
Authorization for transaction SE11 & SE12

Former Member
0 Kudos

Hi experts,

I need to assign authorization to SE12, but not to SE11. I did find the authorization objects for SE12 & SE11 & found S_DEVELOP is marked to be checked in both from SU24.

In my Role the activity is set as change, display.

But I am able to access both SE11 & SE12.

Could you let me know where is the control to exclude access to SE11 & only grant SE12?

Thanks,

Pri

7 REPLIES 7

Former Member
0 Kudos

Anne,

You create another role, give SE12 only and control the access.

Regards

Rajesh

0 Kudos

Hi Rajesh,

Yes you are right I can do that. But we only have one Role a copy from SAP_ALL & excluded S_TRANSPRT as they should not allow to change customization.

So inside this Profile I can already see the object S_DEVELOP which has both change & display activity.

Is there a way to control within this profile of ZSAP_ALL without creating a separate role for SE11 & SE12?

Pls suggest.

Pri

0 Kudos

You will have to control it using S_DEVELOP in separate roles, because after clicking DISPLAY all the menu options are back.

Any transaction checking S_DEVELOP 03 (or more) is telling you: "Please start forgetting about S_TCODE here".

Cheers,

Julius

fredrik_borlie
Contributor
0 Kudos

> Could you let me know where is the control to exclude access to SE11 & only grant SE12?
>
> Thanks,
>
> Pri

Hi Pri,

The way I read your question it sounds like you want to not give access to the full transaction of SE11 and only to SE12.

The authorization object that controls that is S_TCODE.

Most likely you have the value * in the field TCODE.

What you need to do is to create a range that excludes the transaction(s) you do not want.

As example:

from 0* to SE10

from SE12 to Z*

However, there are many more transactions that you should not hand out to developers.

Just some transactions as example

SU01 User management

SCC4 Client maintenance

SCC8 Client deletion

I would also like to point out that it is a wiser way of working to give access to functions that should be accessed, rather than to take away authorizations of functions that should not be accessed.

Best regards

Fredrik

Former Member
0 Kudos

Hi,

In our SAP system, I have access to SE11. But I do not have access to SE12.

The SU53 details are:

Object Class AAAB Cross-applica

Authorization Obj. S_TCODE

I don't know how this is possible.

Can you please guide and advise what should be corrected?

Thanks,

Jagan

0 Kudos

Why do you need SE12?

Just add SE11_OLD to your access and you should be fine.

Cheers,

Julius

ps: Thanks for using the search...

pps: SU53 shows the last failed authority-check in the code. This is particularly confusing when you click on "OK" or "BACK" and subsequent checks are performed although you have the correct access. It encourages to add more access, which is often wrong.

0 Kudos

This looks like faulty and incomplete configuration in SE97 delivered by SAP.

The calling program which is the same switches the tcode context but then (correctly) checks the transaction code --> AUTHORITY_CHECK_TCODE. However it has already changed (case sy-tcode).

I guess it is difficult to retro-fit tcodes to menus....

In the interim you can "repair" SE11 to "no check" SE11_OLD in SE97, but probably you won't get very far with that because there is lots of navigation (see my previous comment about S_DEVELOP) and if the called transaction is the same as sy-tcode then it checks itself again...

Please try adding SE11_OLD as tcode and open a customer message via OSS to correct SU24 data (and possibly the coding to make it more security admin friendly...).

Cheers,

Julius