06-17-2014 1:17 PM
Hello Experts,
I have the following problem:
I would like to use the authority object S_DEVELOP to authorize users to execute some reports, but every user has to be able to display all reports (with transaction SE38).
So I put 2 different forms of S_DEVELOP into one user role.
First form:
ACTVT: 16
DEVCLASS: *
OBJNAME: *
OBJTYPE: PROG
P_GROUP: FI*
Second form:
ACTVT: 03
DEVCLASS: *
OBJNAME: *
OBJTYPE: PROG
P_GROUP: *
The problem is that both forms complement each other, so every user can display AND execute all reports.
Is there somehow a possibility to implement my requirements from above with the authority object S_DEVELOP, or is this a bug and is there an SAP Note for it?
Thank you for your Help!
Best regards
Enrico
06-17-2014 4:07 PM
Hi Enrico,
The authorizations are not actually complementing each other in the way you think they do. When executing a program through SE38, SAP will perform the following checks:
1) S_DEVELOP with ACTVT 16, OBJTYPE PROG and OBJNAME = the name of the program you are trying to execute. The check with ACTVT 16 will not check for the program group.
2) S_DEVELOP with ACTVT 03 and all other fields according to the selected program, including the program group (if any)
3) In case there's a program group, S_PROGRAM will also be checked.
The "additional" check for ACTVT 16 is documented in note "1012066 - Security note: Authorization check when executing reports"
While it is perfectly possible to allow users to display all programs and only execute specific programs through SE38 by using the OBJNAME field with ACTVT 16, this is not recommended. Like Colleen said, it's best practice to create a tcode for every program you want to call on a production environment.
Kind regards,
Brent
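To make the check sequence in the reply above concrete, here is an added example (not from the thread and not SAP code) that models the three checks as described: an ACTVT 16 check on S_DEVELOP that compares only OBJTYPE and OBJNAME, an ACTVT 03 check that compares all fields including P_GROUP, and an S_PROGRAM check when a program group is assigned. Run against the role exactly as Enrico posted it, every program becomes executable because the P_GROUP restriction on the ACTVT 16 form is never compared; run against a variant that narrows OBJNAME on the ACTVT 16 form instead, display of every program still works while execution is limited. The program names, development classes and program groups are constructed sample data, the field list of the ACTVT 16 check follows the reply (whether DEVCLASS is part of it is not stated on the page), and value matching covers only the full wildcard and a trailing-asterisk prefix; the real kernel also evaluates value ranges and other objects such as S_TCODE for SE38 itself.

```python
"""Simplified model of the SE38 execute/display checks described in the thread.

Assumptions (not confirmed by the page): S_DEVELOP field values are matched
as '*' (anything), 'XY*' (prefix) or an exact value; value ranges are not
modelled, and the ACTVT 16 check uses only ACTVT, OBJTYPE and OBJNAME.
"""

# Constructed sample programs (not real SAP reports): name -> attributes.
PROGRAMS = {
    "ZFI_BALANCE": {"DEVCLASS": "ZFI", "P_GROUP": "FI01"},
    "ZMM_STOCK":   {"DEVCLASS": "ZMM", "P_GROUP": "MM01"},
    "ZMM_NOGROUP": {"DEVCLASS": "ZMM", "P_GROUP": ""},   # no program group assigned
}


def value_matches(pattern: str, value: str) -> bool:
    """'*' matches anything, a trailing '*' is a prefix match, otherwise exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(user_auths: dict, obj: str, **checked: str) -> bool:
    """True if at least one authorization instance for `obj` matches every checked field.

    Fields that are not passed are not compared at all; this is what makes the
    ACTVT 16 check indifferent to P_GROUP.
    """
    for auth in user_auths.get(obj, []):
        if all(value_matches(auth[field], value) for field, value in checked.items()):
            return True
    return False


def can_display(user_auths: dict, prog: str) -> bool:
    """Check 2 from the reply: S_DEVELOP ACTVT 03 with all fields of the program."""
    attrs = PROGRAMS[prog]
    return authority_check(
        user_auths, "S_DEVELOP",
        ACTVT="03", DEVCLASS=attrs["DEVCLASS"], OBJTYPE="PROG",
        OBJNAME=prog, P_GROUP=attrs["P_GROUP"],
    )


def can_execute(user_auths: dict, prog: str) -> bool:
    """Checks 1-3 from the reply, in order; all must pass."""
    attrs = PROGRAMS[prog]
    # 1) ACTVT 16: program name and type only. P_GROUP is deliberately absent here.
    if not authority_check(user_auths, "S_DEVELOP", ACTVT="16", OBJTYPE="PROG", OBJNAME=prog):
        return False
    # 2) ACTVT 03 with all fields, including the program group.
    if not can_display(user_auths, prog):
        return False
    # 3) S_PROGRAM is only consulted when the program has a group assigned.
    if attrs["P_GROUP"] and not authority_check(
        user_auths, "S_PROGRAM", P_ACTION="SUBMIT", P_GROUP=attrs["P_GROUP"]
    ):
        return False
    return True


# S_PROGRAM kept fully open so that only S_DEVELOP decides the outcome.
S_PROGRAM_ALL = {"P_ACTION": "*", "P_GROUP": "*"}

# The role exactly as posted: P_GROUP restricted on the ACTVT 16 form.
ROLE_AS_POSTED = {
    "S_DEVELOP": [
        {"ACTVT": "16", "DEVCLASS": "*", "OBJTYPE": "PROG", "OBJNAME": "*", "P_GROUP": "FI*"},
        {"ACTVT": "03", "DEVCLASS": "*", "OBJTYPE": "PROG", "OBJNAME": "*", "P_GROUP": "*"},
    ],
    "S_PROGRAM": [S_PROGRAM_ALL],
}

# The variant the reply calls possible but not recommended: restrict OBJNAME
# on the ACTVT 16 form (here to the constructed ZFI* naming convention).
ROLE_RESTRICTED_BY_OBJNAME = {
    "S_DEVELOP": [
        {"ACTVT": "16", "DEVCLASS": "*", "OBJTYPE": "PROG", "OBJNAME": "ZFI*", "P_GROUP": "*"},
        {"ACTVT": "03", "DEVCLASS": "*", "OBJTYPE": "PROG", "OBJNAME": "*", "P_GROUP": "*"},
    ],
    "S_PROGRAM": [S_PROGRAM_ALL],
}


def evaluate(user_auths: dict) -> dict:
    """Return {program: (display, execute)} for every sample program."""
    return {p: (can_display(user_auths, p), can_execute(user_auths, p)) for p in PROGRAMS}


if __name__ == "__main__":
    for label, role in (("as posted", ROLE_AS_POSTED), ("OBJNAME restricted", ROLE_RESTRICTED_BY_OBJNAME)):
        print(f"Role {label}:")
        for prog, (disp, exe) in evaluate(role).items():
            print(f"  {prog:12} display={disp!s:5} execute={exe!s:5}")
```

The first role lets every sample program run because check 1 never looks at P_GROUP and check 2 is satisfied by the wide ACTVT 03 form; the second role keeps display open for all programs and fails check 1 for anything outside the ZFI* name range, which is the behaviour Enrico asked for, achieved through OBJNAME rather than P_GROUP.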
06-17-2014 1:23 PM
Revoke SE38 and build custom transactions codes for the necessary reports.
06-17-2014 3:23 PM
This note might be helpful: 338177 - Authorization check when executing programs