- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- Authorization Check
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Authorization Check
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2009 3:06 AM
Hi
I have a user who has authorization to SE06. When this user executes this transaction he can click on Client Setting and view table contents of T000 thru the transaction SCC4. This user does not have access to SCC4 or SE16. However he is still able to access SCC4.
I went to SE97 to identify if SE06 was calling SCC4. I could not find any such entry. I did find one for SE16 but SE16 was set to "Check".
I ran a trace on the user and I see two entries
0 <- S_CTS_ADMI:CTS_ADMFCT=TABL
1 <- S_ADMI_FCD:S_ADMI_FCD=T000
From the above it looks like it is trying to access table T000. I do not understand this part. How can the table access be available without SE16 and SCC4.
Please share your thoughts on this
regards
Ravi
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2009 6:32 AM
Hi,
The T000 entry with S_ADMI_FCD doesn't mean that it is giving all the table access. Check the following website:
http://help.sap.com/saphelp_40b/helpdata/en/17/174b6e5733d1118b3f0060b03ca329/content.htm
Admins need additional authorizations in S_ADMI_FCD to perform certain activities. When you add tcodes such as SCC4 etc., it will get this object added to the authorization screen automatically.
Rgds,
Raghu
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2009 12:38 PM
Please note that user does not have access to SCC4 or SE16 via S_TCODE. Without this how could the user have access to SCC4
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2009 3:24 PM
Ravi,
I have run into such sceanarios ---sometimes the transaction is assigned in ranges ( if you search the forun you must get atleast my questions and innumearble answers to my cry for help !)
so the TCD may not be assigned explicitliy inS_tcode but in ranges ! hope this answers your question
Thx
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2009 10:46 AM
Hello,
As per my knowledge, the autorization object attached to this t-code SE06 gives access to all the Basis Administrative task.I checked the authorization object through SU22.
U N C CM Check ID Object ObjectDescription
. . . Check C_AFKO_ATY CIM: Order category
. . . Check F_BKPF_BUK Accounting Document: Authoriza
. . . Check S_ADMI_FCD System Authorizations
. . . Check/maintain S_C_FUNCT C Calls in ABAP Programs
. . . Check S_DEVELOP ABAP Workbench
. . . Check/maintain S_DOKU_AUT SE61 Documentation Maintenance
. . . Check S_SPO_DEV Spool: Device authorizations
. . . Check S_TABU_CLI Cross-client Table Maintenance
. . . Check S_TABU_DIS Table Maintenance (via standar
. . . Check/maintain S_TCODE Authorization Check for Transa
. . . Check/maintain S_TRANSPRT Transport Organizer
This will give the users the required access to all the T-codes like SCC4, SE16 etc.
Regards,
Geetha
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2009 10:48 AM
> Total Questions: 48 (40 unresolved)
Please follow-up on your unresolved questions and use more meaningfull subject titles in future.
Thanks,
Julius
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-04-2009 12:41 AM
S_TABU_DIS ACTVT=03;DICBERCLS=SS
S_CTS_ADMI CTS_ADMFCT=TABL;
S_ADMI_FCD=T000
Above authorisation is checked when going SE06 to SCC4.
Now if the user have following access
S_TABU_DIS ACTVT=02;DICBERCLS=SS; incombination with above access, they can modify the T000 table.
If users you are refering here do not belong to BASIS than i would remove the S_TABU_DIS with change access in SS auth group.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-06-2009 12:10 PM
Hi
Firstly, there are no ranges. I created this role. It is a test role. I have not put any ranges in S_TCODE.
Next, inspite of having the right value for all the required authorization objects, a transaction cannot be initiated unless we have a entry in S_TCODE OR if this transaction is called using a CALL TRANSACTION STATEMENT then should be a entry in SE97 which defines the calling and the called transaction where the called transaction should be SCC4. I checked out SE97 and I dont find any.
regards
Ravi
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-12-2009 9:04 AM
Hi,
the tip from Gowrinadh is good, but misses one point. Please check SU01->roles tab, if a reference user is assigned to that user. If so, remove that assignement and retest. (SU56 will not show the authoriaztions of such a reference user). Also make sure, which profiles this user has assigned (directly?) in SU01.
b.rgds,
Bernhard
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-09-2009 7:08 PM
Hi,
Check the user buffer in SU56 and see what are all the tcodes he is receiving. Also restrict the object s_cts_admi if you don;t want the user to login to scc4.
Regards,
Gowrinadh
- SAP Managed Tags:
- Security
