Skip to Content
avatar image
Former Member

SAP Role SPROVIEW

Hi,

We have here in SAP SPROVIEW Role is created with some limited TCode access.

Now Users are asking for Full TCodes in SPROVIEW Role.

Keeping * to S_TCODE Object will be Risky ?

Please suggest.

Regards,

swapz

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    Jul 05, 2017 at 11:42 AM

    Hi Swapz

    Yes S_TCODE asterisk is risky as not all transactions codes will necessary have secondary authorisation checks. Check out table TSTC to see how many transactions are in your system and you'll realise the user doesn't need them all. The other risk is cross inheritance of roles - users might have the underlying authorisations in other roles but no the S_TCODE value.

    Generally, you want to protect the entry points to want to always restrict the following objects as they can allow users to execute functionality S_TCODE, S_RFC, S_SERVICE, S_DEVELOP, S_ICF.

    Regards

    Colleen

    Add comment
    10|10000 characters needed characters exceeded