Is there a way to create a profile with access to the SE38 T code with only display authorization (not create/execute/delete)? I have restricted the field to DISPLAY alone in authorizations data, but still, some programs can be executed. The R/3 version is 4.5B.
Place an authorization group on every Type 1 program (except Type 1 type-pools) and give end users authority to execute all the programs using an authorization for S_PROGRAM that has actions BTCSUBMIT and VARIANT. Do not grant access for action SUBMIT. The user will be able to submit reports from any transaction that will start the report but not from SE38 or SA38 or from any other path to a code editor including System/Status.
In some versions of SAP, it is possible to submit a report while viewing the code for an include program for the report. You must make sure that this is not possible in your version, and if it is, you must determine the availability of OSS notes to correct the weakness in your version. Later versions of SAP all allow for executing Type 1 code while viewing an include, but they do enforce the authorization check.
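An audit for the scheme described in the answer above, as an added example that is not part of the original answer or SAP's own code: it takes rows exported from the program directory table TRDIR and one user's S_PROGRAM authorization values, and reports executable programs that have no authorization group or for which the user holds action SUBMIT. The sample rows, program names and the dict layout of the export are constructed; treating a program without an authorization group as unprotected is an assumption based on the answer's advice to assign one to every program.

```python
from fnmatch import fnmatchcase

# Constructed sample data (not from a real system).
# TRDIR columns: NAME = program, SUBC = program type, SECU = authorization group.
TRDIR_ROWS = [
    {"NAME": "ZFI_AGING",   "SUBC": "1", "SECU": "ZFIN"},
    {"NAME": "ZHR_PAYLIST", "SUBC": "1", "SECU": "ZHR"},
    {"NAME": "ZMM_STOCK",   "SUBC": "1", "SECU": ""},   # no group assigned
    {"NAME": "ZFI_AGING_F", "SUBC": "I", "SECU": ""},   # include, not executable
]
# One user's S_PROGRAM authorizations: P_GROUP pattern plus P_ACTION values.
USER_AUTHS = [
    {"P_GROUP": "Z*",  "P_ACTION": {"BTCSUBMIT", "VARIANT"}},
    {"P_GROUP": "ZHR", "P_ACTION": {"SUBMIT"}},         # breaks the scheme
]
ALL_ACTIONS = {"SUBMIT", "BTCSUBMIT", "VARIANT"}


def granted_actions(auths, group):
    """Union of actions the authorizations grant for one authorization group."""
    actions = set()
    for auth in auths:
        if fnmatchcase(group, auth["P_GROUP"]):   # "*" and "Z*" style patterns
            actions |= ALL_ACTIONS if "*" in auth["P_ACTION"] else auth["P_ACTION"]
    return actions


def audit(trdir_rows, auths):
    """Return {program: finding} for executable programs that break the scheme."""
    findings = {}
    for row in trdir_rows:
        if row["SUBC"] != "1":        # only Type 1 (executable) programs
            continue
        group = row["SECU"].strip()
        if not group:
            # Assumption: with no group there is nothing for S_PROGRAM to restrict.
            findings[row["NAME"]] = "no authorization group"
        elif "SUBMIT" in granted_actions(auths, group):
            findings[row["NAME"]] = "SUBMIT granted for group " + group
    return findings


if __name__ == "__main__":
    for name, finding in sorted(audit(TRDIR_ROWS, USER_AUTHS).items()):
        print(name, "->", finding)
```
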