Solved: I'd like to deny someone to execute the tcode:su01...

Former Member · ‎12-15-2008

I'd like to deny someone to execute the tcode:su01,pfcg,se38..., how can i do it ?

Thanks very much!

<removed_by_moderator>

Thanks

Edited by: Julius Bussche on Dec 15, 2008 9:02 AM

Former Member · ‎12-15-2008

Hi Jean,

Please provide further clarification on your requirement. Denial to execute a particular transaction can be done by simply not assigning/revoking the transaction from the role.

However if you want to further refine the authorizations wherein the user is authorized for administrating only a particular user group or roles based on strict naming conventions you can do it via objects:

Authorizations: Role Check S_USER_AGR

User Master Maintenance: Authorizations S_USER_AUT

User Master Maintenance: User Groups S_USER_GRP

User Master Maintenance: Authorization Profile S_USER_PRO

Authorizations: Field Values in Roles S_USER_VAL

Authorizations: Transactions in Roles S_USER_TCD

Former Member · ‎12-15-2008

Hi Jean,

Please provide further clarification on your requirement. Denial to execute a particular transaction can be done by simply not assigning/revoking the transaction from the role.

However if you want to further refine the authorizations wherein the user is authorized for administrating only a particular user group or roles based on strict naming conventions you can do it via objects:

Authorizations: Role Check S_USER_AGR

User Master Maintenance: Authorizations S_USER_AUT

User Master Maintenance: User Groups S_USER_GRP

User Master Maintenance: Authorization Profile S_USER_PRO

Authorizations: Field Values in Roles S_USER_VAL

Authorizations: Transactions in Roles S_USER_TCD

Former Member · ‎12-15-2008

I don't know if SAP has one TCODE which it can deny someone to execute the special TCODE.

I think If sap has this TCODE, then i can input the "su01,pfcg,se38.." into the TCODE program for the user1, then the "user1" can't open the "su01, pfcg, se38" program.

Does it have this TCODE program?

What's the TCODE?

Anyother way:

I'm one administrator in the SAP system, and i have the "sap_all" profile.

Now i'd like give most of the privilege to the "user1" except the "su01,pfcg, se38", i'm not care for the menu of "user1".

How can i create the "user1" it faster? Which Tcode do i need to use?

Could you teach me step by step?

Thanks very much!

<removed_by_moderator>

Edited by: Julius Bussche on Dec 15, 2008 9:03 AM

Former Member · ‎12-15-2008

Hi,

So your requirmeent is that you want the user to be have authorization for SAP_ALL but without access to PFCG, SU01, SE38 etc..right?

First and foremost rather than assigning a profile to the user directly create a role based on SAP_ALL.

You can do it in PFCG, In authorizations change mode, Edit->Add authorizations via profile.

Then you can deactivate the objects mentioned in my earlier post which would revoke his authorizations for PFCG and SU01.

For SE38

S_DEVELOP and S_PROGRAM are the objects which control the authorizations, you may either chose to fully devactivate S_DEVELOP, but S_PROGRAM has to altered suitably to suit your requirments because it may affect much more authorizations for other transactions as well.

Former Member · ‎12-15-2008

Hi,

There is no such TCODE which can deny someone to execute the special TCODE.

Create a role with SAP_ALL profile and under the object S_TCODE, remove the transactions that you dont want the user to execute.

create user through SU01.

Regards,

Former Member · ‎12-15-2008

I don't know how to "Create a role with SAP_ALL profile and under the object S_TCODE, remove the transactions that you dont want the user to execute".

for the basis, i'm a beginner.

Could you teach me step by step.

Thanks very much!

Former Member · ‎12-15-2008

>I don't know how to "Create a role with SAP_ALL profile and under the object S_TCODE, remove the transactions that you dont want the user to execute".

You cannot remove transactions from S_TCODE. you have to decativate and enter the tcodes in ranges/intervals and exclude the tcodes that you do not want to assign in the process.

If you are sure that it is only SU01, PFCG and SE38 that you want to exclue thanyou can follow the role creation procedure mentioned in my earlier post.

Former Member · ‎12-15-2008

i'm a beginner , i can't find "Add authorizations via profile" out.

How can i find it out? where is it?

Help me!

Thanks very much!

jurjen_heeck · ‎12-15-2008

> Could you teach me step by step.

Step one: SAP security is about allowing things, not denying. So your quest is to build roles for the thnigs your users should be able to do. The fact that they can do too much at the moment suggests they have the profile SAP_ALL. As long as that is the case there is no way to deny specific access.

SAP course ADM940 will teach you the basics in three days. Trying to find out yourself may take months........

Former Member · ‎12-15-2008

1) Create a role by giving a role name and description in PFCG

2) Click on authorizations tab and change button

3) Goto menu Edit-> Add authorizations -> From profile and add the profile SAP_ALL

4) do the necessary changes and save and generate the profile

5) add the role to the user in SU01

---> Sorry I have no intentions to mess up the forum. Te above is simple to the point answer to your question. As suggested by Jurgen the securit admin should not be practised without proper training. I only hope you are not working on the production system. Else, God save the company!!!!

Edited by: Subramaniam Iyer on Dec 15, 2008 8:56 AM

Former Member · ‎12-15-2008

I've finished it very good.

Thanks very much!

But i still not know what is the "

Authorizations: Role Check S_USER_AGR

User Master Maintenance: Authorizations S_USER_AUT

User Master Maintenance: User Groups S_USER_GRP

User Master Maintenance: Authorization Profile S_USER_PRO

Authorizations: Field Values in Roles S_USER_VAL

Authorizations: Transactions in Roles S_USER_TCD

S_DEVELOP and S_PROGRAM

S_TCODE".

what is the "S_USER_AGR"? what does the "S_USER_AGR" include? include object?

Former Member · ‎12-15-2008

> what is the "S_USER_AGR"? what does the "S_USER_AGR" include? include object?

I can confirm what the others have said as well => you need to get yourself some training on the basics first, before you make a mess of the system.

Please also read the forum rules before posting further.

Cheers,

Julius

Former Member · ‎12-15-2008

I'm very sorry for that.

Former Member · ‎12-15-2008

Just now i'm doing the BASIS.

I found that i don't know anything above about what you said.

OH MY GOD.

Former Member · ‎12-15-2008

I hope you can teach me to finish it step by step.

Thanks very much!

<removed_by_moderator>

Edited by: Julius Bussche on Dec 15, 2008 9:06 AM

jurjen_heeck · ‎12-15-2008

> I found that i don't know anything above about what you said.

In that case I think you should get someone in who does. And get training. You'll need quite a bit of basis knowledge about the SAP security system before you can start pushing buttons in the first two transactions you'd like to deny others....... As I said, the course takes three days (24 hours).

Former Member · ‎12-15-2008

I need think about the course .

but now i need to create one role, i need to deny someone to use the transaction in the "tools".

Thanks.

jurjen_heeck · ‎12-15-2008

As I tried to put nicely in my previous posts, this forum is no substitute for training (in my opinion).

Some others may have a different look on this and will happily provide with a step by step guide to mess up your systems' security and give you a fake sense of security at the same time.

If you do a search in this forum on tweaking the SAP_ALL profile or a copy of it, you'll find that all solutions provided are followed by a warning about thieir limited usability.

I'll leave the spoonfeeding to others. It will not give you what you actually need.