cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Restrictions to SE16 impacts Standard Transactions that uses de same objects

former_member1329783
Discoverer

on ‎05-24-2023 3:07 PM

0 Kudos

Will the configuration made to restrict access to tables through SE16 or SE16N will impact the standard (transaction) functionality that uses de same object?

Show replies
Show replies
Answer
View Entire Topic
Monsores
Active Participant
‎05-25-2023 10:11 PM

Hi Talita.

Nut sure if I understood correctly, but it seems you are asking if restricting table EKKO (PO header) in SE16N will cause problems in ME21N (PO creation), for example.

In this case, the answer is no. The authorization objects checked by SE16N are not the same checked by other tcodes (ME21N, in the example above).

Regards,

Marcelo Monsores

Show replies
Show replies
former_member279014
Explorer
‎05-30-2023 6:28 PM
0 Kudos

I agree with this answer.

The S_TABU_* auth objects that are called by SE16/SE16N/SM30 are only ever reused (to my knowledge) in very table-centric situations such as SAP Query, IMG Config, and similar.

As a good security practice, endusers in Prod should not have much (if any) direct table access, esp. if the data therein is considered "sensitive," even for viewing. And with access to change any table data, they could really foul things up. So as a SAP Sec Admin, I would only be providing this sort of table access when users have shown that they need it to accomplish something required.

Now, it is always possible that a custom program was written in such a way as to directly use or indirectly trigger these S_TABU_* authorization calls. Such concerns can be addressed by getting info from your developers and/or going to lower systems (preferably) and tracing run-throughs of transactions/code with tcode STAUTHTRACE.

But "except for exceptions," typical endusers running typical SAP productivity transactions will "almost never" trigger calls to these table auth objects (in my 24-years of experience).

Ask a Question