John and Giovanni - were quick off the mark and probably have everything you need - the likely key is MENUITEM, but I like Giovanni's suggestion to use a higher SAFAUTH, as this might require less change to your current rules, unless you are already using CONTROL /ALTER for something else like Signout override. But I'd like to offer three more suggestions/considerations...
a) Please include an EN$TRESI, and maybe EN$TROPT in your post as it will help us all see your current config, have you already got MENUITEM? have you already got two ACTION_INITIATIONs, what SAFAUTH levels are already in play? etc.
b) There are some ENCOPTBL options you might want to check, but just searching ENCOPTBL for "Security", "ESI" and "Transfer" especially in the latest version of this element <iprfx>.<iqual>.CSIQSRC(ENCOPTBL), as a lot of work was done to clean up and clarify the comment text. But in particular checkout:
- SEC_MOVE_TARGET - can help make rules more consistent
- SEC_ALTERNATIVE_MENUAUTH - The big one, and needs careful consideration to determine impact on the security package rules (including the intriguing possibility of limiting MOVE without DELETE behind)... Great write up and table in the source.
- SEC_RETRIEVE_WITH_SIGNOUT. not related to transfer specifically, but worth considering especially if you need to free up a SAFUATH space
- PKG_ELEMENT_LOCK=(ON,Y) - while not ESI, might allow greater control of the target location
- IMPLICIT_DELETE_APPROVAL_CHECK - again not explicitly for Transfer, but can add a check for implicit deletes
- ALLOW_NON_PKG_ACTIONS - check the value if coded, doesn't allow TRANSFER outside a package (value '32')
- PACKAGE_ACTION_NO_APPRVR - ditto
c) I recommend you really question, what's going on here, WHY are developers using TRANSFER? What issues are they trying to avoid/work around? As Giovanni pointed out, just restricting transfer, will not stop users achieving the same basic outcome, if they have access, just maybe in a more roundabout way (and likely error prone). Some valid use cases might include: Transfer is also Endevor's generic "RENAME" so if users are employing it to fix a mistaken element or type name, a transfer can help them fix it, and preserve the history and avoid the risk when they try to delete the old one. Are folks using transfer, instead of parallel paths? to jump over elements that aren't ready to promote, if so maybe the answer is another environment/path, or maybe have a look at dynamic environments. Encouraging QuickEdit use might also help keep folks from even looking at the 'batch transfer' and wondering "what's that for..." But also if there is a real, need you might be able to package it as a QuickEdit User Extension point so they can do what they need safely, Maybe they need something like the git stash, or blame... just "automated it" in a safe way. In the end educating the users, is likely to yield dividends.
d). Oops one, more - if you still need to restrict TRANSFER, then an EXIT might be a cleaner/simpler way to go, especially if the ESI runs, and security resources are already complex.
Cheers,
Eoin
------------------------------
Eoin O'Cleirigh
Lead Systems Engineer @ ANZ +64273888404
------------------------------