01-05-2009 7:03 PM
Hi Friends
I am not sure if you have come across this issue. When I make some changes in CUA regarding a user, in the field "Last changed by" field below the user, it does not show my name after i save it.
When i come out from SU01 and login back and check the user, still " Last changed by" does not show my name even if I was the last person who modified the user. It shows some other persons name. Don't know if there is some kind of a lock which needs to be resetted?
Any ideas?
01-05-2009 7:23 PM
Is this in the CUA master or a child system. The CUA change records in a child system will be under the name of the system user which processed the IDOC
01-05-2009 9:56 PM
> Is this in the CUA master or a child system. The CUA change records in a child system will be under the name of the system user which processed the IDOC
In addition to this, role assignments for child systems are appearently not considered to be changes to the user in the master system. Puzzled me too in the beginning,.....
01-06-2009 10:45 AM
01-10-2009 4:09 AM
If you use trusted RFC connections and select "Current User" for authentication the change will show your ID or that of the person who made the change. We had initially set up our CUA landscapes without the trusted connections. Therefore when we were looking for who made a change we would find CUA_S31_100 for the user making the change.
Now that we have switched to trusted connections, it will show for example E0066332 the user ID of the current user. For this to work properly the user must have the *_TRUSTED_RFC role assigned to them.
Hope this helps
Todd
01-11-2009 2:57 AM
Hi Todd
This is an interesting approach - auditors do have issues with this annoying audit gap in CUA.
I have known some companies to disconnect the production system from CUA for this very reason.
But I don't think this is fool proof solution because it will only work only if the user has your *_trusted_rfc role.
For this to work properly the user must have the *_TRUSTED_RFC role assigned to them.
So there is still a risk that changes will not be captured if someone makes an incorrect role assignment or if some idocs fail to go through.
Regards
Charmaine
01-11-2009 11:13 AM
> or if some idocs fail to go through.
And that brings along the problem that all changes in the children get the changed-by-name of the person who (re-)distributes the idocs rather than the one actually making the changes.........
01-11-2009 7:42 PM
Hi Charmaine-
Yes you are correct that it requires the user to have our *_TRUSTED_RFC role. However ensuring the appropriate personnel have this role assigned was part of my security design so it was included.
It isn't foolproof, it isn't the best way but at least for our implementation it is one of our tools to satisfy our auditors. Now, if I could get the CRMD_UI_ROLE_ASSIGN job to run on my child systems when CUA is connected I would be happy.
Todd
01-11-2009 7:46 PM
Jurjen-
If I make a change via CUA, say creating a user, the iDOC is sent out and viewable via SCUL. Therefore the iDOC for the change is tied to who made the change. Otherwise I could log into CUA and make a change and then distribute those iDOCS under another user's login ID. That to me would pose a serious security flaw and risk as change docs, audit logs and such would be totally inaccurate. So I have to disagree and say the user who makes the change will be reflected in the iDOCS.
Todd
01-11-2009 8:33 PM
> So I have to disagree and say the user who makes the change will be reflected in the iDOCS.
I was referring to SAP note 898213 which states:
However, it can sometimes happen that:
- You need to temporarily switch to background mode
- another administrator starts the distribution again by using Transaction SCUL without actually changing the data
- the tRFC queue overflows and the IDocs are therefore transferred by background job
- IDocs in the child system are not updated in the original sequence
In these cases, the user specifications are incorrect in the change
documents.
01-11-2009 10:27 PM
Hi Todd
And that brings along the problem that all changes in the children get the changed-by-name of the person who (re-)distributes the idocs rather than the one actually making the changes.........
I think what Jurjen means is that if idocs fail, any user can go into BD87 subject to authorisation of course, and push the failed idocs through to the child systems - the changed by field would show the user id of the user who pushed the idocs through and not the user id of the user who made the change in the first instance.
Regards
Charmaine
01-11-2009 10:39 PM
Hi Todd
However ensuring the appropriate personnel have this role assigned was part of my security design so it was included.
I would have assumed that you would have assigned this role to all users and not just to a subset. Does it really make sense tracking role changes for a selected group of users?
Charmaine
01-11-2009 11:34 PM
Two points:
Jurjen, I stand corrected - you make a good point and you are correct. I had a situation where management was looking for the cause of a change in the system which caused significant problems. The person listed as initiating the change was not the person who made it, but the person who manually distributed users via SCUL/Systems. So, he was listed as the person responsible but it had been another user who had changed the authorizations.
Charmaine, the Security and Basis teams received *_TRUSTED_RFC.
Regards,
Todd
01-11-2009 11:50 PM
> ... the Security and Basis teams received *_TRUSTED_RFC.
That still does not say much about the user context, necessarily.
Which values do you have for S_RFCACL fields?
Cheers,
Julius
01-12-2009 1:29 AM
Sorry Julius, let me skip your question before I forget my thought here. Would it be possible to use either SE16N_CD_DATA or SE16N_CD_KEY report to view the exact table change for the user who performed the action through CUA? If possible would that bypass the person who distributed the IDOC and reflect the initial table change?
Just a thought.....
01-12-2009 1:33 AM
Ok Julius here are the settings:
RFC_SYSID: SM1
RFC_CLIENT: 070
RFC_USER: E00*
RFC_EQUSER: N
RFC_TCODE: *
RFC_INFO: *
ACTVT: 16
01-12-2009 7:18 AM
Using SE16N change docs: Those documents are only written when a special editing mode is used which is the equivalent to debugging system programs in change mode. The same user to be able to make the change, would be able to hobble your entire application security concept completely.
=> not a good idea.
Using Trusted RFC: This can be a good approach, but you need to be carefull. Field ID "RFC_EQUSER is dangerous, because the users can logon as each other (or the system will do it for them). Using remote programmatic logons in other user's contexts to get change documents to reflect what appears to be the correct name in a target system is in my opinion not a good design. Much too complicated and error prone. Also, the tcode is not restricted and the name suggests a SolMan system, so there is probably much more than just CUA available to remotely pretend to be or accidentally be someone else's ID. Personally, I would rather accept the change logs in the SYSTEM user's name, and want to control the security and change logs in the source system.
=> What is "RFC_EQUSER: N" needed for the "E00*" users?
Cheers,
Julius
Edited by: Julius Bussche on Jan 12, 2009 8:18 AM
01-11-2009 12:21 AM
we can see immediate change in the "last changed by" was when we change the password for any user in CUA master system and for the master system