Skip to Content
0

SCC4 with S_TABU_DIS 02 and/or S_TABU_CLI CLIDMAINT" "

Jan 22 at 10:35 PM

127

avatar image
Former Member

1. Can I change SCC4 setting with SM30 or SCC4 t-code along with S_TABU_DIS ACTVT 02 if I have access to SS authorization group?

2. What can a user with access to S_TABU_CLI with CLIIDMAINT “ ” do?

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

2 Answers

Alessandro Banzer
Jan 24 at 03:57 PM
1

Dear Aftab,

if the user has S_TABU_DIS with 02, then he can basically change the tables in table group SS. Since SCC4 changes cross-client tables, S_TABU_CLI must also be authorized (gets checked after S_TABU_DIS was successful). So ' ' means that cross-client tables cannot be maintained. If you authorize S_TABU_CLI with X, then the user can change cross-client tables. The S_TABU_CLI check is supplementary to S_TABU_DIS. If S_TABU_DIS (or S_TABU_NAM) does not grant access to change a table, then S_TABU_CLI is not being checked.

Hope that helps.

Cheers, Alessandro

Share
10 |10000 characters needed characters left characters exceeded
Joshua Bennett Feb 23 at 10:34 PM
0

Hi Aftab,

To add onto Alessandro's nice summary, a few other things to consider are:

S_CTS_ADMI Authorizations

Depending on which client settings you are trying to change, authorizations for S_CTS_ADMI w/ CTS_ADMFCT = TABL may also be required. Without these authorizations (i.e., if you only have the S_TCODE + S_TABU_DIS or S_TABU_NAM + S_TABU_CLI authorizations), you can enter the client settings detail screen in change view, but the your changes would be limited to:

  • T000-MTEXT- Name
  • T000-ORT01 - City
  • T000-LOGSYS - Logical system
  • T000-MWAER - Std currency
  • T000-CCCATEGORY - Client role
  • T000-CCIMAILDIS - CATT and eCATT Restrictions

Without the S_CTS_ADMI authorizations, the most two most sensitive client settings related to protection against changes to client-dependent customizing objects (T000-CCCORACTIV) and cross-client customizing and repository objects (T000-CCNOCLIIND) are greyed out and cannot be changed (along with the setting for client copy and comparison tool protection (T000-CCCOPYLOCK)).

If you run an authorization trace in STAUTHTRACE or ST01, you will notice that there is also a check for S_ADMI_FCD authorizations when changing the client settings via SCC4, SM30, and others. However, you can still maintain the client settings without these authorizations when going through SCC4 / SM30 and parameters. The only place I have seen a lack of S_ADMI_FCD authorizations prevent change access to the client settings (assuming the user has the appropriate S_TCODE / S_TABU_DIS/NAM / S_TABU_CLI authorizations) is when calling SCC4 from the SE06 System Change Option screen's Client Setting button.

S_TCODE Considerations w/ SAP Note 1265043 - S_TCODE Authority check on T000 by SM30

One key consideration around the S_TCODE authorizations for this function is whether corrections from note 1265043 have been implemented, which adds event CHECK_AUTHORITY_SCC4 to remove the ability to maintain client settings using SM30 and other similar maintenance view transactions, forcing the requirement for the SCC4 S_TCODE authorization requirement.

Without these note corrections implemented, keep in mind that there are approximately 45 standard TCodes (at least that I am aware of) that can be used to maintain client settings, most of which are parameter transactions for SM30 or SM31 - some of which bring you directly to the SM30 / SM31 initial screen with no parameters passed along and some of which pass along parameters for a specified table / view but do not skip the initial screen and thus can have the default parameter values overridden by changing the table / view name to T000 at the initial screen.

Hope that helps,

Josh

Share
10 |10000 characters needed characters left characters exceeded