
Tailor SAP_ALL to restrict system authorizations

Hello All,

I am new to this forum and I feel it's one of the best forums I have looked at.

I moved from infra to Security.

It's my first question; I hope you guys will help me. I tried searching the pages but did not find the answer.

Question:

My task is to create a role with SAP_ALL and tailor it to suit the restrictions.

My manager gave me about 200 Tcodes (system auth.) that developers and config guys should be restricted to.

I was trying to maintain ranges in S_TCODE; however, it's getting complex for me to decide on the ranges.

Guys, do you think I am doing this correctly? Please suggest what I should do.

Thanks all, please help me.

Anil.

4 Answers

  • Posted on Jan 30, 2008 at 04:48 PM

    Hi Anil

    When you say "My manager gave me about 200 Tcodes(system auth.), developers and config guys should be restricted to"

    Do you mean that you have been given 200 tx that they should be able to run?

    If that is the case then you are better off creating a role containing those 200 transaction codes.

    The problem with SAP_ALL is that you can make big changes to the S_TCODE ranges, but the users have enough underlying access to perform the functions that you are trying to restrict in the first place.

    The best approach is to get a list of transactions that the users require and build roles from there. It is a bit painful the first time you have to create those roles but will generally be a lot more secure.


    • In addition to Alex:

      Don't be tempted to put S_TCODE ranges in your roles. It does save a lot of time during the build but will eventually backfire in maintenance and with audits.

      You may want to look at the standard SAP delivered roles and compare the transactions in there with the list you've got. Maybe some of those fit part of your needs and then you'd only have to copy them to your namespace.

      On the other hand, the creator of the 200 TCODE list must, at some point, have had an idea what they're meant for. That should give a good clue how to group them in roles.

      HTH

      Jurjen

  • Former Member
    Posted on Jan 30, 2008 at 05:49 PM

    I really appreciate your quick reply. I think you got my question in reverse. My apologies! I think I was not clear with my question!

    I meant to say "the users should be restricted to those 200 tcodes". As it is a sandbox, my manager's thought is that users should be able to do all the research except for the tcodes which she provided me.

    My task is to 1) create a role with SAP_ALL and tailor it in a way that the role has NO ACCESS to the list of Tcodes (those 200 Tcodes; basically they are Basis tcodes).

    Hope I was clear this time.

    Thanks in advance. I really appreciate any kind of help and look forward to your thoughts!


    • Hi Anil,

      Thanks for clarifying that point & providing the extra info.

      As it's your sandbox then you can usually get away with a bit more of a loose approach. In most sandbox environments users tend to get SAP_ALL.

      What is common in your situation:

      1. Classify the 200 tx into groups of functionality.

      2. Identify the authorisation objects which give the real access to those functions (see my previous points about S_TCODE security)

      3. Remove access to the auth objects which correspond to those groups of functions. This will give you far more control than restricting S_TCODE ranges.

      If you really want to, then you could create some ranges to exclude some of the most obvious codes, e.g. SCC4, SU01 etc. It won't make it any more secure though.

      In a sandbox you may want to think about restricting things like transports (S_TRANSPRT), System Admin stuff (some S_ADMI_FCD functions), S_RZL_ADM, some of the S_USER objects - I think you get the gist of it, there are lots more.

  • Former Member
    Posted on Jan 30, 2008 at 07:29 PM

    That was a quick reply. I got a picture of where you're coming from.

    Just for my information, if I want to restrict the below tcodes:

    SMET
    SMETDELBUFF
    SMETDELPROG
    SMLG
    SMLI
    SMLT
    SMLT_EX
    SMLT_OLD
    SMME
    SMOD
    SMOMO
    SMQ1
    SMQ2
    SMQ3
    SMQA
    SMQE
    SMQR
    SMQS
    SMT1
    SMT2

    Do my ranges look logical to you in S_TCODE?

    FROM - TO
    SMA*
    SMD*
    SMEA - SMES
    SMEU - SMEZ /restricts SMET, SMETDELBUFF, SMETDELPROG/
    SMF - SMK /restricts SMLG, SMLI, SMLT, SMLT_EX, SMLT_OLD, SMME, ........../
    SMU - SMZ

    Please don't mind if I am wrong. I am learning, so I hope you understand my curiosity.

    Thanks a lot Alex...!


  • Former Member
    Posted on Jan 30, 2008 at 10:40 PM

    Thanks All...!
