Accessing the SE38 T code with only display authorization

Can you create a profile that has only display authorization for the SE38 T code? Expert Corwin Slack answers.

Is there a way to create a profile with access to the SE38 T code with only display authorization (not create/execute/delete)? I have restricted the field to DISPLAY alone in authorizations data, but still, some programs can be executed. The R/3 version is 4.5B.

Place an authorization group on every Type 1 program (except Type 1 type-pools) and give end users authority to execute all the programs using an authorization for S_PROGRAM that has actions BTCSUBMIT and VARIANT. Do not grant access for action SUBMIT. The user will be able to submit reports from any transaction that will start the report but not from SE38 or SA38 or from any other path to a code editor including System/Status.

In some versions of SAP, it is possible to submit a report while viewing the code for an include program for the report. You must make sure that this is not possible in your version, and if it is, you must determine the availability of OSS notes to correct the weakness in your version. Later versions of SAP all allow for executing Type 1 code while viewing an include, but they do enforce the authorization check.
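An added example, not part of the original answer and not SAP's own tooling: a Python audit that reads a role export and lists every S_PROGRAM authorization whose P_ACTION values cover SUBMIT, whether directly, through a wildcard or through a range. The CSV layout, the role and authorization names, and the lexical range comparison are assumptions; the sample data is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per field value of an authorization.
# Column names (role, object, auth, field, low, high) are assumptions.
SAMPLE = """role,object,auth,field,low,high
Z_REPORT_USER,S_PROGRAM,T001,P_ACTION,BTCSUBMIT,
Z_REPORT_USER,S_PROGRAM,T001,P_ACTION,VARIANT,
Z_REPORT_USER,S_PROGRAM,T001,P_GROUP,*,
Z_DEV_DISPLAY,S_PROGRAM,T002,P_ACTION,*,
Z_DEV_DISPLAY,S_PROGRAM,T002,P_GROUP,ZFIN,
Z_OLD_ROLE,S_PROGRAM,T003,P_ACTION,S*,
Z_OLD_ROLE,S_PROGRAM,T003,P_GROUP,*,
Z_RANGE,S_PROGRAM,T004,P_ACTION,A,T
Z_RANGE,S_PROGRAM,T004,P_GROUP,ZHR,
Z_OTHER,S_TCODE,T005,TCD,SE38,
"""

def covers(low, high, value):
    """True if a single value, trailing-* pattern, or low/high range covers value."""
    low, high = low.strip(), high.strip()
    if high:
        return low <= value <= high  # assumption: ranges compare lexically
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value

def find_submit_grants(export_text):
    """Return sorted (role, auth, groups) for S_PROGRAM authorizations allowing SUBMIT."""
    actions = defaultdict(list)
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["object"] != "S_PROGRAM":
            continue
        # Field values only combine within the same authorization instance.
        key = (row["role"], row["auth"])
        if row["field"] == "P_ACTION":
            actions[key].append((row["low"], row["high"] or ""))
        elif row["field"] == "P_GROUP":
            groups[key].append(row["low"])
    findings = []
    for key, values in actions.items():
        if any(covers(lo, hi, "SUBMIT") for lo, hi in values):
            findings.append((key[0], key[1], tuple(sorted(groups.get(key, [])))))
    return sorted(findings)

if __name__ == "__main__":
    for role, auth, grp in find_submit_grants(SAMPLE):
        print(f"{role} ({auth}) allows SUBMIT for program groups {grp}")
```

Roles that hold only BTCSUBMIT and VARIANT, as the answer recommends, produce no finding; any role listed needs its P_ACTION values narrowed.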
