Risk Assessment

Transaction Code: AL11 Display Directories

Authorization Objects:

S_ADMI_FCD: This authorization object checks access to several Basis functions, for example spool administration and monitoring.
Fields:
  S_ADMI_FCD (system administration function). Possible value:
    o ST0R: Authorization to analyze traces

S_DATASET: You use this object to assign authorizations for accessing operating system files (with the ABAP/4 keywords OPEN DATASET, READ DATASET, TRANSFER and DELETE DATASET). The object can also be used to assign the authorization for using operating system commands as a file filter.
Fields:
  ABAP/4 program name: Name of the ABAP/4 program that contains the file access. You can restrict file access to a few known access programs.
  Activity: Possible values:
    o 33: Normal file read
    o 34: Normal file write or deletion
    o A6: Read file with filter (operating system command)
    o A7: Write to a file with filter (operating system command)
  File name: Name of the operating system file. Here you can restrict which files are accessible.

S_RZL_ADM: Authorization object for R/3 System administration using the Computing Center Management System (CCMS).
Fields:
  Activity. Possible values:
    o 01: All Computing Center Management System functions, including starting and stopping instances, setting up and changing operation modes, checking system status, etc.
    o 03: Display authorization. None of the maintenance functions can be executed.

Functionality:
  The AL11 transaction displays the list of directories. To view the content of the files in a directory, S_DATASET must be maintained with appropriate values for activity, path and program. When the user double-clicks a directory, all files in that directory are listed.
  Using the directory parameters maintained in the instance profile, or directories added in the program, files at the operating system level can be opened from the SAP GUI.

  On further analysis, many roles in SAP are maintained with "*" values in the File name and Program fields of the S_DATASET authorization object. Combined with access to the AL11 transaction, this opens up broader file access than required.

Risk Assessment:

Users with access to the AL11 transaction and unrestricted authorizations can view files and data stored in the directories, browse the Unix directory tree and open files. As the files also contain CSI data, access needs to be further controlled.

The AL11 transaction code is restricted to IT users. However, there are valid requirements from the Business to have access to AL11 in order to reach specific files created by interfacing business applications, and specific roles are created to restrict that access to the particular path where the files are stored (Blackline). Because a user's authorizations are the union of all roles assigned to them, general end-user roles and other business roles that carry "*" values in S_DATASET supersede the path restrictions applied in these dedicated roles. Since S_DATASET is an important BASIS/ABAP authorization object, the values maintained under general end-user roles should be strictly restricted and maintained.
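The following Python script is an added example, not part of the original assessment and not an SAP tool. It applies the two points above to constructed role data in the shape of tables AGR_1251 (role authorization values) and AGR_USERS (role assignments): it flags roles whose S_DATASET carries "*" in PROGRAM or FILENAME, and evaluates a user's effective file access as the union of all assigned roles, which is why a wildcard in a general role overrides the path restriction in a dedicated one. The role names, user IDs, the program name Z_BLACKLINE_IF and the file paths are hypothetical; value matching is simplified to exact values and a trailing "*" (SAP's "+" single-character wildcard and value ranges are not modelled).

```python
"""Audit constructed SAP role data for over-broad S_DATASET grants around AL11.

Added example, not from the original page. Role names, user IDs, program
names and paths are hypothetical. Rows follow the shape of AGR_1251:
(role, authorization, object, field, low value).
"""

# Constructed AGR_1251-style rows.
SAMPLE_AGR_1251 = [
    # Dedicated business role: AL11 plus S_DATASET limited to one program and path.
    ("Z_FIN_BLACKLINE", "A01", "S_TCODE",    "TCD",        "AL11"),
    ("Z_FIN_BLACKLINE", "A02", "S_ADMI_FCD", "S_ADMI_FCD", "ST0R"),
    ("Z_FIN_BLACKLINE", "A03", "S_DATASET",  "ACTVT",      "33"),
    ("Z_FIN_BLACKLINE", "A03", "S_DATASET",  "PROGRAM",    "Z_BLACKLINE_IF"),
    ("Z_FIN_BLACKLINE", "A03", "S_DATASET",  "FILENAME",   "/interface/blackline/*"),
    # General end-user role: no AL11, but S_DATASET maintained with "*" everywhere.
    ("Z_GEN_ENDUSER",   "B01", "S_TCODE",    "TCD",        "SU3"),
    ("Z_GEN_ENDUSER",   "B02", "S_DATASET",  "ACTVT",      "33"),
    ("Z_GEN_ENDUSER",   "B02", "S_DATASET",  "ACTVT",      "34"),
    ("Z_GEN_ENDUSER",   "B02", "S_DATASET",  "PROGRAM",    "*"),
    ("Z_GEN_ENDUSER",   "B02", "S_DATASET",  "FILENAME",   "*"),
]

# Constructed AGR_USERS-style assignments: user -> assigned roles.
SAMPLE_AGR_USERS = {
    "BUSUSER1": ["Z_FIN_BLACKLINE", "Z_GEN_ENDUSER"],
    "BUSUSER2": ["Z_FIN_BLACKLINE"],
}


def load_roles(rows):
    """Build role -> object -> authorization -> field -> set of values."""
    roles = {}
    for role, auth, obj, field, low in rows:
        (roles.setdefault(role, {}).setdefault(obj, {})
              .setdefault(auth, {}).setdefault(field, set()).add(low))
    return roles


def sap_match(pattern, value):
    """Simplified SAP value matching: '*' matches anything, trailing '*' a prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def auth_matches(auth_fields, required):
    """A single authorization passes only if every required field matches."""
    return all(any(sap_match(p, want) for p in auth_fields.get(field, ()))
               for field, want in required.items())


def user_passes(user, obj, required, roles, assignments):
    """Authorizations of all assigned roles are unioned: one passing auth is enough."""
    return any(auth_matches(fields, required)
               for role in assignments.get(user, [])
               for fields in roles.get(role, {}).get(obj, {}).values())


def can_display_directory(user, roles, assignments):
    """AL11 entry: transaction start plus S_ADMI_FCD value ST0R."""
    return (user_passes(user, "S_TCODE", {"TCD": "AL11"}, roles, assignments)
            and user_passes(user, "S_ADMI_FCD", {"S_ADMI_FCD": "ST0R"}, roles, assignments))


def can_read_file(user, program, filename, roles, assignments):
    """Opening a file for display requires S_DATASET activity 33 for program and path."""
    required = {"ACTVT": "33", "PROGRAM": program, "FILENAME": filename}
    return user_passes(user, "S_DATASET", required, roles, assignments)


def wildcard_dataset_roles(roles):
    """Roles whose S_DATASET has '*' in PROGRAM or FILENAME (the finding in the text)."""
    findings = []
    for role, objs in roles.items():
        for auth, fields in objs.get("S_DATASET", {}).items():
            wide = tuple(f for f in ("PROGRAM", "FILENAME") if "*" in fields.get(f, set()))
            if wide:
                findings.append((role, auth, wide))
    return findings


if __name__ == "__main__":
    roles = load_roles(SAMPLE_AGR_1251)
    print("S_DATASET wildcards:", wildcard_dataset_roles(roles))
    outside = "/interface/payroll/salaries.csv"   # constructed path outside the Blackline folder
    for user in SAMPLE_AGR_USERS:
        print(user, "AL11:", can_display_directory(user, roles, SAMPLE_AGR_USERS),
              "read outside path:", can_read_file(user, "Z_BLACKLINE_IF", outside, roles, SAMPLE_AGR_USERS))
```

BUSUSER2, who holds only the dedicated role, can open files under /interface/blackline/ and nothing else; BUSUSER1 holds the same dedicated role plus the general role and can read any path, because the "*" authorization in Z_GEN_ENDUSER satisfies the check on its own. Run against a real export, the wildcard_dataset_roles listing is the set of roles to clean up first.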