on 05-24-2023 3:07 PM
Will the configuration made to restrict access to tables through SE16 or SE16N will impact the standard (transaction) functionality that uses de same object?
Hi Talita.
Nut sure if I understood correctly, but it seems you are asking if restricting table EKKO (PO header) in SE16N will cause problems in ME21N (PO creation), for example.
In this case, the answer is no. The authorization objects checked by SE16N are not the same checked by other tcodes (ME21N, in the example above).
Regards,
Marcelo Monsores
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I agree with this answer.
The S_TABU_* auth objects that are called by SE16/SE16N/SM30 are only ever reused (to my knowledge) in very table-centric situations such as SAP Query, IMG Config, and similar.
As a good security practice, endusers in Prod should not have much (if any) direct table access, esp. if the data therein is considered "sensitive," even for viewing. And with access to change any table data, they could really foul things up. So as a SAP Sec Admin, I would only be providing this sort of table access when users have shown that they need it to accomplish something required.
Now, it is always possible that a custom program was written in such a way as to directly use or indirectly trigger these S_TABU_* authorization calls. Such concerns can be addressed by getting info from your developers and/or going to lower systems (preferably) and tracing run-throughs of transactions/code with tcode STAUTHTRACE.
But "except for exceptions," typical endusers running typical SAP productivity transactions will "almost never" trigger calls to these table auth objects (in my 24-years of experience).
User | Count |
---|---|
7 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.