
Objects S_TABU_DIS and S_TABU_CLI

Former Member
0 Kudos

Hello Basis,

If a user will use a Z transaction to call tables from SM30 TCODE but he doesn't have access to the SM30 TCODE

should he have the authorization S_TABU_DIS and S_TABU_CLI with * ?

Another question: in what environments should the users have full access to the objects above?

Best Regards,

Fábio Karnik Tchobnian

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos

> If a user will use a Z transaction to call tables from SM30 TCODE but he doesn't have access to the SM30 TCODE

> should he have the authorization S_TABU_DIS and S_TABU_CLI with * ?

What do you mean by "call tables"? And how do you intend to start SM30 without the proper authorizations (unless this is done through called transactions and configured in SE97)?

> Another question: in what environments should the users have full access to the objects above?

End users never. Actually, full access should be given on sandbox systems only. Giving these objects with full access is about as good/bad as completely opening up your system.

6 REPLIES 6

0 Kudos

Hi,

> > If a user will use a Z transaction to call tables from SM30 TCODE but he doesn't have access to the SM30 TCODE

> > should he have the authorization S_TABU_DIS and S_TABU_CLI with * ?

> What do you mean by "call tables"? And how do you intend to start SM30 without the proper authorizations (unless this is done through called transactions and configured in SE97)?

You can "call SM30" from an ABAP program using function module VIEW_MAINTENANCE_CALL. So in this case the authorization for transaction SM30 is not performed but other authorization checks are.

Cheers

0 Kudos

> ... function module VIEW_MAINTENANCE_CALL. So in this case the authorization for transaction SM30 is not performed but other authorization checks are.

This is also correct, otherwise you could not restrict at the Z-transaction level.

There are also many reports, in addition to function modules... and you will have a tough time restricting an intent user from submitting a report.

Cheers,

Julius

0 Kudos

Hello,

Let me clarify my doubt

I have two objects

S_TABU_DIS - Table Maintenance (via standard tools such as SM30)

S_TABU_CLI - Cross-Client Table Maintenance

1- The functional team told me that there are some Z transactions that need to be modified in the PRD environment daily and this cannot be done by request because it will take a long time to transport.

2- My basis manager said that both objects must not be granted, just access of view; if the functional team needs to modify a table in the PRD environment, then open just that table in the PRD environment and your problem will be solved.

So, I ask you, Basis, what do you think about considerations 1 and 2?

Best Regards,

Fábio Karnik Tchobnian

0 Kudos

> So, I ask you, Basis, what do you think about considerations 1 and 2?

Both are not good options.

What you are looking for is the correct table delivery class classification and a current settings flag for the views - to determine whether or not the table should be transported to keep the development and test systems "in sync" (like company code settings) or whether the table should be able to be maintained even though the client is closed for changes (like posting periods are).

You can change these two in SE13 and SOBJ.

If your developers and basis don't know this and / or don't want to do it correctly, then the auditors will eventually get them or they will create a mess of the system - whichever comes first.

Cheers,

Julius

Former Member
0 Kudos

The main advantage of a Z-transaction is that you know the entry point so you can easily maintain the values in SU24 and only need to do it once -> those who gave *'s have no excuse anymore.

The main disadvantage is that users will constantly be able to break out of their transaction contexts and then they will hose your whole authorization concept.

Use a view or create one for all tables to be displayed or maintained and assign an auth group to them.

Maintain the corresponding values of the chosen groups in the authorizations.

If developers don't assign appropriate groups to the tables, don't give the users access (in your QAS system already...).

It is much easier said than done... but if you install some discipline then it is not much effort for them.

Cheers,

Julius
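
As an added example (not code from any poster in this thread), the check below audits exported role data for the wildcard grants the replies warn about: S_TABU_DIS with `*` in the authorization group, and S_TABU_CLI cross-client maintenance. It assumes a CSV export with the columns of role table AGR_1251; the role names, authorization names and rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of role table AGR_1251
# (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH); role names are made up.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_FI_CLERK,S_TABU_DIS,T-D100,ACTVT,02,
Z_FI_CLERK,S_TABU_DIS,T-D100,ACTVT,03,
Z_FI_CLERK,S_TABU_DIS,T-D100,DICBERCLS,ZFI1,
Z_SUPPORT,S_TABU_DIS,T-D200,ACTVT,03,
Z_SUPPORT,S_TABU_DIS,T-D200,DICBERCLS,*,
Z_KEYUSER,S_TABU_DIS,T-D300,ACTVT,01,03
Z_KEYUSER,S_TABU_DIS,T-D300,DICBERCLS,*,
Z_KEYUSER,S_TABU_CLI,T-D301,CLIIDMAINT,X,
"""

def covers(low, high, wanted):
    """True if a LOW/HIGH value pair from the role covers `wanted`."""
    if low == "*":
        return True
    if high:
        return low <= wanted <= high
    return low == wanted

def audit_table_auths(export_text):
    """Return sorted (role, finding) pairs for over-broad table maintenance."""
    # Fields only combine inside one authorization instance (role + AUTH).
    auths = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["AGR_NAME"], row["OBJECT"], row["AUTH"])
        auths[key][row["FIELD"]].append((row["LOW"], row["HIGH"]))
    findings = set()
    for (role, obj, _auth), fields in auths.items():
        if obj == "S_TABU_DIS":
            all_groups = any(low == "*" for low, _ in fields["DICBERCLS"])
            change = any(covers(l, h, "02") for l, h in fields["ACTVT"])
            if all_groups and change:
                findings.add((role, "S_TABU_DIS change for all auth groups"))
            elif all_groups:
                findings.add((role, "S_TABU_DIS all auth groups (no change activity)"))
        elif obj == "S_TABU_CLI":
            if any(covers(l, h, "X") for l, h in fields["CLIIDMAINT"]):
                findings.add((role, "S_TABU_CLI cross-client maintenance"))
    return sorted(findings)

if __name__ == "__main__":
    for role, finding in audit_table_auths(SAMPLE_EXPORT):
        print(f"{role}: {finding}")
```

A role that names a specific authorization group, such as the constructed Z_FI_CLERK, produces no finding, which is the outcome the advice about assigning groups to views is aiming for.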