Skip to Content
avatar image
Former Member

To Find Users with critical authorization

Hello Gurus,

I am trying to retrieve users with critical authorization from SUIM transaction. The System is SAP R/3 4.6B.

For eg. To find Users with access to transaction SU01. Here is the search criteria: Based on Auth objects S_USER_AUT and S_USER_PRO with activity 01 or 02, the roles were extracted. Then Users assigned to that role are found.

Similarly, To find users with access to transaction SCC4.

Object Retrieved through S_TCODE with SCC4 and S_TABU_CLI with 'X' and S_TABU_DIS with activity 01 or 02 ,group 'ss'.

To find users with access to migrate transport to Production:

S_TRansport with 01 or 02 and 60 or 05

Is this the right way or what other search criteria i could use? Please help. It is kind of urgent.

Any help will be appreciated with Points.

Thanks.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • avatar image
    Former Member
    Oct 18, 2006 at 03:45 PM

    Some comments which might help:

    1) Be carefull In 46B... the SUIM reports have many errors. Make sure you have the various SAP notes installed (at least those for which 46B is still supported) otherwise chances are good that you will get a nonsense result for your search.

    2) Do not include S_TCODE (e.g. = SU01 or SCC4) in the search for critical authorizations. If something is critical, you should not care how the user gets there.

    3) For user / authorization management check also object S_USER_GRP and how-to-remove-the-tcode-su01-from-sap-menu-for-a-r for more objects and activities.

    For client maintenance you might also want to check whether table T000 actually has the authorization group 'SS' (table TDDAT field CLASS). Do not include SCC4 in the search.

    For the transport management system, S_TRANSPRT is a good start. There are also more critical things here than just the user authorizations to create / release / import transports.

    If you want to check up on objects and what the various fields and activities are documented to do, I recommend transaction SU21.

    Good luck!

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Oct 18, 2006 at 07:04 PM

    from se38 use report RSUSR008

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Sorry to disagree with you Siva, but rsusr008 is about as usefull as a thermometer to find critical authorizations in SAP.

      At release 46B, it is about as usefull as a thermometer filled with glue instead of mercury.

      Forget about transaction codes when evaluating authorizations required for functionality which you consider to be critical.

  • avatar image
    Former Member
    Dec 19, 2006 at 03:36 PM

    Completed task with help/comments from post

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Dec 20, 2006 at 07:17 AM

    Hi,

    my suggestion is that go from bottom up approach.

    1)first list out the critical Auth Objects which are critical to your scenario(for eg S_TABU_DIS, S_DEVELOP,S_PROGRAM, S_ADMI_FCD, S_TRNSPRT, S_CTS_ADMI to name a few)

    2) Then see who has the ACTVT field 01,02, 06 which might be risky, you might need to consider 03 for S_TABU_DIS also critical when it refers to HR tables.

    3) then find the tcodes in the roles associated to that role which might use this access at Auth Obj.

    4) And finally always depend on direct table data (SE16) for analysis rather than SUIM which might be error prone.

    The tables which you can look for are AGR_1251 for getting critical Auth Objects and then the tcodes if you search with S_TCODE Auth Obj.

    The above could be a way of doing it not necessary that this should be the only way, if you have other options which might give you results with significant level of accuracy and reliability then u can afford them too.

    Regards,

    Manohar

    Add comment
    10|10000 characters needed characters exceeded