Skip to Content
author's profile photo Former Member
Former Member

Is there a way in SAP to check what all Authorization Groups are used by Transaction Codes.

Dear All,

I have close to 100 roles, where in the Authorization Object S_TABU_DIS is configured as below

Actvt 03

Authorization Group *

Actvt 02, 03

Authorization Group *

Few Display roles are configured like below

Actvt 03

Authorization Group *

Few Business Roles are configured like below

Actvt 02, 03

Authorization Group *

We have got a request from the management to update the Authorization Object S_TABU_DIS in all the 100 roles..such that each role should be updated with the Respective Authorization Groups based on the Transaction Codes which use the Authorization Object S_TABU_DIS in that specific role.

For Example: We have the beow Transaction Codes in different roles which user the Authorization Object S_TABU_DIS. Currently we that Roles are configured for both Change/Display for all Authorization Groups.

Role 1. KO30, KO32, OA90, OAVI, OAW3 Role 2. KO30, KSPI, KSS4 Role 3. KB61, KB64, KB65, KSII, KSS2

I need to find out which Authorization groups are used by each Transaction Code. Do we have a Program/Report in SAP?

I did suggested to put on a trace and run each Transaction Code and find the Authorization Group, however this is time consuming. Looking for an alternative.

Please help on this.

Regards

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

3 Answers

  • Best Answer
    Posted on Sep 05, 2013 at 06:03 AM

    Hi Security 13 Team

    You can obtain some of the transaction to S_TABU_DIS mapping where the transaction code is an SM30/31/34 call

    To do this, you can go to table TSTCP in ALV mode and filter for PARAM contains '/*SM3*'. Within the PARAM results you can locate the tables/views/etc and then go to table TDDAT to look up the table to auth group mapping.

    This will not give you transactions where the program contains a call for S_TABU_DIS. You might be able to look at SU24 data (USOBT_C and USOBX_C) to see if there are any proposals.

    After that you may need to look at testing each transaction in the roles and mapping them out - back to your comment about testing/tracing each transaction.

    As another consideration, if you are being asked to lock down S_TABU_DIS you should also consider removing it as much as possibly and granting S_TABU_NAM to the specific table instead.

    Mess in a system is always time consuming to clean up.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Sep 04, 2013 at 06:52 PM

    Hello,

    In the standard menu,

    you can see this menu. so that you could use various information from flexible combination input.

    Thanks.


    Role_Menu.JPG (62.5 kB)
    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Sep 05, 2013 at 09:53 AM

    Hi,

    To check, the previous values and update the new values for the auth.obj ' S_TABU_DIS ' in the roles, please try these steps

    Goto SUIM -->Roles-->By Authorization values -->entry auth object (S_TABU_DIS) and click on entry values. You shall be asked to enter ACTVT values and also the AUTH group. Enter the relevant ones and ..once you see the roles, double click on any of the role and modify the auth object values with the new values. Hope this helps.

    Mj

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.