Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Restricting SCC4 Tcode, from the Role that was extracted from SAP_ALL profile

NZ9999
Explorer

‎03-04-2015 7:20 AM

0 Kudos

Hi,

Recently we have created a role extracting from SAP_ALL profile. We have deactivated many Basis, and other Critical Tcodes for our Dev & QTY systems by identifying the authorization objects.

But- for SCC4 we want to know if there is any other way to restrict the access.

Since we created the role by extracting the profiles from SAP_ALL. S_TCODE has * value, and S_TABU_CLI: has "X" value.

- problem is we cant deactivate or limit the usage of S_TABU_CLI:X as we have many ZTcodes for direct maintenance, which needs this AO.

- At the same time, we are trying hard to restrict SCC4.

So, please suggest if there is any other alternative way to restrict Tcode SCC4, by not being able to run using the New Role.

Regds,

Satish.

Preview file
73 KB
4 REPLIES 4

Former Member

‎03-04-2015 7:34 AM

0 Kudos

You should segregate the task and then create the roles depends on the tasks. You can’t have all in one role then want to restrict by user.

The SCC4 and other basis related transactions should be only in basis role.

former_member74904
Contributor

‎03-04-2015 8:35 AM

0 Kudos

First of, let me say that I fully agree with . The building block approach is the way to go when designing roles.

But if we're being practical, you could use authorization groups for tables (T-code SE54) and assign a custom auth. group to table T000. Then use this group to authorize (or actually not authorize) with object S_TABU_DIS.

Again, this is just a practical tip. The whole "create a role from SAP_ALL" thing is a totally different subject altogether.

Good luck!

Dimitri.

Private_Member_69416
Active Participant

‎03-05-2015 7:09 AM

0 Kudos

Hi

You can lock SCC4 access in SM01.

Some security auditors recommend to lock SCC1, SCC4, SCC5

Regards

Przemek

Former Member

‎03-05-2015 9:27 AM

0 Kudos

Hi Satish,

  You can use the interval concept in S_Tcode for entering the t-code values. I am providing you a simple example:

  A* to SCB*

  enter manually the values from scc1 to scc9 excluding scc4

  then scd* to z*

Regards,

Deepak