
restriction on sm04

Former Member
0 Kudos

Hi All,

Please tell me how I can restrict a user having access to SM04 from deleting or killing a session.

Any pointer will be highly appreciated.

Rgds,

Premraj

11 REPLIES 11

jurjen_heeck
Active Contributor
0 Kudos

> Please tell me how I can restrict a user having access to SM04 from deleting or killing a session.

>

> Any pointer will be highly appreciated.

First pointer is that SAP security is about allowing stuff, not restricting.

To find out where and how the user is allowed too much I'd advise to look in transaction SU24 for the authorization proposals for SM04. With this information you can go to SUIM and find roles which grant this access.

Then you have to see which of these roles are assigned to your user and try to take them away without disturbing too many processes... Alternatively you can try to amend the roles assigned to the user in such a manner that SM04 will not be in them anymore. Once again, think about consequences for other users as well.

0 Kudos

Hi heeck,

I agree with you, but my requirement is that I have to give access to SM04 to all users, and now I want to restrict them from killing the sessions. I have seen SU24 and also found the list of roles via SUIM having access to SM04. Now can you please tell me how I should proceed further, as I am a bit new to security.

Rgds,

Premraj

0 Kudos

Ah, I see. It's about allowing them to see the sessions without being able to kill them. I'll have a look but do invite some of the others to chip in. I'm not at work today.

0 Kudos

I cannot remember the exact value of the check, but there is one there for killing sessions. You will find it in a trace or even SU53.

The object to use is S_ADMI_FCD. I think the value is "PADM" - Process Administration.

Cheers,

Julius

0 Kudos

Hi,

Thanks a lot.

Could you let me know the exact value and also the procedure for how I should proceed?

Rgds.

Premraj

0 Kudos

You will find the exact value in your system.

Remove all S_ADMI_FCD authority and run an SU53 after the check fails, or, activate an authorization trace in ST01 and in SM04 delete a session and then read the trace file.

Very easy.

Julius

0 Kudos

Thanks.

Former Member
0 Kudos

An alternative may be to give them AL08 instead.

0 Kudos

Yes, that is a good observation. It would also not be limited to the application server you are currently logged onto, however basic display only.

But therefore a lot of cool information would not be accessible either.

Cheers,

Julius

0 Kudos

>

> But therefore a lot of cool information would not be accessible either.

There is also that to consider....

0 Kudos

I see that Premraj has closed the thread.

Perhaps it was ZSM04..

In higher releases, only the ALV is available... NetMeeting is a better option in my opinion (and not subject to interface and security changes).

Cheers,

Julius