Skip to Content
avatar image
Former Member

restrict authorization, s_tcode

Hello,

I want to restrict authorization for the object s_tcode within pfcg. Currently, the value for the Field Transaction Code is *, and I want to exclude the transaction sa38.

Is it enough to set the values like this: Fields 'From' 0* and 'To' sa37 AND 'From' sa39 and 'To' Z*?

Best regards,

Dragan

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

5 Answers

  • Best Answer
    avatar image
    Former Member
    May 29, 2008 at 12:18 PM

    Technically, yes.

    Erm, oops, no. There are also transactions which start with a slash. So it should be /*-SA37

    Edited by: Jurjen Heeck on May 29, 2008 2:18 PM

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    May 29, 2008 at 12:49 PM

    But there are a lot of other administration transaction a normal SAP user don't need. I don't know what you want to do, but you can create roles based on the sap-menu, you can prepare a list of transactions a group of users needs and put this list into a role, you can start from standard SAP-roles, Some composite roles are available, take one of these as a basis and adapt these to your situation. With excluding only a few transactions, you're not sure that people make serious 'mistakes'. There are about 75000 transactions in SAP and probably a few thousands are within the area of the database, systemsettings, programming, datadictionary,...All these transactions are not supposed to be executed by e.g. a financial accountant.

    If you want to make a few 'large' roles, try to start from the sap-menu and choose some big blocks and deactivate the things you don't need. E.g. if you don't have fixed assets, users don't need acces to transactions related to fix assets.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    May 29, 2008 at 12:28 PM

    I think excluding SA38 isn't enough. When users have acces to all transactions except SA38, they still can start a program via transaction SE38, also via SE80 and I'm sure there are some other transactions available. Users can even delete entries in your database. If that's the only restriction, there is no security, the whole system is open for changes by any user.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    May 29, 2008 at 12:34 PM

    Actually, I want to exclude se38, also. Do you have suggestion?

    Best regards,

    Dragan

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    May 29, 2008 at 01:42 PM

    Both answers, from Mr. Heeck and from Mr. Sprangers were useful.

    Add comment
    10|10000 characters needed characters exceeded