Former Member

alternative of PFCG

I have a Display Role for auditors. That role does not have the PFCG transaction, but they are still able to display the roles through the PFCG screen. Can someone suggest how they are able to get display access to PFCG? Is there any alternative T-Code or Auth Object to access PFCG?

4 Answers

  • Best Answer
    Former Member
    Nov 17, 2008 at 07:32 AM

    If the PFCG S_TCODE is nowhere in their role(s), it is possible the Tcode check was bypassed because it was configured as a called transaction.

    I have 2 questions for you:

    1 - Why do you not want them to display role contents via PFCG? If the underlying authorizations are set up correctly they shouldn't be able to do any harm.

    2 - How do they access PFCG? Double-click on a role name in SU01D? In a report output? Once you know that you can look for the called transactions.

  • Former Member
    Nov 17, 2008 at 05:15 AM

    Hi Arvind,

    Have you checked that the txn is not available from the role menu or from S_TCODE? If you see that the txn is not present in the role menu then it might be present under S_TCODE. Please check.

    Not aware of any SAP standard t-code that complements PFCG but custom t-codes can always be created as a variant of PFCG.

    Thanks,

    Saby..

    • Former Member

      I checked at Txn level and Object level but I don't see PFCG in that role, so I am unable to figure out how they are able to access PFCG display.

      Thanks for your help!

  • Former Member
    Nov 17, 2008 at 08:34 AM

    I support the question of Sabyasachi Rudra. It sounds like you have made the same mistake as I did a couple of months ago, when trying to understand which transactions a role had access to.

    I used "Roles by Complex Selection Criteria" (transaction S_BCE_68001425) and entered PFCG in the section "Selection by assigned Transaction in Menu". But this only checks if the transaction is in the menu, not as an object.

    What you want to do is to use the "Selection according to authorization values", enter S_TCODE and PFCG as value. Then you get the correct access.

    /vitofava
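
The difference between the two selections discussed in this thread (transaction in the role menu versus S_TCODE authorization values), as an added example that is not part of the original posts. It assumes role data exported as rows shaped like AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH); the role names and rows are constructed, and the matching is simplified to single values, trailing-`*` patterns and LOW..HIGH ranges.

```python
# Constructed sample rows shaped like an export of AGR_1251
# (AGR_NAME, OBJECT, FIELD, LOW, HIGH). Role names are hypothetical.
AGR_1251 = [
    ("Z_AUDIT_DISPLAY", "S_TCODE", "TCD", "SU01D", ""),
    ("Z_AUDIT_DISPLAY", "S_TCODE", "TCD", "PA00", "PZZZ"),  # range covers PFCG
    ("Z_BASIS_DISPLAY", "S_TCODE", "TCD", "PF*", ""),       # pattern covers PFCG
    ("Z_REPORTING", "S_TCODE", "TCD", "SUIM", ""),
    ("Z_ROLE_ADMIN", "S_TCODE", "TCD", "PFCG", ""),
    ("Z_REPORTING", "S_TABU_DIS", "ACTVT", "03", ""),
]
# Constructed role menu entries (role, transaction); also hypothetical.
ROLE_MENU = [
    ("Z_ROLE_ADMIN", "PFCG"),
    ("Z_AUDIT_DISPLAY", "SU01D"),
    ("Z_REPORTING", "SUIM"),
]


def value_covers(low, high, tcode):
    """True if one authorization value (LOW/HIGH pair) covers tcode."""
    low, high, tcode = low.strip().upper(), high.strip().upper(), tcode.upper()
    if high:                       # range entry, compared as plain strings
        return low <= tcode <= high
    if low.endswith("*"):          # "*" or a prefix pattern such as "PF*"
        return tcode.startswith(low[:-1])
    return low == tcode            # single value


def roles_by_menu(tcode):
    """Roles that list the transaction in their menu."""
    return sorted({role for role, t in ROLE_MENU if t.upper() == tcode.upper()})


def roles_by_auth_value(tcode):
    """Roles whose S_TCODE / TCD values cover the transaction."""
    return sorted({
        role for role, obj, field, low, high in AGR_1251
        if obj == "S_TCODE" and field == "TCD" and value_covers(low, high, tcode)
    })


def missed_by_menu_search(tcode):
    """Roles granting the start authorization that a menu-only search misses."""
    return sorted(set(roles_by_auth_value(tcode)) - set(roles_by_menu(tcode)))


if __name__ == "__main__":
    print("menu search:      ", roles_by_menu("PFCG"))
    print("auth value search:", roles_by_auth_value("PFCG"))
    print("missed by menu:   ", missed_by_menu_search("PFCG"))
```
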

  • Former Member
    Nov 17, 2008 at 08:34 PM

    Note that PFCG itself checks whether you are in fact authorized to start the transaction, after you have already tried to. The only expected exceptions would be documented in SE97.

    >

    > i have Display Role for auditors that role does not have PFCG transaction but still they are able to display the Roles through PFCG screen.

    Either just go to them and ask them how they get this information or activate the audit log dynamically in SM19 and see for yourself.

    My guess is that they have already downloaded your tables and are trying to make sense of them and are auditing you based on that.

    Probably, you would have been better off and had better audit results if you had given them the correct display access to PFCG, SU01D and SUIM.

    My 2 cents,

    Julius

    Edited by: Julius Bussche on Nov 17, 2008 9:35 PM

    • Former Member

      >

      > > You're too generous giving out PFCG.

      > May I ask why you think that?

      >

      > I think that it would be useful for them to see how the role was built and the history (often documented in the descriptions field) and easy navigability.

      >

      > > Give them SE16 with table access to AGR_USERS, AGR_1251, AGR_1252, AGR_AGRS, USR02 and SU01D tcode access. Of course, this is my opinion.

      > But then they won't see the manual profiles, nor the roles with profiles which have not been generated (actually, they will see them...), nor the reference users, ... and will be generating a lot of reports for others to use as well (unless your patch levels are high enough and you have S_TABU_DIS under control).

      >

      > Do you have bad experiences with PFCG and display access, if the user has the correct authorizations?

      > I have only seen the contrary (auditors downloading and trying to interpret tables).

      >

      > Cheers,

      > Julius

      >

      > Edited by: Julius Bussche on Nov 17, 2008 10:19 PM

      Bad experience which I care not to discuss in this forum. Unless they can justify more than SE16, I won't give them PFCG. Again my opinion, I'm just very frugal.

      Regards,

      -John N.