Skip to Content
avatar image
Former Member

Is there a way in SAP to check what all Authorization Groups are used by Transaction Codes.

Dear All,

I have close to 100 roles, where in the Authorization Object S_TABU_DIS is configured as below

Actvt 03

Authorization Group *

Actvt 02, 03

Authorization Group *

Few Display roles are configured like below

Actvt 03

Authorization Group *

Few Business Roles are configured like below

Actvt 02, 03

Authorization Group *

We have got a request from the management to update the Authorization Object S_TABU_DIS in all the 100 roles..such that each role should be updated with the Respective Authorization Groups based on the Transaction Codes which use the Authorization Object S_TABU_DIS in that specific role.

For Example: We have the beow Transaction Codes in different roles which user the Authorization Object S_TABU_DIS. Currently we that Roles are configured for both Change/Display for all Authorization Groups.

Role 1.  KO30, KO32, OA90, OAVI, OAW3 Role 2.  KO30, KSPI, KSS4 Role 3.  KB61, KB64, KB65, KSII, KSS2

I need to find out which Authorization groups are used by each Transaction Code. Do we have a Program/Report in SAP?

I did suggested to put on a trace and run each Transaction Code and find the Authorization Group, however this is time consuming. Looking for an alternative.

Please help on this.

Regards

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Best Answer
    Sep 05, 2013 at 06:03 AM

    Hi Security 13 Team

    You can obtain some of the transaction to S_TABU_DIS mapping where the transaction code is an SM30/31/34 call

    To do this, you can go to table TSTCP in ALV mode and filter for PARAM contains '/*SM3*'. Within the PARAM results you can locate the tables/views/etc and then go to table TDDAT to look up the table to auth group mapping.

    This will not give you transactions where the program contains a call for S_TABU_DIS. You might be able to look at SU24 data (USOBT_C and USOBX_C) to see if there are any proposals.

    After that you may need to look at testing each transaction in the roles and mapping them out - back to your comment about testing/tracing each transaction.

    As another consideration, if you are being asked to lock down S_TABU_DIS you should also consider removing it as much as possibly and granting S_TABU_NAM to the specific table instead.

    Mess in a system is always time consuming to clean up.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi Lee,

      Your solution has solved almost 70% of my Task. For Rest of the Transactions I need to put on a trace and find it manually.

      Thank you!!.

      Regards

  • avatar image
    Former Member
    Sep 04, 2013 at 06:52 PM

    Hello,

    In the standard menu,

    you can see this menu. so that you could use various information from flexible combination input.

    Thanks.

    Add comment
    10|10000 characters needed characters exceeded

  • Sep 05, 2013 at 09:53 AM

    Hi,

    To check, the previous values and update the new values for the auth.obj ' S_TABU_DIS '  in the roles, please try these steps

    Goto SUIM -->Roles-->By Authorization values -->entry auth object (S_TABU_DIS) and click on entry values. You shall be asked to enter ACTVT values and also the AUTH group. Enter the relevant ones and ..once you see the roles, double click on any of the role and modify the auth object values with the  new values. Hope this helps.

    Mj

    Add comment
    10|10000 characters needed characters exceeded