07-30-2008 9:49 AM
Hi,
Client requirement is Blocking the t-codes (MMPV, MMRV, OB52, CK40N, S_ALR_87003642, SPRO, SCC4.)for all users except 3 main users. Please suggest how can we perform this activity.
Thanks
shrinivas.
07-30-2008 9:57 AM
Just make sure they're in no role at all (and take care of underlying rights as well). Once that's secured you can create a special role for your three users....
Blocking T-codes is systemwide and mostly provides fake security. Blocking a T-code doesn't prevent the actual program from being started.
07-30-2008 11:21 AM
> Blocking T-codes is systemwide and mostly provides fake security. Blocking a T-code doesn't prevent the actual program from being started.
True... unless there is a call to function module AUTHORITY_CHECK_TCODE upfront in the program, in which case: potentially false.
See SAP Note 358122.
Cheers,
Julius
07-31-2008 6:29 AM
Hi,
By using SUIM, roles by complex selection creteria I found roles which gives access to each t-code. I found 2 or more roles for each t-code. For some roles in users tab there are no users assigned. Then I went each role in pfcg and deactivated the authrization object which are maintained in SU24 for each t-code. but I couldn't find the t-code in Menu tab to delete manually instead of deactivating auth.obj. In the Menu tab I choose find button and searched for each t-code. for some t-code it is saying not found and for some t-code it is showing pop-up menu FIND IN ROLE MENU TREE.
node MMRV close period
preceeding node other
preceeding node material master
I couldn't understand this.
And I tried using users by complex selection creteria, I found for each t-code 6-7 common users are having access.
but some of these users are not found in the roles( users tab) which I extraced using SUIM: roles by complex selection creteria. for each t-code.
Thanks,
shrinivas.
.
07-31-2008 7:09 AM
if the roles do not have any users assigned in the users tab , it mean that no users are getting access to these roles so you don't have to worry about these roles.
by de-activating only the auth objects you may have disabled the functionality of some other txcodes that share these common objects. This is only going to cause more problems instead of resolving your existing one.
one of the reasons you are unable to find the txcode in the menu tab is because the person who worked on that role earlier might have manually added this txcodes in S_Tcode ( could also be part of txcode range )
when you run a search and you find a pop-up, it is telling you exactly under which folder(node) the txcode exists if it is assigned via the menu.
again a user may have txcodes manually added in S_TCODE with a range.
Hope this helps in your role adventure..