Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

find authorization object value for user

Former Member
0 Kudos

Hello Friends,

Do you know of any Function module or transaction that tells if a particular user has authorization to a given authorization object?

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Please Try table TOBJ - you can see User id & Auth Objects. hope this helps you

24 REPLIES 24

Former Member
0 Kudos

SU53 will tell you if an authorization check has failed for a user... also which values exist in the user's role for the failed object (if any).

Other than that, report RSUSR002 (reachable via transaction SUIM) is a good candidate.

0 Kudos

Hi,

i want to know that how many unique objects are assign to particular user along with field value in that object. It is for to find out the exccess authorization assign to that user with values.

0 Kudos

Take a look at report RSUSR008_009_NEW.

Other options are the GRC products.

Cheers,

Julius

0 Kudos

Hi,

i dont have GRC or any other tool. i wanted to do it from sap level or from any ABAP program

0 Kudos

The first report I mentioned is an ABAP report tool included in the standard system.

Cheers,

Julius

0 Kudos

it is not working in my SAP system(4.6 B) and RSUSR008 is for to check transaction combination critical for security

0 Kudos

Like Trond pointed out - use transaction S_BCE_68001397.

You can access it from transaction (actually a menu) SUIM.

Navigation path under SUIM:

/User/Users by Complex Selection Criteria/By Authorization Values

This will let You enter the authorization object and specify authorization values for the object (if you want to).

Another candidate is S_BCE_68001396. The navigation path is the same, the selection is simplified to auth. object only.

Both transactions are just different variants of the same program - RSUSR002.

(Learn SUIM, it's any user admin's bestest friend.)

If you don't mind, could you please explain what are You going to use this information for? It would be a shame if you'd misinterpret the results you get from either transaction.

0 Kudos

>

> it is not working in my SAP system(4.6 B) and RSUSR008 is for to check transaction combination critical for security

You could have mentioned that earlier...

0 Kudos

Sorry i didnt mentioned it earlier and thanks for your reply

0 Kudos

I don't know which SP level you are on for your 46B system, but there were a number of bugs in the SUIM area which have since been solved.

Good luck,

Julius

0 Kudos

Juluius !

Just---I am simply spellound by the wealth of info you possess ..and how easliy you pull it out for the benefit of other mortals ! I hope you would not delete this post as somthing thats not realted to this question !!

0 Kudos

Hi Martinsh,

thanks for your reply. I am doing internal audit for our SAP system. for that i wanted to take out report of exccess authorization.It is for every users at assign object level with allowed activity values and then wants to compare it with permitted values(SOD). Generally all this activity is done by some tools (approvan, BIZview etc) available in market.

Regards

Koushal

0 Kudos

The catch word here is 'Excess Authorization" its for you to tell what ' excess authorization " is for your organization.

May be SAP_ALL woudl be a good stratign point

0 Kudos

Not sure if this is what you wanted, but I would agree with George here: You need to get a minimum baseline in place for the various types of users, before you start analyzing their SoDs - otherwise you will just break your head trying to work at it.

On 46B (out of support) you might only need only to work on it to get that right, but you can still do a decent job of it if you get the baseline right first

Cheers,

Julius

Former Member
0 Kudos

Please Try table TOBJ - you can see User id & Auth Objects. hope this helps you

0 Kudos

>

> Please Try table TOBJ - you can see User id & Auth Objects. hope this helps you

???

0 Kudos

Dear friends thanks for your valuable reply

table TOBJ only gives authorizaion object in SAP level, it will not give object assign to user and values.

by the help of SU56 Tcode we can find authorization object assign to user with values but it is not in consolidate form. to get into consolidate form we wil need to create ABAP program.

Regards

Koushal

0 Kudos

> by the help of SU56 Tcode we can find authorization object assign to user with values but it is not in consolidate form. to get into consolidate form we wil need to create ABAP program.

You can also have a look at SAPquery and/or the quickviewer SQVI. If your user comparison is up to date a join on tables AGR_USERS and AGR_1521 may help you get the information you want.

0 Kudos

AGR_USERS only give roles assign to user or vice versa that can also be find from complex selection in SUIM

0 Kudos

> AGR_USERS only give roles assign to user or vice versa

Yes, and if you join that table with AGR_1251 on AGR_NAME you will find the objects per role and their field values (non-organizational).

> by the help of SU56 Tcode we can find authorization object assign to user with values but it is not in consolidate form. to get into consolidate form we wil need to create ABAP program.

I think you will meet some challenges when trying to do this...

Keep us posted on the progress please.

Cheers,

Julius

Former Member
0 Kudos

Can anybody please guide me how to create a report :-I need to find the users who have access to various critical transactions(around 40 critical transactions).Right now i go to suim>users by complex selection criteria>type the autho objects>type the field activity(since i do not want users who have display only access)>and execute.i want to create such a report for 40 critical transactions so that i can run it each month.my abaper has some technical issues with this.somebody plzzz help!!

really appreciate your help on this!

0 Kudos

Hi Garima,

i am giving you one example how you can check for critical TCODE.

SAP R/3 restricts to authorized personnel the ability to directly modify tables.

For sample Client - Dependent Tables:

Execute T-code <<SUIM>> -

Select User - Select Users by Complex Selection Criteria

Again, Select Users by Complex Selection Criteria.

Perform the following Authorization Object checks:

Key in Authorization object 1 as <<S_TCODE>>, click Entry Value, key in Tcode value as <<SM30>>, key in Authorization object 2 as <<S_TABU_DIS>>, click Entry Value, key-in 'Activity' value as <<02>> and 'Authorization Group' value as <<*>> (for all/ any).

Press F8 (Execute).

Replace 'Authorization Group' value <<*>> with <<SS>> and/ <<SC>> with all details remaining the same.

Repeat the above step by replacing <<SM30>> with <<SM31>> with all details remaining the same.

Regards,

koushal Solanki

0 Kudos

You don't need an ABAPer for this. Take a look at the report I have mentioned above (RSUSR009 and in later releases RSUSR008_009_NEW). You can create your own critical rules there and check them.

Cheers,

Julius