TMSTCRI - monitor critical security objects

Former Member
0 Kudos

Hi All,

We are trying to monitor critical objects in security roles and ensure these are not transported to production erroneously.

I believe the TMSTCRI table has some such option, but when I make an entry and test it, it does not seem to work. For example, I made an entry R3TR AUTH S_DEVELOP in the table and tried transporting a role with this object, but no warning showed up.

We also set the parameter CHECK_CRIOBJ_AT_IMPORT to W in the transport tool.

Any inputs will be very helpful.

Thanks

Vijaya

3 REPLIES 3

Former Member
0 Kudos

You have misinterpreted what the "object" field is here.

It is referring to a repository object (such as a name of a role, or a program, or a function module, etc. of their respective object types).

If you want to control S_DEVELOP being added to a role, then use S_USER_OBJ and S_USER_VAL.

You cannot control the contents of a role via TMSTCRI, only the name of the role.

Cheers,

Julius

0 Kudos

Hi Julius,

Thanks for the inputs. However, S_USER_VAL documentation says that if users should have access to maintain organizational values the object should have full access. Our security team does need to maintain org values but we want to control accidental addition of critical objects.

For example, we want to restrict inclusion of some authorizations such as DEBUG, S_BTCH_ADM, S_LOG_COM, etc.

Please advise

Thank you

Vijaya

0 Kudos

Yes, for org levels and FROM / TO ranges you need full access for that object and value respectively.

But S_DEVELOP does not have org. levels so you should be fine to restrict the object to only those role administrators who should have anything to do with S_DEVELOP, regardless of the role.

This is a different topic to TMSTCRI though, where you could enter the role name to be blocked - however you cannot control the role names for which S_DEVELOP can be added, only whether or not S_DEVELOP can be added at all by the user.

Probably some good training for the admins will be easier to achieve the control...

Cheers,

Julius
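
As an added example (not part of the thread and not SAP code): since the replies say TMSTCRI matches only the role name, a check on role contents has to read the role's authorization data before the transport is released. The sketch below scans a constructed CSV export whose columns (AGR_NAME, OBJECT, FIELD, LOW, DELETED) are an assumption modelled on table AGR_1251, looking for the objects named in the thread; the role names and values are invented.

```python
import csv
import io
from collections import defaultdict

# Authorization objects named in the thread as ones to keep out of roles.
CRITICAL_OBJECTS = {"S_DEVELOP", "S_BTCH_ADM", "S_LOG_COM"}

# Constructed sample export (assumed AGR_1251-style layout); all roles invented.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,DELETED
Z_FI_CLERK,F_BKPF_BUK,BUKRS,1000,
Z_FI_CLERK,F_BKPF_BUK,ACTVT,03,
Z_BASIS_SUPPORT,S_DEVELOP,OBJTYPE,DEBUG,
Z_BASIS_SUPPORT,S_DEVELOP,ACTVT,02,
Z_BASIS_SUPPORT,S_BTCH_ADM,BTCADMIN,Y,
Z_HR_VIEWER,S_LOG_COM,COMMAND,*,X
Z_HR_VIEWER,S_TCODE,TCD,PA20,
"""


def find_critical(export_text, critical=CRITICAL_OBJECTS):
    """Return {role: {object: [(field, value), ...]}} for critical objects."""
    findings = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_text)):
        obj = row["OBJECT"].strip().upper()
        if obj not in critical:
            continue
        # Assumption: DELETED = X marks an authorization removed from the role,
        # so it no longer grants anything and is not reported.
        if row["DELETED"].strip().upper() == "X":
            continue
        role = row["AGR_NAME"].strip()
        findings[role][obj].append((row["FIELD"].strip(), row["LOW"].strip()))
    return {role: dict(objs) for role, objs in findings.items()}


def gate(export_text):
    """Print one line per finding; return 1 if the transport should be held."""
    findings = find_critical(export_text)
    for role, objs in sorted(findings.items()):
        for obj, values in sorted(objs.items()):
            fields = ", ".join(f"{f}={v}" for f, v in values)
            print(f"HOLD {role}: {obj} ({fields})")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_EXPORT))
```

The non-zero exit code lets the check run as a step before transport release; the list of critical objects should be maintained by the security team.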