In light of heightened focus on controls (i.e. Sarbanes-Oxley), is anyone aware whether SAP formally recommends fully restricting user access to SA38 in a production system. Some programs delivered by SAP do not have transaction codes assigned to them. Is there a high risk in affording this access if programs are properly secured.