on 05-16-2014 7:58 AM
How to find out which users use some specific transactions with some specific activities?
Dear All,
Due to internal authorization audits I have the following problem.
I need a flat list of users which have rights on specific transactions with specific activities.
Specification
List of transaction of interest (sample):
F150 Dunning Run
FB01 Post Document
FB05 Post with Clearing
FB50 G/L Acct Pstg: Single Screen Trans.
FB60 Enter Incoming Invoices
FB70 Enter Outgoing Invoices
FD32 Change Customer Credit Management
FK01 Create Vendor (Accounting)
FK02 Change Vendor (Accounting)
MB1A Goods Withdrawal
ME11 Create Purchasing Info Record
ME12 Change Purchasing Info Record
ME21N Create Purchase Order
ME22N Change Purchase Order
MEKB Conditions by Contract
MEKC Conditions by Info Record
MEKE Conditions for Vendor
List of activities (ACTVT) which the user needs:
01 Create or generate
02 Change
10 Post
76 Enter
82 Supplement
A2 Pay
A8 Process mass data
C5 Reopen
C8 Confirm change
G2 Billing
Result
The result should be a list like this:
UNAME TCD
---------------
AA F150
AA FB01
BB F150
BB FB05
CC ME11
CC ME12
CC ME21N
CC ME22N
The output should picture the result of the user's real authorization.
I.e. the user AA has rights on TCode F150 with one of the activities listed in the activity list.
I have already worked days and hours in this problem and did not find any proper solution.
Any hints and comments are very appreciated.
By the way. I did a lot of programming and selects on tables:
AGR_1251
TACTT
AGR_USERS
USOBX
USR02
USR04
Regards,
M.
Hello Markus,
You can find out the Tcodes accessed by the users under Tcode ST03N. If you don't have access to this Tcode, you can reach out to the Basis person, who can help with this.
Required steps would be:
1) Execute TCODE: ST03N
2) Click the "Expert mode" button
3) Select the required date or date range for which you want data. Select the "User and Settlement Statistics" and click on the "User Profile"
4) Select "Task Type" and the "DIALOG" option
5) The list of users will be displayed. Double click on the relevant user to display the TCODEs accessed by them
Then you really should be looking at SAP's GRC products. That's what they do. Of course you could write something custom to do the same thing, but you have already found out it isn't as simple as it appears. And each time you are audited you'll have to prove that your in-house tools work properly and can be trusted.
A GRC project is a big project, but the largest part of it isn't getting the software installed and configured - it is getting the rules agreed and then changing everyone's access to fit with the rules. You'll have that part even if you implement your own tools.
Steve.
You wasted a lot of time... **** happens if you don't search
What you are looking for is report RSUSR008_009_NEW and / or SAP GRC which contains default content as a rule set.
Cheers,
Julius
Good morning, Julius
No worries, I haven't wasted any time and had already come across RSUSR008_009_NEW and S_BCE_68002111, but now continuing in English for our colleagues.
---
Dear Julius,
Many thanks for your hint. But I had already found report RSUSR008_009_NEW and transaction S_BCE_68002111.
But unfortunately there are 2 hindering factors:
a) To set up a clean base for this analyzing tool set we need some more time and knowledge.
b) SAP itself says there are some incorrect results for roles. See http://search.sap.com/ui/notes?id=0001888266
(The problem is, at the moment we cannot / do not want to install those corrections, according to my Basis colleague.)
As far as I know about TCD S_BCE_68002111, this could/would be of great help.
Do you have or do you know some more tutorials or training material about transaction S_BCE_68002111? Any help will be appreciated.
Regards,
Markus
Yes, rsusr008_009_new is something for "gadget guys" who want to build their own sets and know what to look for. It is a labour of love but then works fine.
With GRC you get the full monty out of the box and only need to tune / mitigate rulesets to meet your needs. "Only" might however be an understatement as you can have months and months of endless meetings if you decide that the business system owners are the owners of the rulesets... 🙂
Cheers,
Julius
You will have to talk to your SAP account manager about licensing SAP GRC and can use the dead possum strategy at year end if your license model is not an "eat as much as you like" variant... (little tip...)
But as Steve mentioned, it is a project and not an install shield with a "adjust automatically" button to click on.
A good design in the first place opens options to easily analyse and correct problems in scalable ways -> Su24 based authorizations with where-used references. Then you know what you are doing from a concept perspective and individual role maintenance perspective.
Perhaps you have built value based enabler roles (may the fleas of a thousand camels infest their armpits) and have lost that connection?
Cheers,
Julius
You have to check in SUIM, but I don't think you would have authorization for this transaction. Only the Security team can have authorization for this.
G. Lakshmipathi
Hi Markus,
Unfortunately there is no ready solution for this; you will have to do it manually to get the list in the expected format.
The best deal for you is to use SUIM with the same limited options and get the list in Excel; check with your ABAPer if you can input the search criteria through SAP script and output it to Excel. (Repeat the step for different inputs.)
The second solution is to use an SAP query on AGR_USERS and AGR_1251, get the result into Excel and modify it.
Hope it helps you to achieve your target.
BR,
Mangesh
I've suggested to moderators to move this to the Security forum since this seems to be not an ABAP question. The original post is a bit confusing though because having authorization and actually using it are two different things. You might want to clarify what you're looking for exactly and for what reason.
Hi Marcus,
I think the SUIM transaction may fit your needs, did you try it?
Enter SUIM and on the menu path choose "User->Users by Complex Selection Criteria->Users by Complex Selection Criteria". On this screen enter "S_TCODE" for "Authorization object 1", then press "Enter". Enter a tcode for the value and execute. You will see the list of users who have authorization for the related tcode.
I don't have a suggestion for the activity issue, but I hope this may light your way to a solution.
Regards,
Emrah.
Dear Emrah,
Dear Klaus,
Many thanks for help.
For sure we know SUIM in many aspects.
But I cannot send it on the road with 50 transactions and I do not know with which authorization objects ...
Again the question:
Which users are authorized to use transaction XX with ACTVT = 01 or 02?
Yours,
Markus
Hi Markus,
You can't combine transactions and activities without checking authorization objects.
In FB01 you will have several authority checks for the same activity, for example:
" segment and record type in General Ledger
AUTHORITY-CHECK OBJECT 'F_FAGL_SEG'
  ID 'SEGMENT' FIELD LD_SEGMENT
  ID 'GLRRCTY' FIELD I_RRCTY
  ID 'ACTVT'   FIELD I_ACTVT.
" authorization group of the document type
AUTHORITY-CHECK OBJECT 'F_BKPF_BLA'
  ID 'ACTVT' FIELD I_ACTVT
  ID 'BRGRU' FIELD I_BEGRU.
" business area
AUTHORITY-CHECK OBJECT 'F_BKPF_GSB'
  ID 'ACTVT' FIELD i_actvt
  ID 'GSBER' FIELD i_gsber.
" object name given only as its type CHAR(10) in the post
AUTHORITY-CHECK OBJECT CHAR(10)
  ID 'ACTVT' FIELD I_ACTVT
  ID 'BRGRU' FIELD I_BEGRU.
" account type
AUTHORITY-CHECK OBJECT 'F_BKPF_KOA'
  ID 'ACTVT' FIELD I_ACTVT
  ID 'KOART' FIELD I_KOART.
" ledger, record type and version per company code
AUTHORITY-CHECK OBJECT 'F_FAGL_LDR'
  ID 'BUKRS'   FIELD i_bukrs
  ID 'GLRLDNR' FIELD ld_ledger
  ID 'GLRRCTY' FIELD i_rrcty
  ID 'GLRVERS' FIELD i_rvers
  ID 'ACTVT'   FIELD i_actvt.
" company code (object name must be a literal or a variable; quoted here)
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'ACTVT' FIELD act_hinz
  ID 'BUKRS' FIELD bkpf-bukrs.
They may all be processed for tcode FB01 and activity '01'. You need to have authorizations for this activity for company code, account, ledger, business area and many more.
If you have authority for activity 01 for FB01 for all business areas, but for no company code, then you still can't use FB01.
Regards,
Klaus
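The following is an added Python example, not code from this thread or from SAP, that makes the difference between Markus's requested UNAME/TCD list and Klaus's objection concrete. It uses constructed rows in the shape of AGR_USERS (role, user) and AGR_1251 (role, object, authorization instance, field, low, high), a hypothetical subset of the checks FB01 performs taken from Klaus's list (F_BKPF_BUK, F_BKPF_GSB, F_BKPF_KOA) with constructed context values, and a simplified value matcher ('*' wildcard and LOW/HIGH ranges only). The role names, authorization ids and values are all invented. The first function is the plain role-table join; the second re-evaluates each AUTHORITY-CHECK per authorization instance, which is what excludes a user who has activity 01 for all business areas but no company code authorization.

```python
from collections import defaultdict

# --- Constructed sample data, modelled on the two tables named in the thread ---
# AGR_USERS: (AGR_NAME, UNAME); validity dates omitted
AGR_USERS = [
    ("Z_FI_POST",     "AA"),
    ("Z_FI_DISPLAY",  "BB"),
    ("Z_FI_GSB_ONLY", "CC"),
]

# AGR_1251: (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH)
# AUTH identifies one authorization instance inside the role; an AUTHORITY-CHECK
# passes only if every field of the check is satisfied within the same instance.
AGR_1251 = [
    ("Z_FI_POST", "S_TCODE",    "T-0001", "TCD",   "FB01", ""),
    ("Z_FI_POST", "F_BKPF_BUK", "T-0002", "ACTVT", "01",   "02"),
    ("Z_FI_POST", "F_BKPF_BUK", "T-0002", "BUKRS", "1000", ""),
    ("Z_FI_POST", "F_BKPF_GSB", "T-0003", "ACTVT", "01",   ""),
    ("Z_FI_POST", "F_BKPF_GSB", "T-0003", "GSBER", "*",    ""),
    ("Z_FI_POST", "F_BKPF_KOA", "T-0004", "ACTVT", "01",   ""),
    ("Z_FI_POST", "F_BKPF_KOA", "T-0004", "KOART", "*",    ""),
    # display-only role: FB01 is in S_TCODE, but only ACTVT 03 on the objects
    ("Z_FI_DISPLAY", "S_TCODE",    "T-0010", "TCD",   "FB01", ""),
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-0011", "ACTVT", "03",   ""),
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-0011", "BUKRS", "1000", ""),
    # Klaus's case: activity 01 for every business area, no company code object
    ("Z_FI_GSB_ONLY", "S_TCODE",    "T-0020", "TCD",   "FB01", ""),
    ("Z_FI_GSB_ONLY", "F_BKPF_GSB", "T-0021", "ACTVT", "01",   ""),
    ("Z_FI_GSB_ONLY", "F_BKPF_GSB", "T-0021", "GSBER", "*",    ""),
]

WANTED_TCODES = {"FB01"}
WANTED_ACTVT = {"01", "02", "10"}

# Hypothetical subset of the checks FB01 runs (objects from Klaus's list) with
# constructed context values for the document being posted.
REQUIRED_CHECKS = {
    "FB01": [
        ("F_BKPF_BUK", {"BUKRS": "1000"}),
        ("F_BKPF_GSB", {"GSBER": "0001"}),
        ("F_BKPF_KOA", {"KOART": "S"}),
    ],
}


def value_matches(value, low, high):
    """Simplified SAP value matching: '*' is a full wildcard, HIGH makes a range."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    return value == low


def authorizations_for(uname):
    """All authorization instances the user gets through assigned roles:
    {(object, role, auth): {field: [(low, high), ...]}}"""
    roles = {role for role, user in AGR_USERS if user == uname}
    auths = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in AGR_1251:
        if role in roles:
            auths[(obj, role, auth)][field].append((low, high))
    return auths


def authority_check(uname, obj, fields):
    """Mirror of AUTHORITY-CHECK OBJECT obj ID f FIELD v ...: passes if one
    authorization instance for obj satisfies every requested field."""
    for (o, _role, _auth), values in authorizations_for(uname).items():
        if o != obj:
            continue
        if all(any(value_matches(v, lo, hi) for lo, hi in values.get(f, []))
               for f, v in fields.items()):
            return True
    return False


def naive_user_tcode_list(tcodes=WANTED_TCODES, actvts=WANTED_ACTVT):
    """The join Markus asked for: a role grants S_TCODE for the tcode and carries
    one of the wanted ACTVT values on any object. Returns sorted (UNAME, TCD)."""
    result = set()
    for role, uname in AGR_USERS:
        rows = [r for r in AGR_1251 if r[0] == role]
        role_tcodes = {r[4] for r in rows if r[1] == "S_TCODE" and r[3] == "TCD"}
        has_actvt = any(value_matches(a, r[4], r[5])
                        for a in actvts for r in rows if r[3] == "ACTVT")
        for tcd in role_tcodes & tcodes:
            if has_actvt:
                result.add((uname, tcd))
    return sorted(result)


def effective_user_tcode_list(tcodes=WANTED_TCODES, actvts=WANTED_ACTVT):
    """Klaus's point: the user must pass S_TCODE and every object the transaction
    checks, with the same activity, in the checked context. Tcodes without an
    entry in REQUIRED_CHECKS are treated as S_TCODE-only."""
    result = []
    for uname in sorted({u for _, u in AGR_USERS}):
        for tcd in sorted(tcodes):
            if not authority_check(uname, "S_TCODE", {"TCD": tcd}):
                continue
            checks = REQUIRED_CHECKS.get(tcd, [])
            if any(all(authority_check(uname, obj, {"ACTVT": act, **ctx})
                       for obj, ctx in checks)
                   for act in sorted(actvts)):
                result.append((uname, tcd))
    return result


if __name__ == "__main__":
    print("UNAME TCD   (role-table join only)")
    for u, t in naive_user_tcode_list():
        print(f"{u:5} {t}")
    print("UNAME TCD   (all authority checks of the transaction)")
    for u, t in effective_user_tcode_list():
        print(f"{u:5} {t}")
```

With this data the plain join lists AA and CC for FB01, while the per-object evaluation lists only AA: CC's S_TCODE and F_BKPF_GSB checks pass, but F_BKPF_BUK has no instance at all, so the posting would be refused in the system. A real implementation would also need the object list per transaction (SU24 / USOBX as Julius and Markus mention), the DELETED flag and validity dates in AGR_1251/AGR_USERS, and SAP's pattern rules for values with trailing '*'.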