
Authorization: How to find out which users use some specific transactions with some specific activities?


Dear All,

Due to internal authorization audits I have the following problem.

I need a flat list of users who have rights on specific transactions with specific activities.

Specification


List of transaction of interest (sample):

F150 Dunning Run
FB01 Post Document
FB05 Post with Clearing
FB50 G/L Acct Pstg: Single Screen Trans.
FB60 Enter Incoming Invoices
FB70 Enter Outgoing Invoices
FD32 Change Customer Credit Management
FK01 Create Vendor (Accounting)
FK02 Change Vendor (Accounting)
MB1A Goods Withdrawal
ME11 Create Purchasing Info Record
ME12 Change Purchasing Info Record
ME21N Create Purchase Order
ME22N Change Purchase Order
MEKB Conditions by Contract
MEKC Conditions by Info Record
MEKE Conditions for Vendor

List of activities (ACTVT) which the user needs:

01 Create or generate
02 Change
10 Post
76 Enter
82 Supplement
A2 Pay
A8 Process mass data
C5 Reopen
C8 Confirm change
G2 Billing

Result


The result should be a list like this:

UNAME TCD
---------------
AA F150
AA FB01
BB F150
BB FB05
CC ME11
CC ME12
CC ME21N
CC ME22N


The output should picture the result of the users' real authorization.
I.e. the user AA has rights on TCode F150 with one of the activities listed in the activity list.

I have already worked for days and hours on this problem and did not find any proper solution.

Any hints and comments are very appreciated.

By the way, I did a lot of programming and selects on the tables:
AGR_1251
TACTT
AGR_USERS
USOBX
USR02
USR04

Regards,

M.


5 Answers

    Former Member
    May 19, 2014 at 08:31 PM

    You wasted a lot of time... **** happens if you don't search 😉

    What you are looking for is report RSUSR008_009_NEW and / or SAP GRC which contains default content as a rule set.

    Cheers,

    Julius


    • Former Member Markus Wilhelm

      You will have to talk to your SAP account manager about licensing SAP GRC and can use the dead possum strategy at year end if your license model is not an "eat as much as you like" variant... (little tip...)

      But as Steve mentioned, it is a project and not an install shield with an "adjust automatically" button to click on.

      A good design in the first place opens options to easily analyse and correct problems in scalable ways -> SU24 based authorizations with where-used references. Then you know what you are doing from a concept perspective and an individual role maintenance perspective.

      Perhaps you have built value based enabler roles (may the fleas of a thousand camels infest their armpits) and have lost that connection?

      Cheers,

      Julius

    Former Member
    May 20, 2014 at 10:29 AM

    Hello Markus,

    You can find out the Tcodes accessed by the users under Tcode ST03N. If you don't have access to this Tcode, you can reach out to the Basis person, who can help with this.

    Required steps would be:

    1) Execute TCODE: ST03N

    2) Click the "Expert mode" button

    3) Select the required date or date range for which you want data. Select the "User and Settlement Statistics" and click on the "User Profile"

    4) Select "Task Type" and "DIALOG" option

    5) The list of users will be displayed. Double click on the relevant user to display TCODE access by them


    • Then you really should be looking at SAP's GRC products. That's what they do. Of course you could write something custom to do the same thing, but you have already found out it isn't as simple as it appears. And each time you are audited you'll have to prove that your in-house tools work properly and can be trusted.

      A GRC project is a big project, but the largest part of it isn't getting the software installed and configured - it is getting the rules agreed and then changing everyone's access to fit with the rules. You'll have that part even if you implement your own tools.

      Steve.

  • May 16, 2014 at 07:41 AM

    Hi Marcus,

    I think the SUIM transaction may fit your needs, did you try it?

    Enter SUIM and on the menu path choose "User->Users by Complex Selection Criteria->Users by Complex Selection Criteria". On this screen enter "S_TCODE" for "Authorization object 1", then press "Enter". Enter a tcode for the value and execute. You will see the list of users who have authorization for the related tcode.

    I don't have a suggestion for the activity issue, but I hope this may light your way to a solution.

    Regards,

    Emrah.


    • Hi Markus,

      You can't combine transactions and activities without checking authority objects.

      In FB01 you will have several authority-checks for the same activity, for example:

      " Segment authorization for the new G/L
      AUTHORITY-CHECK OBJECT 'F_FAGL_SEG'
        ID 'SEGMENT' FIELD LD_SEGMENT
        ID 'GLRRCTY' FIELD I_RRCTY
        ID 'ACTVT'   FIELD I_ACTVT.

      " Authorization group on the document header
      AUTHORITY-CHECK OBJECT 'F_BKPF_BLA'
        ID 'ACTVT' FIELD I_ACTVT
        ID 'BRGRU' FIELD I_BEGRU.

      " Business area
      AUTHORITY-CHECK OBJECT 'F_BKPF_GSB'
        ID 'ACTVT' FIELD i_actvt
        ID 'GSBER' FIELD i_gsber.

      " Object name not shown in the post
      AUTHORITY-CHECK OBJECT CHAR(10)
        ID 'ACTVT' FIELD I_ACTVT
        ID 'BRGRU' FIELD I_BEGRU.

      " Account type
      AUTHORITY-CHECK OBJECT 'F_BKPF_KOA'
        ID 'ACTVT' FIELD I_ACTVT
        ID 'KOART' FIELD I_KOART.

      " Ledger
      AUTHORITY-CHECK OBJECT 'F_FAGL_LDR'
        ID 'BUKRS'   FIELD i_bukrs
        ID 'GLRLDNR' FIELD ld_ledger
        ID 'GLRRCTY' FIELD i_rrcty
        ID 'GLRVERS' FIELD i_rvers
        ID 'ACTVT'   FIELD i_actvt.

      " Company code; the object name is a literal, so it must be quoted
      AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
        ID 'ACTVT' FIELD act_hinz
        ID 'BUKRS' FIELD bkpf-bukrs.

      They may all be processed for tcode FB01 and activity '01'. You need to have authorities on this activity for company code, account, ledger, business area and many more.

      If you have authority for activity 01 for FB01 for all business areas, but for no company code, then you still can't use FB01.

      Regards,

      Klaus

  • May 16, 2014 at 07:01 PM

    I've suggested to moderators to move this to the Security forum since this seems to be not an ABAP question. The original post is a bit confusing though because having authorization and actually using it are two different things. You might want to clarify what you're looking for exactly and for what reason.


  • May 17, 2014 at 06:09 AM

    You have to check in SUIM, but I don't think you would be having authorisation to this transaction. Only the Security team can have authorization to this 😉

    G. Lakshmipathi


    • Former Member

      Hi Markus,

      Unfortunately there is no ready solution for this; you will have to do it manually to get the list in the expected format.

      The best deal for you is to use SUIM with the same limited options and get the list in Excel; check with your ABAPer if you can input the search criteria through SAP script and output it to Excel. (Repeat the step for different inputs)

      The second solution is to use SAP Query on AGR_USERS and AGR_1251, get the result into Excel and modify it.

      Hope it helps you to achieve your target.

      BR,

      Mangesh
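As an added example (not code from the thread, from SAP, or from any poster) of the SAP Query approach Mangesh suggests, combined with Klaus's point that S_TCODE alone says nothing about the activity: the AGR_USERS and AGR_1251 rows, the role names and the users are constructed, and TCODE_OBJECTS is an assumed stand-in for the per-transaction SU24 object list, of which only FB01 -> F_BKPF_BUK is taken from Klaus's list.

```python
from fnmatch import fnmatchcase
# AGR_USERS (AGR_NAME, UNAME): role-to-user assignment. Constructed sample rows.
AGR_USERS = [("Z_FI_POST", "AA"), ("Z_FI_DUNN", "AA"),
             ("Z_FI_DUNN", "BB"), ("Z_FI_VIEW", "CC")]

# AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH): field values per role.
# Constructed. HIGH == "" means a single value or '*' pattern, else a range.
AGR_1251 = [
    ("Z_FI_POST", "S_TCODE",    "TCD",   "FB*",  ""),
    ("Z_FI_POST", "F_BKPF_BUK", "ACTVT", "01",   "02"),
    ("Z_FI_POST", "F_BKPF_BUK", "BUKRS", "1000", ""),
    ("Z_FI_DUNN", "S_TCODE",    "TCD",   "F150", ""),
    ("Z_FI_VIEW", "S_TCODE",    "TCD",   "FB01", ""),
    ("Z_FI_VIEW", "F_BKPF_BUK", "ACTVT", "03",   ""),  # display only
]

# Assumed stand-in for the SU24 list of ACTVT-carrying objects each tcode
# checks. Only FB01 -> F_BKPF_BUK is taken from Klaus's list; a real run
# needs the complete mapping for every transaction of interest.
TCODE_OBJECTS = {"FB01": ["F_BKPF_BUK"]}

def field_matches(value, low, high):
    """PFCG value semantics (simplified): range if HIGH set, else value or '*'."""
    return low <= value <= high if high else fnmatchcase(value, low)

def roles_of(uname):
    return {role for role, user in AGR_USERS if user == uname}

def granted(roles, obj, field, value):
    """The user buffer is a union: any of the user's roles may supply the value."""
    return any(r in roles and o == obj and f == field and field_matches(value, lo, hi)
               for r, o, f, lo, hi in AGR_1251)

def users_with_tcode_activity(tcodes, activities):
    """(UNAME, TCD, note) rows: user may start TCD and holds a wanted ACTVT on
    every object TCD checks; tcodes absent from TCODE_OBJECTS are flagged."""
    rows = []
    for uname in sorted({user for _, user in AGR_USERS}):
        roles = roles_of(uname)
        for tcd in tcodes:
            if not granted(roles, "S_TCODE", "TCD", tcd):
                continue
            objs = TCODE_OBJECTS.get(tcd)
            if objs is None:
                rows.append((uname, tcd, "S_TCODE only; ACTVT not checked"))
            elif all(any(granted(roles, o, "ACTVT", a) for a in activities)
                     for o in objs):
                rows.append((uname, tcd, "ACTVT verified"))
    return rows
```

Called as users_with_tcode_activity(["F150", "FB01", "FB05"], ["01", "02", "10"]) on the constructed rows, AA and BB come back for F150 flagged as unchecked, AA comes back for FB01 verified, and CC is dropped because its role grants only ACTVT 03 on F_BKPF_BUK.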