01-26-2008 1:45 PM
Hi,
I have a Key User who has access to the ABAP CODE via SA38 -> System Status -> double click the report name. How can I prohibit the user from looking at the code?
Thanks,
Shah.
01-27-2008 9:29 AM
Hi,
Try removing access to SA38 and activity 03 in S_PROGRAM. Then, add the reports to the report tree for execution.
Alternatively (and I don't recommend this, but it does work), if you want to protect custom programs then you could modify the name of the ABAP source code in the ORACLE-only table D010S which contains the ABAP source. This makes it different from the load module, which retains its original name to allow it to execute.
There are those who argue that you should provide more freedom to extract data from the system using the programs. However, consider the case of someone who does not have access to SE03, and so he uses SA38, writes the standard program to run this TCode, and uses it.
Not all standard programs have this problem because some of them make an initial validation by an authorization object before running on the ABAP editor. I recommended this approach as the first step in the Profile Generator is to make a first validation by the TCode. You should also make sure that the people who do queries are able to acquire the TCode.
One other thought is that the access definitions in the development environment are more powerful in terms of making ABAP programs and running them. In the production system this is more restricted for security reasons.
Reward points if found helpful.
Cheers,
Chandra Sekhar.
01-28-2008 7:39 AM
Hi,
Assign limited authorisation to the user.
Please refer to the link:
http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
The transaction for creating an authorization object is SU21 and for a role it is PFCG.
Regards,
Renjith Michael.