Former Member


1. Can I change SCC4 setting with SM30 or SCC4 t-code along with S_TABU_DIS ACTVT 02 if I have access to SS authorization group?

2. What can a user with access to S_TABU_CLI with CLIIDMAINT “ ” do?


2 Answers

  • Jan 24, 2018 at 03:57 PM

    Dear Aftab,

    if the user has S_TABU_DIS with 02, then he can basically change the tables in table group SS. Since SCC4 changes cross-client tables, S_TABU_CLI must also be authorized (gets checked after S_TABU_DIS was successful). So ' ' means that cross-client tables cannot be maintained. If you authorize S_TABU_CLI with X, then the user can change cross-client tables. The S_TABU_CLI check is supplementary to S_TABU_DIS. If S_TABU_DIS (or S_TABU_NAM) does not grant access to change a table, then S_TABU_CLI is not being checked.

    Hope that helps.

    Cheers, Alessandro


  • Feb 23, 2018 at 10:34 PM

    Hi Aftab,

    To add onto Alessandro's nice summary, a few other things to consider are:

    S_CTS_ADMI Authorizations

    Depending on which client settings you are trying to change, authorizations for S_CTS_ADMI w/ CTS_ADMFCT = TABL may also be required. Without these authorizations (i.e., if you only have the S_TCODE + S_TABU_DIS or S_TABU_NAM + S_TABU_CLI authorizations), you can enter the client settings detail screen in change view, but your changes would be limited to:

    • T000-MTEXT - Name
    • T000-ORT01 - City
    • T000-LOGSYS - Logical system
    • T000-MWAER - Std currency
    • T000-CCCATEGORY - Client role
    • T000-CCIMAILDIS - CATT and eCATT Restrictions

    Without the S_CTS_ADMI authorizations, the two most sensitive client settings related to protection against changes to client-dependent customizing objects (T000-CCCORACTIV) and cross-client customizing and repository objects (T000-CCNOCLIIND) are greyed out and cannot be changed (along with the setting for client copy and comparison tool protection (T000-CCCOPYLOCK)).

    If you run an authorization trace in STAUTHTRACE or ST01, you will notice that there is also a check for S_ADMI_FCD authorizations when changing the client settings via SCC4, SM30, and others. However, you can still maintain the client settings without these authorizations when going through SCC4 / SM30 and parameters. The only place I have seen a lack of S_ADMI_FCD authorizations prevent change access to the client settings (assuming the user has the appropriate S_TCODE / S_TABU_DIS/NAM / S_TABU_CLI authorizations) is when calling SCC4 from the SE06 System Change Option screen's Client Setting button.

    S_TCODE Considerations w/ SAP Note 1265043 - S_TCODE Authority check on T000 by SM30

    One key consideration around the S_TCODE authorizations for this function is whether corrections from note 1265043 have been implemented, which adds event CHECK_AUTHORITY_SCC4 to remove the ability to maintain client settings using SM30 and other similar maintenance view transactions, forcing the requirement for the SCC4 S_TCODE authorization requirement.

    Without these note corrections implemented, keep in mind that there are approximately 45 standard TCodes (at least that I am aware of) that can be used to maintain client settings, most of which are parameter transactions for SM30 or SM31 - some of which bring you directly to the SM30 / SM31 initial screen with no parameters passed along and some of which pass along parameters for a specified table / view but do not skip the initial screen and thus can have the default parameter values overridden by changing the table / view name to T000 at the initial screen.

    Hope that helps,


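The check sequence described in the two answers above, written as an added Python sketch for reviewing role exports; it is not SAP code and not from either poster. The user names and authorization data are constructed, values are matched as literals or "*" only, and SM30 stands in for the other maintenance transactions mentioned.

```python
# Added example; models the check order described in the answers above.
# Assumption: field values are literals or "*"; ranges/patterns are not expanded.

def grants(auths, obj, **need):
    """True if a single authorization for obj covers every needed field value."""
    return any(
        a_obj == obj
        and all({"*", v} & set(fields.get(f, ())) for f, v in need.items())
        for a_obj, fields in auths
    )

def t000_change_access(auths, note_1265043=False):
    """Classify change access to client settings: 'none', 'limited' or 'full'."""
    # With the note applied only SCC4 is accepted; SM30 stands in here for the
    # other maintenance transactions that work without it.
    tcodes = ["SCC4"] if note_1265043 else ["SCC4", "SM30"]
    if not any(grants(auths, "S_TCODE", TCD=t) for t in tcodes):
        return "none"
    # Table authorization comes first: group SS, or T000 by name.
    if not (grants(auths, "S_TABU_DIS", ACTVT="02", DICBERCLS="SS")
            or grants(auths, "S_TABU_NAM", ACTVT="02", TABLE="T000")):
        return "none"  # S_TABU_CLI is not reached
    # Supplementary check because T000 is cross-client.
    if not grants(auths, "S_TABU_CLI", CLIIDMAINT="X"):
        return "none"
    # CCCORACTIV, CCNOCLIIND and CCCOPYLOCK stay greyed out without this.
    if grants(auths, "S_CTS_ADMI", CTS_ADMFCT="TABL"):
        return "full"
    return "limited"

# Constructed sample users: (authorization object, {field: [values]})
USERS = {
    "BASIS_ADM": [("S_TCODE", {"TCD": ["SCC4"]}),
                  ("S_TABU_DIS", {"ACTVT": ["02", "03"], "DICBERCLS": ["SS"]}),
                  ("S_TABU_CLI", {"CLIIDMAINT": ["X"]}),
                  ("S_CTS_ADMI", {"CTS_ADMFCT": ["TABL"]})],
    "CUSTOMIZER": [("S_TCODE", {"TCD": ["SM30"]}),
                   ("S_TABU_NAM", {"ACTVT": ["02"], "TABLE": ["T000"]}),
                   ("S_TABU_CLI", {"CLIIDMAINT": ["*"]})],
    "NO_CLI": [("S_TCODE", {"TCD": ["SCC4"]}),
               ("S_TABU_DIS", {"ACTVT": ["02"], "DICBERCLS": ["SS"]}),
               ("S_TABU_CLI", {"CLIIDMAINT": [" "]})],
    # ACTVT 02 and group SS sit in different authorizations, so neither matches.
    "SPLIT_AUTH": [("S_TCODE", {"TCD": ["SCC4"]}),
                   ("S_TABU_DIS", {"ACTVT": ["02"], "DICBERCLS": ["SC"]}),
                   ("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLS": ["SS"]}),
                   ("S_TABU_CLI", {"CLIIDMAINT": ["X"]})],
}

def audit(users, note_1265043=False):
    return {u: t000_change_access(a, note_1265043) for u, a in users.items()}
```

A result of "limited" corresponds to the six fields listed in the second answer; "full" adds the three protected settings.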