SAP 101: Adding Transactions to A Role

Hi all,

Sorry I’ve been so MIA lately… things have really been picking up over here and I haven’t had time to post. Needless to say I haven’t had a second to breathe, but I didn’t want you all to feel left out, so here’s a little post on an SAP Security Best Practice to wet your whistle on this fine Monday morning.

My colleague, Rahul Urs, posted this article a while back and I thought I would piggyback on that for a second. When you are adding transactions to a role, ALWAYS add them via the menu path, NEVER add transactions manually via the authorization object S_TCODE.

One of my customers e-mailed me this week… “A bunch of users are able to execute a transaction that they are not authorized for. We wish to limit access to this transaction to a small number of users. Currently, the transaction is not assigned in any roles and yet many users are able to access it… HELP!” The customer had queried roles by transaction assignment in t-code SUIM, which only shows roles assigned directly via the menu path. I queried roles by complex selection criteria in SUIM for the transaction value in auth object S_TCODE, and I came to learn that 10 of their roles had been updated manually with a * value for S_TCODE.

I was able to fix this by manually inserting a new line item for S_TCODE and pasting the results from table AGR_TCODES for the role. I then inactivated the S_TCODE value for *, but it was quite the clean-up effort and less than ideal from a best practices standpoint.

So as a general rule of thumb: when you are adding transactions to a role, ALWAYS add them via the menu path, NEVER add transactions manually via the authorization object S_TCODE.

Happy Monday!

Tracy
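
The check described above can be run offline against table exports. The following is an added example, not code from the original post: it compares each role's menu transactions (AGR_TCODES) with its active S_TCODE values and reports the values the menu does not account for. It assumes CSV exports with the column names shown, and it reads the authorization values from table AGR_1251, which the post does not name; the role names and rows are constructed sample data.

```python
import csv
import io
import re

# Constructed sample exports (not customer data). Column layout is an assumption.
AGR_TCODES_CSV = """AGR_NAME,TCODE
Z_AP_CLERK,FB60
Z_AP_CLERK,FBL1N
Z_BASIS_DISPLAY,SM37
Z_HR_ADMIN,PA20
"""
AGR_1251_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_AP_CLERK,S_TCODE,TCD,FB60,,
Z_AP_CLERK,S_TCODE,TCD,FBL1N,,
Z_BASIS_DISPLAY,S_TCODE,TCD,SM37,,
Z_BASIS_DISPLAY,S_TCODE,TCD,*,,
Z_HR_ADMIN,S_TCODE,TCD,PA20,,
Z_HR_ADMIN,S_TCODE,TCD,PA*,,
Z_HR_ADMIN,S_TCODE,TCD,SE16,,X
Z_AP_CLERK,F_BKPF_BUK,BUKRS,1000,,
"""

def s_tcode_values(auth_csv):
    """Yield (role, low, high) for active S_TCODE/TCD entries."""
    for r in csv.DictReader(io.StringIO(auth_csv)):
        # Assumption: inactivated entries carry DELETED = X in the export.
        if (r["OBJECT"], r["FIELD"]) == ("S_TCODE", "TCD") and r["DELETED"] != "X":
            yield r["AGR_NAME"], r["LOW"], r["HIGH"]

def manual_s_tcode(menu_csv, auth_csv):
    """Return {role: [S_TCODE values that the role menu does not account for]}."""
    menu = {(r["AGR_NAME"], r["TCODE"]) for r in csv.DictReader(io.StringIO(menu_csv))}
    findings = {}
    for role, low, high in s_tcode_values(auth_csv):
        # Wildcards and ranges can never come from a single menu entry.
        if "*" in low or high or (role, low) not in menu:
            findings.setdefault(role, []).append(f"{low}..{high}" if high else low)
    return findings

def roles_granting(tcode, auth_csv):
    """Roles whose active S_TCODE values cover tcode, wildcards and ranges included."""
    hits = set()
    for role, low, high in s_tcode_values(auth_csv):
        pattern = ".*".join(re.escape(part) for part in low.split("*"))
        # Range check is a plain string comparison, a simplification.
        if re.fullmatch(pattern, tcode) or (high and low <= tcode <= high):
            hits.add(role)
    return sorted(hits)
```

`roles_granting` answers the customer's question directly: it lists every role that lets a user start a given transaction, including roles where the transaction appears in no menu.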
