acces to transactions related to fix assets.
05-29-2008 1:57 PM
05-29-2008 2:42 PM