01-29-2008 5:44 PM
hi, i am new in sap security so i am very confused with object relation with tcodes. like when we give su01 tcode in pfcg then in profile generator we hav to give activities for that role like for su01 in which object we will hav to give activities like create,change, delete, display for that role only? how can we find out which object reflects that particular tcode?
like another example in se38 if i want to restrict a user for change option and allow only display option then in profile generator how can i find out under which object activity does it works?
like i tell earlier im new in this field so please help me out from this confusion.
Thanks
Jimmy Batra
01-29-2008 5:59 PM
To find objects for a particular tcode
Go to SE16/SE16N-->Type USOBT_C--> Type in tcode and execute, you will get all auth objects associated with it.
Edited by: SG on Jan 29, 2008 7:02 PM
01-29-2008 6:37 PM
Hi Jimmy,
Your last post (which you closed) gave you the info on how to do this. Why create another post for it?
01-30-2008 2:13 AM
hi alex,
i didnt get the perfect picture about how to identify the object name which makes actual effect like for example in pfcg when i give tcode su01 then in profile generator it generates 5 objects like (s_user_agr, s_user_aut,s_user_grp,s_user_pro,s_user_sas) right. then if i want to restrict that role to access change activity then in which object i hav to maintain this activity or i hav to maintain this thing in all objects related to it, thats my main problem which i want to ask!
thanks
jimmy.
01-30-2008 2:36 AM
01-30-2008 3:02 AM
thanks for reply Pinkle, but my ques is from where we identify that particular object we hav to modify like in su01 we hav to maintain s_user_agr object.
01-30-2008 3:24 AM
Sorry I misunderstood your question.
But there is no easy way to find the authorization object used for particular transaction unless you debug the program.
Generally it is mention in the documentation of that particular functionality.
For example if you want to find out the authorization objects checked in pfcg then you need to go through the following document http://help.sap.com/saphelp_nw70/helpdata/en/ce/17533e5ff4d064e10000000a114084/frameset.htm and set the activity based on your requirement.
Same for function transactions, either you need to find the related document or need to consult the functional consultant to get the required value for that particular object.
Hope this will help.
-Pinkle
01-30-2008 4:27 AM
yes, Pinkle this helps me a lot, thanks a lot
can u tell me the perfect way to search documentation regarding particular tcode?
01-30-2008 4:50 AM
Hi Jimmy,
Please note that not all transaction code has authorization object documented.
If I were in your place then I just put the tcode in pfcg and ask function team for relevant values.
-Pinkle
01-30-2008 4:58 AM
oh ok, you mean in profile generator we have to ask related functional person about objects name and activities they want to give on those objects. right?
01-30-2008 5:03 AM
01-30-2008 5:09 AM
01-30-2008 6:42 AM
Mostly the functional consultants will not know the technical names of objects and values, they can only decribe it from a functional point of vue. To translate the functional request in a technical role is the main task of a security consultant. If you do not know how ther are 3 options:
1 read the ABAP code and find the objects/values needed.
2 trace the process (ST01).
3 create test user with first isseu of role assigned and test this (adding all objects and values until it works as requested)
After you have found the right object do not forget to add them via SU24. More info can be found in SAP Security Calss room training and or authorisation made easy book (amazon.com)
Welcome to the world of SAP Security consulting!
01-30-2008 5:08 PM
hi Auke, thanks for reply.
can u give me an example of this process which u listed above like how we can read abap prog of a T-code, n how to identify that object in trace analysis. just one example if possible.
Thanks
Jimmy