
Call Transaction SM30

Former Member
0 Kudos

Hi Everybody,

I have a problem with my authorizations.

I have a single role which includes all SAP standard logistics transactions. With this role, users can access transaction SM30.

I have checked this role in PFCG and the SM30 transaction is not referenced anywhere. I did a search on the whole role and found nothing about the SM30 transaction.

Do you know why even if this transaction is not in the role, users with this role can access it?

How to disable it?

Many thanks for your help.

Best Regards

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi, check (using SUIM) whether this user has the authorization object S_TABU_DIS. In case you find it, disable it. Also make sure this user does not have the SAP_ALL/SAP_NEW profile.

6 REPLIES 6

martin_voros
Active Contributor
0 Kudos

Hi,

You can display a user's authorization buffer in SU56. Look at object S_TCODE to see if there is any record for SM30. Another way is to use one of the reports from SUIM to check if your role has access to SM30. Another possibility is that there is a custom transaction which is just a variant for transaction SM30. In this case it checks for the custom transaction code, not SM30.

Cheers

Former Member
0 Kudos

Hi David,

1. The tcode might not be present in the menu, but added manually in S_TCODE. Search using the tables AGR_TCODE / AGR_1251.

2. You might have specified ranges in S_TCODE, like A* to MM01, so refer to the TSTC table.

3. Indirectly called transactions are not included in the auth check.

4. The tcode is not present in the role you are searching; it might be present in other roles (he might be getting the access from other roles).

5. The tcode might be linked in SU24. Check the table TCDCOUPLES.

6. They might be using a custom tcode, ZSM30 or YSM30.

How to find out custom tcodes, BDC calling specific tcodes?

Search in SE16 -> TSTCP -> To do this, just select the table with TCODE starting with 'Z' and PARAM starting with '/*SM30'.

Useful links:

https://cw.sdn.sap.com/cw/docs/DOC-25427?decorator=print

http://sap.ittoolbox.com/groups/technical-functional/sap-security/users-able-run-tcode-without-acces...

Thanks,

Sri
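
The checks suggested in this reply (S_TCODE values and ranges in AGR_1251, and parameter transactions in TSTCP whose PARAM starts with '/*SM30'), run offline over table exports, as an added example that is not part of the original post. The role names, sample rows and function names are constructed; interval matching uses plain string order and the '/N' prefix handling is an assumption.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample rows (not from a real system), shaped like SE16 exports.
# AGR_1251 columns used here: (role, object, field, low, high)
AGR_1251 = [
    ("Z_LOGISTICS", "S_TCODE", "TCD", "MM01", ""),
    ("Z_LOGISTICS", "S_TCODE", "TCD", "SE*", "SM99"),
    ("Z_LOGISTICS", "S_TCODE", "TCD", "ZVIEW_PLANT", ""),
    ("Z_LOGISTICS", "S_TABU_DIS", "ACTVT", "03", ""),
    ("Z_DISPLAY", "S_TCODE", "TCD", "VA03", ""),
]
# TSTCP columns: (tcode, param)
TSTCP = [
    ("ZVIEW_PLANT", "/*SM30 VIEWNAME=ZV_PLANT;UPDATE=X;"),
    ("ZORDERS", "/*SE16 DATABROWSE-TABLENAME=VBAK;"),
]

def covers(low, high, tcode):
    """True if an S_TCODE single value or interval includes tcode."""
    if not high:
        return fnmatchcase(tcode, low)  # single value, '*' as wildcard
    lo, hi = low.rstrip("*"), high.rstrip("*")
    # Assumption: intervals compared in plain string order;
    # a trailing '*' on the upper bound is treated as a prefix.
    upper_ok = tcode <= hi or (high.endswith("*") and tcode.startswith(hi))
    return lo <= tcode and upper_ok

def wrappers(target, tstcp):
    """Parameter transactions whose PARAM calls target ('/*' or '/N' prefix)."""
    pat = re.compile(r"^/[*N]" + re.escape(target) + r"(\s|$)")
    return {tcode for tcode, param in tstcp if pat.match(param)}

def find_access(target, agr_1251, tstcp):
    """Return (role, low, high, reason) for each S_TCODE entry reaching target."""
    wraps = sorted(wrappers(target, tstcp))
    hits = []
    for role, obj, field, low, high in agr_1251:
        if obj != "S_TCODE" or field != "TCD":
            continue
        if covers(low, high, target):
            hits.append((role, low, high, "direct"))
        hits += [(role, low, high, "via " + w) for w in wraps if covers(low, high, w)]
    return hits

if __name__ == "__main__":
    for hit in find_access("SM30", AGR_1251, TSTCP):
        print(hit)
```

Each hit names the role entry to review in PFCG: a "direct" hit is a value or range that includes SM30 itself, a "via" hit is a custom transaction that starts SM30 with parameters.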


Former Member
0 Kudos

A common cause of this is parameter transactions to views which do not exist (anymore) and then SAP stops in the selection screen of SM30 which was meant to have been skipped.

Another is a "launchpad" such as a report tree, which calls SM30 with parameters and the extension SKIP FIRST SCREEN. If the user then proceeds further and clicks on "Back", the system returns into the selection screen of the calling SM30, and not the original transaction for the report tree.

Check your transaction configuration and how SM30 is called.

Cheers,

Julius

Former Member
0 Kudos

Hello everybody,

Many thanks for all your answers.

I have checked all the recommendations you gave me and the solution was to inactivate the authorization object S_TABU_DIS, like Franklin said.

Unfortunately, inactivating this object caused other problems with viewing tables. So the right solution is to set the parameter at 3 (read) for this authorization and now everything works perfectly.

Many thanks again everybody for your help.

Best Regards

0 Kudos

Unfortunately, inactivating this object caused other problems with viewing tables.

Yes...

So the right solution is to set the parameter at 3 (read) for this authorization and now everything works perfectly.

This is not correct, as there are also "current settings" views and table maintenance generators in the system which will require '02' (change). If you add it back then you have gone 360° with nothing to show for it.

Read '03' for all is also not a "perfect solution" in my books, and the authorities generally think the same way. For example, you can display any data in the system and bypass all application authorizations, org. levels, etc...

Cheers,

Julius