Background

Access to the transactions SM30 and SE16 is often regarded as a security risk on productive system. But with the right use of the authorization object S_TABU_DIS and the rarely used S_TABU_LIN, this isnt so. With S_TABU_DIS you have the option to control access to groups of tables, and you have the option to distinguish between Update and Display access. If you do not want to give access to an entire table group, its quite easy in transaction SE54 to create a new authorization group and to reassign one or more tables/view to this group, thus achieving control of access to these specific tables. If youre anxious about giving access to an entire table group, due to the fact that some tables have an open interface which allows table maintenance even in transaction SE16, the check this report developed and posted to the SAP Fans security forum by John A. Jarboe. With the authorization object S_TABU_LIN you can even go a step further, and control access to a table on record level, based on the key fields of the table. You can find an overall presentation of the object here. The How-To guide below will demonstrate how to set up and use this authorization object. The example is based on a small table ZMYTABLE. I have created a maintenance view and parameter transaction based on SM30 around this table. Please notice that the parameter transaction is calling SM30 in update mode. If the object is to be used with SE16 youll need to implement OSS note 763269. '

S_TABU_LIN Customizing
We can find the customizing entries in the IMG under SAP NetWeaver Application Server System Administration Users and Administration Line-oriented Authorizations. First we need to define the organizational criterias.

In here create new criteria by pushing the New entries button.

In this example we will like to control access based on the key field Country, in order to do so create a criteria called Z_Country_Grp, with the name Country Grp. If we flag the table-ind flag the criteria will affect maintenance of all tables whose key fields are related to the domains specified in the attribute later. In this example we only want to control the access to the specific table ZMYTABLE so we will leave it blank Save the entry and assign it to a transport request. Now mark the created line and switch to attributes Create a new entry with the data shown below.

Save it and assign it to the transport request. Notice that you can have up to 8 organizational criterion attributes. Now we need to assign a table and a field to our attribute

In order to do so mark the attribute and switch to Table Fields

In here create a new entry and assign, in this example, the table ZMYTABLE, and the field name country to the attribute. Please notice that only Key fields can be used !

Save and assign to transport request Now we are ready for activating our organizational criteria this is the second bullet in the IMG Just check the active flag and the check is activated.

Incorporate the authorization object in a role

We have now implemented the authorization check; next step is to implement it in the required roles. In this example I have created a parameter transaction ZMYTRANSACTION - using SM30 around the table ZMYTABLE. I have create a small test role ICC_TEST, including only the transaction ZMYTRANSACTION, and a few support transactions.

In the authorization part I have inserted the object S_TABU_LIN manually (best practice is of course to assign it in SU24), but a manual insert will also do the trick J

Now when we change one the authorization fields by pushing the pencil the profile generator will ask us for the criteria.

Here we chose the Z_COUNTRY_GRP criteria that we have created. Well now get the following popup, in this case we will grant change access, so we choose 02 Change for activity

In the list below well see the Organizational Attributes that we have created we have the option to use up to 8 attributes in the example we had only defined one attribute Country Grp - we assign the value DK thus only granting access to records with DK in the key field country.

To transfer the selection back to the profile generator press th transfer button

or press F5.

Now we just need to generate the profile and assign it to a test user. Now when this test user signs on to and executes the transaction only entries for Cty DK is displayed.

If the transaction is executed by a user with SAP_ALL all records are displayed,