Skip to Content

How to achieve SPRO display access without assigning SM30

We removed transaction access to SM30 to all users to avoid audit issues. But now no one can display/change SPRO activities(most of them).

Is there any way to achieve both (not giving the users access to SM30 transaction yet allowing them to use SPRO for display/change purposes)?

Thank you

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • author's profile photo Former Member
    Former Member
    Posted on Feb 23, 2009 at 07:56 PM

    This is caused by the fact that SM30 (and in some cases SM31) are used as the core transactions for the customizing views which call it with parameter values, from the various SPRO parameter transactions.

    There are a few options available to you. The most secure one is to give them access to SM30 with the correct access to use it (objects S_TABU_CLI, S_TABU_DIS, S_TABU_LIN).

    If this is not good enough or implementable for you, then you can list the transactions from SPRO in SE97 and define them as "couples" for SPRO - but you can be fairly certain that the user with the relevant S_TABU* authority will access that which they are authorized for without SM30...

    Perhaps your auditors will accept a strategy to restrict all customizing access to broad display only if an authorization group is maintained, and then concentrate on defining the correct roles with change access properly => result is everyone in customizing can see what's going on, but only authorized roles can make changes where they are allowed.

    It helps to have a concept for the S_TABU_DIS change access which is (client independently) matched to S_PROGRAM (no "display" activity is possible...)

    May I venture a guess that your next question will be how to restrict the user to SPRO tcodes only and how to create the SPRO display all role? 😉

    This has been discussed here a number of times already (see the FAQ sticky thread at the top), but there is no golden rule - only some better and some worse designed solutions.

    Cheers,

    Julius

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Feb 25, 2009 at 05:56 PM

    Even though we did not get it solved, I think we got a direction. Looks like it is a lot of work.

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.