
Authorization: How to find out which users use some specific transactions with some specific activities?


Dear All,

Due to internal authorization audits I have the following problem.

I need a flat list of users which have rights on specific transactions with specific activities.

Specification


List of transaction of interest (sample):

F150 Dunning Run
FB01 Post Document
FB05 Post with Clearing
FB50 G/L Acct Pstg: Single Screen Trans.
FB60 Enter Incoming Invoices
FB70 Enter Outgoing Invoices
FD32 Change Customer Credit Management
FK01 Create Vendor (Accounting)
FK02 Change Vendor (Accounting)
MB1A Goods Withdrawal
ME11 Create Purchasing Info Record
ME12 Change Purchasing Info Record
ME21N Create Purchase Order
ME22N Change Purchase Order
MEKB Conditions by Contract
MEKC Conditions by Info Record
MEKE Conditions for Vendor

List of activities (ACTVT) which the user needs:

01 Create or generate
02 Change
10 Post
76 Enter
82 Supplement
A2 Pay
A8 Process mass data
C5 Reopen
C8 Confirm change
G2 Billing

Result


The result should be a list like this:

UNAME   TCD
---------------
AA      F150
AA      FB01
BB      F150
BB      FB05
CC      ME11
CC      ME12
CC      ME21N
CC      ME22N 


The output should picture the result of the user's real authorization.
I.e. the User AA has rights on TCode F150 with one of the activities listed in activity list.

I have already worked days and hours on this problem and did not find any proper solution.

Any hints and comments are very appreciated.

By the way. I did a lot of programming and selects on tables:
AGR_1251
TACTT
AGR_USERS
USOBX
USR02
USR04

Regards,

M.

Accepted Solutions (0)

Answers (5)


Former Member
0 Kudos

Hello Markus,

You can find out the Tcodes accessed by the users under Tcode ST03N. If you don't have access to this Tcode, you can reach out to a Basis person, who can help on this.

Required steps would be:

1) Execute TCODE: ST03N

2) Click "Expert mode" button

3) Select the required date or date range for which you want data. Select the "User and Settlement Statistics" and click on the "User Profile"

4) Select "Task Type" and "DIALOG" option

5) The list of users will be displayed. Double click on the relevant user to display TCODE access by them

0 Kudos

Hi Paridhi,

Many thanks for reply.

Yes, we saw ST03N. But this transaction does analyzing on historical data, i.e. "what happens".

But we look for a tool set to find out "what could happen", based on users roles and authorizations.

Yours,

Markus

Former Member
0 Kudos

Then you really should be looking at SAP's GRC products. That's what they do. Of course you could write something custom to do the same thing, but you have already found out it isn't as simple as it appears. And each time you are audited you'll have to prove that your in-house tools work properly and can be trusted.

A GRC project is a big project, but the largest part of it isn't getting the software installed and configured - it is getting the rules agreed and then changing everyone's access to fit with the rules. You'll have that part even if you implement your own tools.

Steve.

Former Member
0 Kudos

You wasted a lot of time... **** happens if you don't search

What you are looking for is report RSUSR008_009_NEW and / or SAP GRC which contains default content as a rule set.

Cheers,

Julius

0 Kudos

Good morning Julius

Don't worry, I did not waste any time and have also already come across RSUSR008_009_NEW and S_BCE_68002111, but now on in English for our colleagues.

---

Dear Julius,

Many thanks for your hint. But I found already report RSUSR008_009_NEW and transaction S_BCE_68002111.

But unfortunately there are 2 hindering factors:

a) To set up a clean base for this analyzing tool set we need some more time and knowledge.

b) SAP itself says there are some incorrect results for roles. See http://search.sap.com/ui/notes?id=0001888266
(The problem is, at the moment we cannot / do not want to install those corrections, according to my Basis colleague.)

As far as I know about TCD S_BCE_68002111, this could/would be of great help.

Do you have or do you know some more tutorials or training material about transaction S_BCE_68002111? Any help will be appreciated.

Regards,

Markus

Former Member
0 Kudos

Yes, rsusr008_009_new is something for "gadget guys" who want to build their own sets and know what to look for. It is a labour of love but then works fine.

With GRC you get the full monty out of the box and only need to tune / mitigate rulesets to meet your needs. "Only" might however be an understatement as you can have months and months of endless meetings if you decide that the business system owners are the owners of the rulesets...  🙂

Cheers,

Julius

0 Kudos

I assume that the full monty (i.e. GRC suite/package/whatever) will not be a free goody, and not without consultants costs, right?

M.

Former Member
0 Kudos

You will have to talk to your SAP account manager about licensing SAP GRC and can use the dead possum strategy at year end if your license model is not an "eat as much as you like" variant... (little tip...)

But as Steve mentioned, it is a project and not an install shield with an "adjust automatically" button to click on.

A good design in the first place opens options to easily analyse and correct problems in scalable ways -> SU24 based authorizations with where-used references. Then you know what you are doing from a concept perspective and individual role maintenance perspective.

Perhaps you have built value based enabler roles (may the fleas of a thousand camels infest their armpits) and have lost that connection?

Cheers,

Julius

Lakshmipathi
Active Contributor
0 Kudos

You have to check in SUIM, but I don't think you would have authorisation for this transaction. Only the Security team can have authorization for this.

G. Lakshmipathi

Former Member
0 Kudos

Hi Markus,

Unfortunately there is no ready solution for the same, you will have to do it manually to get the list in expected format.

The best deal for you is to use SUIM with the same limited options and get the list in Excel, check with your ABAPer if you can input the search criteria through SAP script and output it to Excel. (Step repeat for different inputs)

The second solution is to use SAP query on AGR_USERS and AGR_1251 and get the result to Excel and modify.

Hope it helps you to achieve your target.

BR,

Mangesh

Jelena
Active Contributor
0 Kudos

I've suggested to moderators to move this to the Security forum since this seems to be not an ABAP question. The original post is a bit confusing though because having authorization and actually using it are two different things. You might want to clarify what you're looking for exactly and for what reason.

former_member239412
Discoverer
0 Kudos

Hi Marcus,

I think the SUIM transaction may fit your needs, did you try it?

Enter SUIM and on the menu path choose "User->Users by Complex Selection Criteria->Users by Complex Selection Criteria". On this screen enter "s_tcode" for "Authorization object 1", then press "Enter". Enter a tcode for value and execute. You will see the list of users who have authorization for the related tcode.

I do not have a suggestion for the activity issue but I hope this may light your way to a solution.

Regards,

Emrah.

former_member195402
Active Contributor
0 Kudos

Hi Markus,

Emrah is right, and please use the feature to combine up to three authority objects with all field value selections to get your desired output.

So you can combine authority objects S_TCODE for example with F_BKPF_BLA and F_BKPF_GSB.

Regards,

Klaus

0 Kudos

Dear Emrah,

Dear Klaus,

Many thanks for help.

For sure we know SUIM in many aspects.

But I cannot send it on the road with 50 transactions and I do not know with which authorization objects ...

Again the question:

Which users are authorized to use transaction XX with ACTVT = 01 or 02?

Yours,

Markus

former_member195402
Active Contributor
0 Kudos

Hi Markus,

you can't combine transactions and activities without checking authority objects.

In FB01 you will have several authority-checks for the same activity, for example:

    AUTHORITY-CHECK OBJECT 'F_FAGL_SEG'
      ID 'SEGMENT' FIELD LD_SEGMENT
      ID 'GLRRCTY' FIELD I_RRCTY
      ID 'ACTVT' FIELD I_ACTVT.

    AUTHORITY-CHECK OBJECT 'F_BKPF_BLA'
      ID 'ACTVT' FIELD I_ACTVT
      ID 'BRGRU' FIELD I_BEGRU.

    AUTHORITY-CHECK OBJECT 'F_BKPF_GSB'
      ID 'ACTVT' FIELD i_actvt
      ID 'GSBER' FIELD i_gsber.

    AUTHORITY-CHECK OBJECT CHAR(10)
      ID 'ACTVT' FIELD I_ACTVT
      ID 'BRGRU' FIELD I_BEGRU.

    AUTHORITY-CHECK OBJECT 'F_BKPF_KOA'
      ID 'ACTVT' FIELD I_ACTVT
      ID 'KOART' FIELD I_KOART.

    AUTHORITY-CHECK OBJECT 'F_FAGL_LDR'
      ID 'BUKRS' FIELD i_bukrs
      ID 'GLRLDNR' FIELD ld_ledger
      ID 'GLRRCTY' FIELD i_rrcty
      ID 'GLRVERS' FIELD i_rvers
      ID 'ACTVT' FIELD i_actvt.

    AUTHORITY-CHECK OBJECT f_bkpf_buk
      ID 'ACTVT' FIELD act_hinz
      ID 'BUKRS' FIELD bkpf-bukrs.

They may all be processed for tcode FB01 and activity '01'. You need to have authorities on this activity for company code, account, ledger, business area and many more.

If you have authority for activity 01 for FB01 for all business areas, but for no company code, then you still can't use FB01.

Regards,

Klaus
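
Klaus's point above, that S_TCODE plus the activity on one object does not make a transaction usable, worked through as an added example (not part of the thread and not SAP code) over constructed rows shaped like AGR_USERS and AGR_1251 exports. The role names, the `RULES` mapping of FB01 to F_BKPF_BUK and F_BKPF_GSB, and the simplification to testing only ACTVT (no organizational values, validity dates or directly assigned profiles) are assumptions.

```python
from collections import defaultdict

# Constructed sample rows shaped like exports of AGR_USERS and AGR_1251.
AGR_USERS = [("Z_FI_POST", "AA"), ("Z_FI_GSB_ONLY", "BB")]  # (AGR_NAME, UNAME)
AGR_1251 = [  # (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH)
    ("Z_FI_POST", "S_TCODE", "T1", "TCD", "FB0*", ""),
    ("Z_FI_POST", "F_BKPF_BUK", "T2", "ACTVT", "01", "03"),
    ("Z_FI_POST", "F_BKPF_BUK", "T2", "BUKRS", "1000", ""),
    ("Z_FI_POST", "F_BKPF_GSB", "T3", "ACTVT", "*", ""),
    ("Z_FI_POST", "F_BKPF_GSB", "T3", "GSBER", "*", ""),
    ("Z_FI_GSB_ONLY", "S_TCODE", "T1", "TCD", "FB01", ""),
    ("Z_FI_GSB_ONLY", "F_BKPF_BUK", "T2", "ACTVT", "03", ""),  # display only
    ("Z_FI_GSB_ONLY", "F_BKPF_BUK", "T2", "BUKRS", "*", ""),
    ("Z_FI_GSB_ONLY", "F_BKPF_GSB", "T3", "ACTVT", "01", "02"),
    ("Z_FI_GSB_ONLY", "F_BKPF_GSB", "T3", "GSBER", "*", ""),
]
# Hypothetical rule set: objects whose ACTVT must be granted per transaction.
RULES = {"FB01": ["F_BKPF_BUK", "F_BKPF_GSB"]}
# Activities from the question's list.
AUDIT_ACTVT = {"01", "02", "10", "76", "82", "A2", "A8", "C5", "C8", "G2"}

def matches(low, high, value):
    """Value test: LOW-HIGH range, '*' or trailing-* pattern, or exact value."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value

def grants(rows, obj, field, values):
    """True if any row for obj/field covers at least one of the values."""
    return any(o == obj and f == field and any(matches(lo, hi, v) for v in values)
               for (_, o, _, f, lo, hi) in rows)

def user_rows():
    """Flatten role assignments into authorization rows per user."""
    by_user = defaultdict(list)
    for role, uname in AGR_USERS:
        by_user[uname] += [r for r in AGR_1251 if r[0] == role]
    return by_user

def flat_list(strict=True):
    """(UNAME, TCD) pairs; strict requires ACTVT on every object in RULES."""
    test = all if strict else any
    return [(u, t) for u, rows in sorted(user_rows().items())
            for t, objs in sorted(RULES.items())
            if grants(rows, "S_TCODE", "TCD", [t])
            and test(grants(rows, o, "ACTVT", AUDIT_ACTVT) for o in objs)]
```

With `strict=False` (S_TCODE plus the activity on any one object) user BB is reported for FB01; with `strict=True` only AA remains, because BB holds just display activity on the company code object.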