Users able to run tcode without access

Question: Hi All,

Some of our users are able to run transaction code AL11 without having access to it. When I search in SUIM for the role which has the AL11 value in S_TCODE and is assigned to the user, it says no role found, but the users are able to run it. How is it possible? I checked in debugging mode; the AUTHORITY-CHECK statement is successful.

Can anybody tell me why this is happening?

Thanks,
Chittaranjan

Answer:
I found that I have maintained values as follows
for the S_TCODE object,
to avoid giving access to AL11:
S_TCODE from A*...............to AL10*
and again from AL12*.............to OB51 .

With this, users are having access to AL11, though it is not coming up in any report of SUIM.

If I change it to the following, then it works fine:

S_TCODE from A...............to AL10*
and again from AL12*.............to OB51 .

So, because of A*, users are having access.

Please give some input on this. I think if I maintain it as A instead of A*, users will lose access to some tcodes in between A-AL10.

Answer:
Do a search in your role for Authorization object using this criteria:

Authorization Object: *Tcode*

We always assume that S_TCODE is the only T_CODE object but unfortunately there are others (P_TCODE, I_TCODE etc...).

Alternately you can also search for Field Name: TCD
That will show you all transaction fields in your role.

Hope this helps

Answer:
I believe that the A* means 'all Tcodes beginning with A' and thus takes the whole range of Tcodes beginning with A.
I've never used the * in a range, preferring to limit by the actual Tcode designation. So I suggest you use A - AL10 and AL12 - OB51 and this should solve your problem.
If it doesn't, consider whether AL11 is called by (or embedded in) another Tcode.
_________________
Best Regards
Bazza

Answer:
Even if we give ranges in roles, SUIM will check ranges also.

Answer:
I don

Answer:
To overcome such problems one SHOULD never use the * value for S_Tcode. This is bad practice. When you need to assign many transactions ONLY assign specific ranges so in this case AA00 to AL10 etc.
Be aware also that EVERY auditor will be alarmed when finding the * value for any S_TCODE TCD field in any role.
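The checks discussed in the answers above, as an added example that is not part of the original thread: a small audit over an exported list of role authorization values that looks at every TCD field (S_TCODE, P_TCODE and so on) and flags wildcard range starts. The CSV layout (AGR_1251-style columns), the role names and the matching model are assumptions; the model is deliberately conservative and follows the behaviour reported in the thread, not SAP's documented check logic.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample export; role names are hypothetical.
SAMPLE = """\
AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_ROLE_BASIS,S_TCODE,TCD,A*,AL10*
Z_ROLE_BASIS,S_TCODE,TCD,AL12*,OB51
Z_ROLE_FIXED,S_TCODE,TCD,A,AL10*
Z_ROLE_FIXED,S_TCODE,TCD,AL12*,OB51
Z_ROLE_HR,P_TCODE,TCD,PA*,
Z_ROLE_ALL,S_TCODE,TCD,*,
"""

def tcd_rows(export_text):
    """Yield every row whose field is TCD, whatever the authorization object."""
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["FIELD"] == "TCD":
            yield row

def covers(low, high, tcode):
    """Conservative guess: could this LOW/HIGH entry grant tcode?"""
    # Assumption from the thread: a wildcard LOW acts as a pattern
    # ('A*' = everything beginning with A), even when HIGH is set.
    if "*" in low and fnmatchcase(tcode, low):
        return True
    if not high:
        return tcode == low
    lo = low.split("*")[0]             # range start without the wildcard
    hi = high.replace("*", "\uffff")   # assumption: wildcard HIGH extends the bound
    return lo <= tcode <= hi

def roles_granting(export_text, tcode):
    """Roles that may grant tcode, in export order, without duplicates."""
    roles = []
    for row in tcd_rows(export_text):
        if covers(row["LOW"], row["HIGH"], tcode) and row["AGR_NAME"] not in roles:
            roles.append(row["AGR_NAME"])
    return roles

def risky_entries(export_text):
    """Entries an auditor would question: full '*' or a wildcard range start."""
    return [(r["AGR_NAME"], r["OBJECT"], r["LOW"], r["HIGH"])
            for r in tcd_rows(export_text)
            if r["LOW"] == "*" or ("*" in r["LOW"] and r["HIGH"])]

if __name__ == "__main__":
    print("May grant AL11:", roles_granting(SAMPLE, "AL11"))
    for entry in risky_entries(SAMPLE):
        print("Review:", entry)
```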
