Sorry I’ve been so MIA lately… things have really been picking up over here and I haven’t had time to post. Needless to say I haven’t had a second to breathe, but I didn’t want you all to feel left out, so here’s a little post on an SAP Security Best Practice to whet your whistle on this fine Monday morning.
My colleague, Rahul Urs, posted this article a while back and I thought I would piggyback on that for a second. When you are adding transactions to a role, ALWAYS add them via the menu path, NEVER add transactions manually via the authorization object S_TCODE.
One of my customers e-mailed me this week… “A bunch of users are able to execute a transaction that they are not authorized for. We wish to limit access to this transaction to a small number of users. Currently, the transaction is not assigned in any roles and yet many users are able to access it… HELP!” The customer had queried roles by transaction assignment in t-code SUIM, which only shows roles assigned directly via the menu path. I queried roles by complex selection criteria in SUIM for the transaction value in auth object S_TCODE, and I came to learn that 10 of their roles had been updated manually with a * value for S_TCODE.
I was able to fix this by manually inserting a new line item for S_TCODE and pasting the results from table AGR_TCODES for the role. I then inactivated the S_TCODE value for *, but it was quite the clean-up effort and less than ideal from a best practices standpoint.
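As an added example (my own illustration, not code from the original post), here is a small Python check over rows shaped like the menu table AGR_TCODES and the role authorization table AGR_1251 (constructed sample data; I assume the column names AGR_NAME, OBJECT, LOW, HIGH and DELETED, and that PFCG only ever generates single S_TCODE values from the menu). It reproduces the gap the customer hit: which roles really grant a transaction through S_TCODE, and which active S_TCODE values could not have come from the menu path.

```python
from fnmatch import fnmatchcase

# Constructed sample rows shaped like AGR_1251 (role authorization values);
# only the columns this check needs are included.
AGR_1251 = [
    {"AGR_NAME": "Z_FI_CLERK", "OBJECT": "S_TCODE", "LOW": "FB01", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_FI_CLERK", "OBJECT": "S_TCODE", "LOW": "FB03", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_MM_BUYER", "OBJECT": "S_TCODE", "LOW": "ME21N", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_MM_BUYER", "OBJECT": "S_TCODE", "LOW": "*", "HIGH": "", "DELETED": ""},  # manual *
    {"AGR_NAME": "Z_HR_ADMIN", "OBJECT": "S_TCODE", "LOW": "PA20", "HIGH": "PA30", "DELETED": ""},  # manual range
    {"AGR_NAME": "Z_HR_ADMIN", "OBJECT": "S_TCODE", "LOW": "SU01", "HIGH": "", "DELETED": "X"},  # inactivated
]
# Constructed sample rows shaped like AGR_TCODES (transactions in the role menu).
AGR_TCODES = [
    {"AGR_NAME": "Z_FI_CLERK", "TCODE": "FB01"}, {"AGR_NAME": "Z_FI_CLERK", "TCODE": "FB03"},
    {"AGR_NAME": "Z_MM_BUYER", "TCODE": "ME21N"},
    {"AGR_NAME": "Z_HR_ADMIN", "TCODE": "PA20"}, {"AGR_NAME": "Z_HR_ADMIN", "TCODE": "PA30"},
]

def active_s_tcode_values(role, rows=AGR_1251):
    """Active (not inactivated) S_TCODE rows of one role as (LOW, HIGH) pairs."""
    return [(r["LOW"], r["HIGH"]) for r in rows
            if r["AGR_NAME"] == role and r["OBJECT"] == "S_TCODE" and r["DELETED"] != "X"]

def value_covers(low, high, tcode):
    """Does one S_TCODE value cover tcode? Ranges compare as character strings;
    '*' and '?' act as wildcards in single values, anything else must match exactly."""
    if high:
        return low <= tcode <= high
    return fnmatchcase(tcode, low)

def roles_granting(tcode, rows=AGR_1251):
    """Every role whose S_TCODE values allow tcode, whether or not it is in the menu.
    This is the 'roles by complex selection criteria' view, not the menu-based one."""
    roles = {r["AGR_NAME"] for r in rows}
    return sorted(role for role in roles
                  if any(value_covers(lo, hi, tcode) for lo, hi in active_s_tcode_values(role, rows)))

def manual_s_tcode_findings(rows=AGR_1251, menu=AGR_TCODES):
    """Per role, the active S_TCODE values that the menu path would not have
    generated: ranges, wildcards, or single values with no matching menu entry."""
    findings = {}
    for role in {r["AGR_NAME"] for r in rows}:
        in_menu = {m["TCODE"] for m in menu if m["AGR_NAME"] == role}
        bad = [f"{lo}..{hi}" if hi else lo for lo, hi in active_s_tcode_values(role, rows)
               if hi or any(c in lo for c in "*?") or lo not in in_menu]
        if bad:
            findings[role] = bad
    return findings

if __name__ == "__main__":
    print(roles_granting("SE16"))        # Z_MM_BUYER only, via the manual * value
    print(manual_s_tcode_findings())     # the rows a clean-up would have to replace
```

On a real system the same two queries are the SUIM "roles by complex selection criteria" report for S_TCODE and a comparison against AGR_TCODES, which is exactly the gap between the two SUIM views described above.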
So as a general rule of thumb: when you are adding transactions to a role, ALWAYS add them via the menu path, NEVER add transactions manually via the authorization object S_TCODE.