SAP Basis Tech Supports

Symptom

Within the authorization administration using the Profile Generator, the following problem occurs:
Although you have completely removed a transaction from the menu of a role, the transaction name is still included in the authorization for the transaction start (authorization object S_TCODE). You cannot manually adjust or limit the authorization.

Other terms

PFCG, check indicator, SU24, S_TCODE

Reason and Prerequisites

According to the corrections and explanations from Note 624207, you cannot manually change the generated standard authorization for the object S_TCODE in the PFCG authorization maintenance.
The behavior mentioned above is caused by authorization default values for the authorization object S_TCODE that contain the relevant transaction name. In the authorization maintenance of the role, you can determine the relevant transaction using the where-used list of the object in transactions and adjust the authorization default values according to your requirements or remove the transaction that contains this unrequired authorization default value from the menu of the role.
The authorization default values delivered by SAP usually correspond to the most frequent application scenarios of the relevant application. You can use transaction SU24 to adjust these authorization default values according to the individual usage scenario.
Authorization default values for the authorization object S_TCODE are always useful if (during the general usage of an application) you must navigate from one application to a different application and you require ???this option to productively use the application.

Solution

The general valuation of the customer-specific usefulness of the authorization default values for the object S_TCODE must be performed depending on the relevant requirements in each case.
Typical individual influencing factors are documented in the authorization concept and the revision requirements (for example, in the list of critical authorization combinations).
You can use transaction SU24 to check and handle critical authorization default values for each application. Currently, we do not intend to provide an overview report for this task.
However, you can use the Data Browser (transaction SE16) to determine all entries with the attributes TYPE = TR and OBJECT = S_TCODE for the table USOBT_C to obtain an overview for the risk assessment.
If the adjustment of the default values does not seem to make sense in individual cases (only one role is affected by this constellation), you can deactivate the S_TCODE authorization and insert a S_TCODE authorization that is manually maintained instead.
Caution: In this case, the applications contained in the menu and the S_TCODE authorization are not automatically compared.
You can use transaction SU24 to remove default values that you do not require. If you notice SAP authorization default values that result in a general security problem, open a product support message and request that your message is forwarded to the relevant application development.
If you have removed the S_TCODE authorization default values from transaction SU24, but subsequently want to obtain information about the transaction relationships that are predefined by SAP, perform the selection (that is described above for the table USOBT_C) for the table USOBT.