06-12-2009 6:31 AM
Hi All,
Please tell me how I can restrict a user who has access to SM04 from deleting or killing a session.
Any pointer will be highly appreciated.
Rgds,
Premraj
06-12-2009 7:32 AM
> Please tell me how I can restrict a user who has access to SM04 from deleting or killing a session.
>
> Any pointer will be highly appreciated.
First pointer is that SAP security is about allowing stuff, not restricting.
To find out where and how the user is allowed too much I'd advise to look in transaction SU24 for the authorization proposals for SM04. With this information you can go to SUIM and find roles which grant this access.
Then you have to see which of these roles are assigned to your user and try to take them away without disturbing too many processes... Alternatively you can try to amend the roles assigned to the user in such a manner that SM04 will not be in them anymore. Once again, think about consequences for other users as well.
06-12-2009 7:37 AM
Hi heeck,
I agree with you, but my requirement is that I have to give access to SM04 to all users, and now I want to restrict them from killing the sessions. I have seen SU24 and also found the list of roles by SUIM having access to SM04. Now can you please tell me how I should proceed further, as I am a bit new in security.
Rgds,
Premraj
06-12-2009 7:50 AM
Ah, I see. It's about allowing them to see the sessions without being able to kill them. I'll have a look but do invite some of the others to chip in. I'm not at work today.
06-12-2009 8:16 AM
I cannot remember the exact value of the check, but there is one there for killing sessions. You will find it in a trace or even SU53.
The object to use is S_ADMI_FCD. I think the value is "PADM" - Process Administration.
Cheers,
Julius
06-12-2009 8:43 AM
Hi,
Thanks a lot.
Could you let me know the exact value and also the procedure for how I should proceed?
Rgds.
Premraj
06-12-2009 8:50 AM
You will find the exact value in your system.
Remove all S_ADMI_FCD authority and run an SU53 after the check fails, or, activate an authorization trace in ST01 and in SM04 delete a session and then read the trace file.
Very easy.
Julius
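As an added example (not part of any post in this thread, and not SAP code): an offline check over a CSV export of the role authorization table AGR_1251 that lists the roles whose S_ADMI_FCD values would include the value suggested above. The value "PADM" is the poster's recollection and should be replaced by whatever SU53 or the ST01 trace reports; the role names and rows are constructed, and the CSV column layout and the simplified range comparison are assumptions.

```python
import csv
import io

# Constructed sample rows using AGR_1251 column names (assumed CSV export layout).
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_BASIS_ADMIN,S_ADMI_FCD,S_ADMI_FCD,*,
Z_MONITOR_DISPLAY,S_ADMI_FCD,S_ADMI_FCD,ST0R,
Z_OPS_RANGE,S_ADMI_FCD,S_ADMI_FCD,NADM,PADN
Z_OPS_PATTERN,S_ADMI_FCD,S_ADMI_FCD,PA*,
Z_SPOOL_USER,S_ADMI_FCD,S_ADMI_FCD,SP01,
Z_TCODE_ONLY,S_TCODE,TCD,SM04,
"""


def value_covers(low, high, wanted):
    """Return True if one authorization value row (LOW/HIGH) includes `wanted`."""
    low, high = low.strip(), high.strip()
    if high:
        # Interval entry: simplified as a plain string comparison (assumption).
        return low <= wanted <= high
    if low.endswith("*"):
        # Full wildcard "*" or a prefix pattern such as "PA*".
        return wanted.startswith(low[:-1])
    return low == wanted


def roles_granting(export_text, obj="S_ADMI_FCD", wanted="PADM"):
    """List roles whose values for authorization object `obj` include `wanted`."""
    hits = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != obj or row["FIELD"] != obj:
            continue  # other objects (e.g. S_TCODE) only start the transaction
        if value_covers(row["LOW"], row["HIGH"] or "", wanted):
            hits.add(row["AGR_NAME"])
    return sorted(hits)


if __name__ == "__main__":
    for role in roles_granting(SAMPLE_EXPORT):
        print("review role:", role)
```

Wildcard, prefix and interval entries are the ones a search for the literal value alone would miss, so they are the roles to review first.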
06-12-2009 8:53 AM
06-12-2009 8:56 AM
Yes, that is a good observation. It would also not be limited to the application server you are currently logged onto, however basic display only.
But therefore a lot of cool information would not be accessible either.
Cheers,
Julius
06-12-2009 9:05 AM
>
> But therefore a lot of cool information would not be accessible either.
There is also that to consider....
06-15-2009 9:03 PM
I see that Premraj has closed the thread.
Perhaps it was ZSM04..
In higher releases, only the ALV is available... NetMeeting is a better option in my opinion (and not subject to interface and security changes).
Cheers,
Julius