Restrict Specific Programs In SA38 and SE38

Can we give limited access to specific programs in SA38 and SE38? I've done it with tables by creating an authorization group with SE54.

Is there a way to create an authorization group for programs?

Answer:

You cannot limit SE38/SA38 to specific programs. Even if you assign one program group per program, you can still execute all programs not assigned to any program groups. Custom transaction codes are really the way to go, as that is the only way of controlling it efficiently.

Most folks will be thankful for a tcode in a menu or report tree; however, it is hard for some folks to give up their freedom and hard for security to keep pace with them.

An approach I have used is to import the entire SAP menu of an area and remove the nasties and disable all objects other than S_TCODE. Then they can "explore" but are still subject to their real authorizations in their built roles.

As of SAP Note 1012066 (Test environment for reports) you can control SE38 at the program name level and this can be useful for fast reaction until you can transport the tcode and the role(s) for it through. You cannot do this in SA38.

Downsides are:

1) You will need to hand out some granular S_DEVELOP authority on a temporary basis, and there is a risk that other checks are DUMMY ones.

2) It is not 100% watertight as it only protects the online SUBMIT of the program. Variants, background processing and the menus are still there. You must restrict all other activities and object types.

3) Temporary workarounds are more often than not permanent ones and once users "taste" SE38 they tend not to look back again... 

Generally, a well-thought-out and logged emergency user concept is also an option, or you can combine the two if need be.

Notes:

Be aware that if you give your users S_DEVELOP with view access, they do not need SE38 or SA38 to run any program not controlled with an authorization group (add and maintain the auth group with RSCSAUTH). If a user can run a report tied to a tcode and has S_DEVELOP with display, they can perform a System->Status double click on the program and then use the pull-down menu to go to "other object" and select any program they want. As long as the authorization group is not on the program, it can be executed.

The best practice, though tedious unless you automate it, is to put an authorization group on all executable programs (Report type Programs).

Tips:

This trick and many more (F1, ST22, etc.) have been fitted with an SE80 tcode check now. See 1085326 for an example.

The development workbench also has an exit which can be used to trigger an activity 16 check for S_DEVELOP PROG. From 7.01 onwards it is standard.

However, these checks are not extended to the runtime of programs being submitted; they only apply to the workbench.

A parameter transaction for START_REPORT is the best option. 

Plan B could be to copy SA38's module pool and change the PAI module to only start programs which start with a certain namespace and change the value search help as well. There are a few other things to take care of as well, but it works.
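
An added example (not part of the original answer and not SAP code): a Python check over a TRDIR export that lists executable reports without an authorization group and shows what a user with a given S_PROGRAM P_GROUP value can still start. The CSV layout, program names and group names are constructed, and the check model is the simplified one described above (a program without a group gets no S_PROGRAM check).

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample of a TRDIR export (NAME = program, SUBC = program type,
# SECU = authorization group). Program and group names are made up.
TRDIR_EXPORT = """NAME,SUBC,SECU
ZFI_OPEN_ITEMS,1,ZFI
ZFI_PAYMENT_RUN,1,ZFIPAY
ZHR_SALARY_LIST,1,
ZMM_STOCK_REPORT,1,
ZFI_COMMON_TOP,I,
ZBC_USER_DUMP,1,ZBASIS
"""

def load_executables(export_text):
    """Return {program: auth_group} for executable reports (SUBC = '1')."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {r["NAME"].strip(): r["SECU"].strip()
            for r in rows if r["SUBC"].strip() == "1"}

def unprotected(programs):
    """Executable programs with no authorization group: no S_PROGRAM check."""
    return sorted(name for name, secu in programs.items() if not secu)

def startable(programs, p_groups):
    """Programs a user can start, given the P_GROUP values of their S_PROGRAM
    authorizations for SUBMIT ('*' wildcards allowed). Programs without a
    group are always included, which is the gap the answer describes."""
    return sorted(name for name, secu in programs.items()
                  if not secu or any(fnmatchcase(secu, g) for g in p_groups))

def coverage_by_prefix(programs, prefix_len=3):
    """Count (protected, unprotected) executables per name prefix, to plan
    RSCSAUTH maintenance area by area."""
    stats = {}
    for name, secu in programs.items():
        done, todo = stats.get(name[:prefix_len], (0, 0))
        stats[name[:prefix_len]] = (done + 1, todo) if secu else (done, todo + 1)
    return stats

if __name__ == "__main__":
    progs = load_executables(TRDIR_EXPORT)
    print("No authorization group:", unprotected(progs))
    print("User with P_GROUP=ZFI :", startable(progs, ["ZFI"]))
    print("Coverage by prefix    :", coverage_by_prefix(progs))
```

The list returned by unprotected() is the work list for RSCSAUTH; until it is empty, every SA38 user can start those reports regardless of their program groups.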
