06-19-2008 3:35 AM
Hi experts,
I need to assign authorization to SE12, but not to SE11. I did find the authorization objects for SE12 & SE11 & found S_DEVELOP is marked to be checked in both from SU24.
In my Role the activity is set as change, display.
But I am able to access both SE11 & SE12.
Could you let me know where is the control to exclude access to SE11 & only grant SE12?
Thanks,
Pri
06-19-2008 4:10 AM
Anne,
You create another role, give SE12 only, and control the access.
Regards
Rajesh
06-19-2008 4:17 AM
Hi Rajesh,
Yes, you are right, I can do that. But we only have one Role, a copy from SAP_ALL, & excluded S_TRANSPRT as they should not be allowed to change customization.
So inside this Profile I can already see the object S_DEVELOP, which has both change & display activity.
Is there a way to control within this profile of ZSAP_ALL without creating a separate role for SE11 & SE12?
Please suggest.
Pri
06-19-2008 11:18 AM
You will have to control it using S_DEVELOP in separate roles, because after clicking DISPLAY all the menu options are back.
Any transaction checking S_DEVELOP 03 (or more) is telling you: "Please start forgetting about S_TCODE here".
Cheers,
Julius
06-19-2008 10:56 AM
>
> Could you let me know where is the control to exclude access to SE11 & only grant SE12?
>
> Thanks,
> Pri
Hi Pri,
The way I read your question it sounds like you want to not give access to the full transaction of SE11 and only to SE12.
The authorization object that controls that is S_TCODE.
Most likely you have the value * in the field TCODE.
What you need to do is to create a range that excludes the transaction(s) you do not want.
As an example:
from 0* to SE10
from SE12 to Z*
However, there are many more transactions that you should not hand out to developers.
Just some transactions as examples:
SU01 User management
SCC4 Client maintenance
SCC8 Client deletion
I would also like to point out that it is a wiser way of working to give access to functions that should be accessed, rather than to take away authorizations of functions that should not be accessed.
Best regards
Fredrik
08-22-2010 8:57 PM
Hi,
In our SAP system, I have access to SE11. But I do not have access to SE12.
The SU53 details are:
Object Class AAAB Cross-applica
Authorization Obj. S_TCODE
I don't know how this is possible.
Can you please guide and advise what should be corrected?
Thanks,
Jagan
08-22-2010 10:21 PM
Why do you need SE12?
Just add SE11_OLD to your access and you should be fine.
Cheers,
Julius
ps: Thanks for using the search...
pps: SU53 shows the last failed authority-check in the code. This is particularly confusing when you click on "OK" or "BACK" and subsequent checks are performed although you have the correct access. It encourages adding more access, which is often wrong.
08-22-2010 10:49 PM
This looks like faulty and incomplete configuration in SE97 delivered by SAP.
The calling program, which is the same, switches the tcode context but then (correctly) checks the transaction code --> AUTHORITY_CHECK_TCODE. However it has already changed (case sy-tcode).
I guess it is difficult to retro-fit tcodes to menus....
In the interim you can "repair" SE11 to "no check" SE11_OLD in SE97, but probably you won't get very far with that because there is lots of navigation (see my previous comment about S_DEVELOP) and if the called transaction is the same as sy-tcode then it checks itself again...
Please try adding SE11_OLD as tcode and open a customer message via OSS to correct SU24 data (and possibly the coding to make it more security admin friendly...).
Cheers,
Julius