Skip to Content
author's profile photo Former Member
Former Member

How to restrict SP01 transaction?

Hi

Is there a way to give authorization to user A to see user B's spool requests in addition to his, and not any one else's?

I have a user who needs to monitor spool request of another specific background communication-data user (which is an RFC account), through SP01.

We know that we should not give him authorization S_ADMI_FCD with value SP0R (Use of SP01, all users). With such authorization there are risks as user would be able to view other sensitive data such as salary information in certain spool requests.

Thanks

Reza

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

3 Answers

  • Posted on Oct 28, 2008 at 11:07 AM

    The authorization for spoolfiles is dependent on the information in the 'authorization' field in the 'spool attributes' shown when you doubleclick on a spoolfile.

    The help text states:

    " Value for authorization check The authorization value is compared against the authorizations of the user who executes operations on this request. If the authorization is not sufficient, the operation cannot be executed. Authorization values are generally set by the program that generated the data in the spool request. If this field contains the initial value, the spool system automatically enters the user name as the authorization value. If this field is empty, no authorization check is executed. "

    This authorization is taken care of by the object S_SPO_ACT as far as I know. A forum search on this object should get you going.

    Jurjen

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Oct 28, 2008 at 10:52 PM

    S_SPO_ACT authorisation object has field DISP which allows users to see others spool request, However you can not restrict user to see one specific user's spool request and not the another one. This field allows to see all users spool content.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Oct 29, 2008 at 06:29 AM

    Thanks Jurgen & Kinjar

    I just came across Note 158487; followed it and it seems to be OK.

    I granted user A authorization for the S_SPO_ACT object. For "Authorization field for spool" field (SPOACTION) values "BASE" and "DISP", and for "Value for authorization check" value "SAP_B" were given. (SAP_B is SAP account for user B).

    S_ADMI_FCD still has SP0R.

    User A was able to see contents of spool request came from SAP_B. He was not able to see other users' spool requests though.

    Cheers

    Reza

    Edited by: Reza Ahoui on Oct 29, 2008 10:32 AM

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.