Skip to Content
avatar image
Former Member

Unauthorized access to transaction MSC2N

Gurus,

We have an issue where a user has restricted batches, using MSC2N, even though the user does not have access to the transaction code.

This is on a ECC6 ERP system.

So far I have:

Listed all transactions executable by the user - MSC2N is not there. MSC3N is, though.

Checked AGR_1251 to make sure that S_TCODE = MSC2N is not present in the account.

Checked the STAD file (with CSI-Tool) and the log shows that the user has used the transaction about 5 times in the last month.

Checked all the objects/field values related to MSC2N in SU24 and the account has all of the required ones except for M_MATE_CHP, that is not in the account.

The batch logs shows the user's account and MSC2N as the transaction used to change it.

I have to find the whole so I can make sure that this and other users cannot use it.

I appriciate any insight you may have in this issue.

Thanks

Juan

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Best Answer
    avatar image
    Former Member
    Jul 30, 2009 at 06:43 AM

    Did you compared the users in SUIM with their profile and their acccess/authorizations.

    Try there and check all other excess authorizations that they have.

    Hope this would help you.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Frank Buchholz

      > Yes, S_TCODE is checked during an CALL TRANSACTION call if the corresponding entry in TCDCOUPLES shaows OKFLAG=X

      >

      and

      > Especially, I do not find an entry like "MSC3N calls MSC2N with OKFLAG = SPACE").

      >

      This would indicate that SAP´s authorization trace to populate the SU22 data with SAP data did not pick up a call transaction either for an ´X´ flag to be set for.

      Therefore, I cannot tell you yet, what happens in this system.

      My last guess would be a variant transaction which is using MSC2N to start the program via a different screen. In this case sy-tcode is set to the value of the core transaction when the screen is called - this would appear in the log.

      Check in table TSTCP (I think) in the field PARAMS (I think) for the value MSC2N anywhere.

      Cheers,

      Julius

      • = not logged on and cannot remember exactly.

  • avatar image
    Former Member
    Jul 29, 2009 at 08:43 PM

    Just ask the user... 😊

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      > Actually I think the user is not aware of restricting the batch. As I said, the user does not have access to the tcode and is not familiar with the screen.

      Off the cuff, I am not either. 😊

      A thought: Take a look at the documents, if there are any. Is there a difference between the "Created by" and "Posted by" user ID's?

      My thinking is that they just created the batch data, and someone else (or a job) posted it.

      Cheers,

      Julius

  • avatar image
    Former Member
    Aug 01, 2009 at 06:58 PM

    check all the roles which gives access to the transaction MSC2N and see if any of these are assigned to the user. There might be some role which gives access to this transaction and is asssigned to the user.

    Add comment
    10|10000 characters needed characters exceeded