
Re: [sap-security] Z tcode Authorization


Posted by SelvaPrasath(SAP Security & authorization)
on 05/29/2009 02:43:00 PM

I agree with armagost, the user will get authorization from S_TCODE.
You can find out the exact role where the authorization comes from through tcode
SUIM.
In tcode SUIM, go to roles by complex criteria; there you enter the user id,
and in the object enter S_Tcode and in the field value enter the tcode.
After executing, you can find the exact role where the authorization comes from.
Regards,
selva
On Fri, May 29, 2009 at 9:14 PM, James Armagost via sap-security <
sap-security@groups.ittoolbox.com> wrote:
>
>
> Hmm...so many thoughts and directions...
> Where to begin? Well, my first thought is that one of a few things (or even
> more) is happening.
> 1. Search ALL roles with S_Tcode and the t-code in it to see if there is a
> role with the t-code entered in the background rather than at the menu
> level. This is the only way to see a t-code that is not part of the menu.
> Follow that through to determine if the user has access to a hidden t-code
> by accident.
> 2. You may have a * (star) OR a Z* within your S_TCode and this would grant
> access to ALL t-codes if there is a * or only Z t-codes with a Z*.
> 3. Check the user 'profile' tab. Ensure that SAP_ALL or another profile
> that may contain the Z T-code are not available to the user. Run a user
> compare once all of the above are complete and verify that the user cannot
> get to it.
> If the above does not work or you find that they still have access, create
> a new temp user for testing. Create that user with NO roles and then log in
> and see if that new user has access. If they do, you have something
> drastically incorrect.
> If they do NOT have access (which they will not), insert one role at a time
> to the user and test. If you add a role, do a user compare and test. If no
> access, remove role and add the next role and so on until you find the
> problem.
> This will be time consuming and is a PITA (pain in the @$$).
> If someone has a better way to troubleshoot this, I am ALL ears as I have
> run into this in the past and spent two full days finding the issue. Turned
> out to be a Z* was put into the S_TCODE object by a previous security admin.
> Their work was not very good at best!
> Good luck!

Copyright © 2009 CEB Toolbox, Inc. and message author.
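
The role search both posts describe can also be run offline against an export of the role tables. The following is an added example, not part of the original posts: it assumes tables AGR_1251 (role authorization values) and AGR_USERS (user-to-role assignments) were exported to CSV, the sample rows are constructed, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample rows in the column layout of AGR_1251 and AGR_USERS.
AGR_1251 = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_FI_CLERK,S_TCODE,TCD,FB03,,
Z_FI_CLERK,S_TCODE,TCD,ZFI_REPORT,,
Z_LEGACY_ADMIN,S_TCODE,TCD,Z*,,
Z_BASIS_DISPLAY,S_TCODE,TCD,SM00,SM99,
Z_OLD_ROLE,S_TCODE,TCD,*,,X
Z_FI_CLERK,F_BKPF_BUK,BUKRS,1000,,
"""
AGR_USERS = """AGR_NAME,UNAME
Z_FI_CLERK,JDOE
Z_LEGACY_ADMIN,JDOE
Z_BASIS_DISPLAY,ASMITH
"""

def value_grants(low, high, tcode):
    """True if one S_TCODE value (single, trailing-* pattern, or range) covers tcode."""
    low, high, tcode = low.strip().upper(), high.strip().upper(), tcode.upper()
    if high:                      # LOW..HIGH range; simplification: plain string compare
        return low <= tcode <= high
    if low.endswith("*"):         # "*" matches everything, "Z*" every Z t-code
        return tcode.startswith(low[:-1])
    return low == tcode

def roles_granting(tcode, user=None):
    """Return {role: [matching S_TCODE values]}, optionally limited to one user's roles."""
    assigned = None
    if user:
        assigned = {r["AGR_NAME"] for r in csv.DictReader(io.StringIO(AGR_USERS))
                    if r["UNAME"] == user.upper()}
    hits = {}
    for r in csv.DictReader(io.StringIO(AGR_1251)):
        if r["OBJECT"] != "S_TCODE" or r["FIELD"] != "TCD" or r["DELETED"] == "X":
            continue              # other objects and deleted authorizations do not count
        if assigned is not None and r["AGR_NAME"] not in assigned:
            continue
        if value_grants(r["LOW"], r["HIGH"], tcode):
            shown = r["LOW"] + ("-" + r["HIGH"] if r["HIGH"] else "")
            hits.setdefault(r["AGR_NAME"], []).append(shown)
    return hits

if __name__ == "__main__":
    for role, values in roles_granting("ZHR_PAY", user="JDOE").items():
        print(role, values)       # shows which role and which value opens the t-code
```

Profiles assigned directly on the user's profile tab, such as SAP_ALL, are not part of this role data and still need the separate check described in the quoted post.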
