Skip to Content
author's profile photo Former Member
Former Member

Autho. on program and tables

Hi All,

I have 2 question

1. Is there any way to stop user from direct processing of programs.eg. There are many users who do not have access to SE38 to run any program, but they found a wayaround. They logon to R/3 > System > Status > Double click on Programs > it takes you to the source code of the program--> Other Object and then can run any program --> And then Direct Processing....

Is there any way to stop this and how. Please give me the steps and I am new to Autho.

2. I have to give access to some users for some tables in transaction SM31. But only few tables?? ( might be Z tables also). Is there any way to give on access to sm31 and only mentioned table?

Your reply is appreciated.

Thanks

Prash

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

3 Answers

  • Best Answer
    Posted on Nov 15, 2007 at 07:46 AM

    For the programs, remove object S_DEVELOP, activity 03 (this is what is neded to perform the "workaround" you mention). Assign all programs to t-codes, give the users access to execute those transactions, and take away S_DEVELOP altogether. Should work.

    As for tables, these should always be assigned to authorization groups (from the table maintenance, go to Utilities->Table maintenance generator). Assign an auth group and limit this in S_TABU_DIS.

    Regards,

    Trond

    Message was edited by:

    Trond Stroemme

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      one additional remark, for the TRX access also check for roles were S_TCODE Is set to * this also should be strictly forbidden and the other option that is mostly overlooked when in the object S_TCODE access is given to a range that is to wide or wrongly filled in thus allowing wide access.

  • author's profile photo Former Member
    Former Member
    Posted on Nov 15, 2007 at 10:20 AM

    Hello Prasanth,

    for point1 - to Stop:

    R/3> System> Status> Double click on Programs> it takes you to the source code of the program--> Other Object and then can run any program --> And then Direct Processing....

    from happening...

    You have to: see that the following is resticted in your developer roles.

    Object - S_DEVELOP

    activity 03

    DEVCLASS- SESS

    OBJNAME - SMTR_NAVIGATION

    OBJTYPE - FUGR

    for the second... i'll let u know ASAP.

    points are welcomed.

    Regards,

    Srihari

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      SAP already has a lot of standard authorization groups available for tables. These can be seen in SE54 trx or in the table TBRG for object S_TABU_DIS. The asociation between the auth group and the tables can be seen in table TDDAT. An example of such an association would be table T000 linked to auth group SS. So if you want to restrict people from changing/creating clients, remove the access for group SS from the S_TABU_DIS object in their roles.

      Now if you want to allow a user access to only some new Z-tables then the procedure would be -

      1. create a new auth group for S_TABU_DIS via SE54.

      2. modify table TDDAT to associate the required Z-tables to the Z-auth group.

      3. create a new role with SM30/31 and the object S_TABU_DIS and only add the new Z-auth group in field DICBERCLS.

      4. assign the role to the concerned user. (remember to remove other roles giving access to this object from the user first).

      For SE38, there can be two type of control - program display (code) access via S_DEVELOP and execution access via S_PROGRAM.

      S_PROGRAM control works on a principle similar to S_TABU_DIS.

      The field P_GROUP contains auth group values for programs which are maintained in the table TPGP.

      The association between the program and the program group can be maintained using the program RSCSAUTH. (this maintains the table SREPOATH).

      Hope this helps. Please award appropriate points.

      Regards,

      Sanju.

  • author's profile photo Former Member
    Former Member
    Posted on Nov 15, 2007 at 11:01 AM

    Hi Prashant,

    For Point 2:

    You need to create an Authorization Group for table maintenance (SE54) and include all the list of tables u want to restrict the access. Then in S_TABU_DIS, for the field DICBERCLS add this group with activity 03.

    By this way the users can have display access only to view those tables which are associated with the Authorization group (in this case, your new Auth.grp)

    Regards,

    Srihari

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.