SUIM results are confusing

Former Member
0 Kudos

Hello Experts,

I don't have much knowledge on security, looking forward to clarify my doubt from your experiences.

We are checking some users based on authorisation values (combination of two authorisation objects and corresponding values).

1. SUIM -> Where UsedList -> In Users -> Authorisation Object (S_TCODE) with Transaction Code (SU01) --> gives us a list of 62 user IDs.

2. SUIM -> Where UsedList -> In Users -> Authorisation Object (S_USER_PRO) with Activity (value 22) --> gives us a list of 52 user IDs.

3. SUIM -> Where UsedList -> In Users -> Authorisation Object (S_TCODE) with Transaction Code (SU01) AND Authorisation Object (S_USER_PRO) with Activity (value 22) --> gives us a list of 82 user IDs.

So there are around 20 such users reported which were not listed in either of Step 1 or 2.

Results of step 3 are confusing, we are using AND with two authorisation objects, so result should be only those users which are available in both authorisation objects, it should be 52 only (common users in both authorisation objects).

What does AND do when used with more than 1 authorisation objects?

I hope I am able to explain my question, and would really appreciate if you can throw a light on this.

Thanks

Davinder

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Which release and support pack level are you on?

Some of the reports in SUIM have been recurringly bugged by logical errors and plagued by complex changes in the tables which the system uses and some potential inconsistencies in them.

If in doubt, use RSUSR002 and do a double check of some samples (or sums of users) against the tables (already indicated above).

Cheers,

Julius
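The double check of user sums suggested in this answer can be scripted outside SAP. The following is an added example, not part of the original thread and not SAP code: it assumes the three SUIM result lists were exported as pipe-delimited text with a `User` header (an assumed layout), and the function names and sample user IDs are constructed.

```python
# Added example: consistency check for SUIM "AND" selections on exported lists.
# Export layout, function names and user IDs are assumptions / constructed.

HEADER_WORDS = {"USER", "USER NAME"}  # assumed header text of the export


def parse_users(export: str) -> set:
    """Return the user IDs found in the first column of an exported list."""
    users = set()
    for raw in export.splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        first = cells[0].upper()
        if not first or set(first) <= set("-=+"):  # blank or ruler line
            continue
        if first in HEADER_WORDS:
            continue
        users.add(first)
    return users


def count_plausible(n_a: int, n_b: int, n_and: int) -> bool:
    """An AND of two criteria can never return more users than either alone."""
    return n_and <= min(n_a, n_b)


def check_and_result(list_a: str, list_b: str, list_and: str) -> dict:
    """Compare the AND result with the intersection of the single-object lists."""
    a, b, both = parse_users(list_a), parse_users(list_b), parse_users(list_and)
    expected = a & b
    return {
        "unexpected": sorted(both - expected),   # reported, but not in both lists
        "in_neither": sorted(both - (a | b)),    # reported, but in no single list
        "missing": sorted(expected - both),      # in both lists, but not reported
        "consistent": both == expected,
    }


# Constructed sample exports (not data from the thread).
STEP1_S_TCODE = "|User  |\n|------|\n|ALICE |\n|BOB   |\n|CAROL |\n|DAVE  |"
STEP2_S_USER_PRO = "|User  |\n|------|\n|bob   |\n|CAROL |\n|ERIN  |"
STEP3_AND = "|User  |\n|------|\n|BOB   |\n|CAROL |\n|DAVE  |\n|FRANK |"

if __name__ == "__main__":
    print(count_plausible(62, 52, 82))  # counts from the question
    print(check_and_result(STEP1_S_TCODE, STEP2_S_USER_PRO, STEP3_AND))
```

Any user in `in_neither` matches the anomaly described in the question and is a good sample to check against the tables by hand.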

11 REPLIES 11

Former Member
0 Kudos

one simple step to be sure:

1)First pull all the roles where these Objects are used

2)Pull out users assigned to these roles

you will get the exact list

Former Member
0 Kudos

Which release and support pack level are you on?

Some of the reports in SUIM have been recurringly bugged by logical errors and plagued by complex changes in the tables which the system uses and some potential inconsistencies in them.

If in doubt, use RSUSR002 and do a double check of some samples (or sums of users) against the tables (already indicated above).

Cheers,

Julius

0 Kudos

Hello Julius,

Appreciate your response.

We are on ECC6.0 EHP3 and Basis SP level is 17.

Would appreciate if you can give more details on which all tables are being checked for such kind of SUIM reports, what kind of queries would be generated at database level.

Any pointers on SAP documents/notes would be highly appreciated...

Thanks

Davinder

0 Kudos

> We are on ECC6.0 EHP3 and Basis SP level is 17.

Wow! I was expecting 46C

You can check SAP Notes for a new Support Pack, but perhaps the problem is also from earlier client application data. How old is the system and the data in the client?

If you have a reliable test system with the same client data, and can observe the same differences there... then try running function module SUSR_SYNC_USER_TABLES with the TABLE_TYPE parameter = 'X' to clear inconsistencies between the USR and UST tables. There is also a report, but I cannot remember its name. Do a where-used-lookup on the function. Something like XPRA...

Another possibility is the difference between the Transaction Code selection parameter in the reports and the Object = S_TCODE with TCD value. The former relates to the menu. The latter relates to the real authority.

Cheers,

Julius

0 Kudos

> We are on ECC6.0 EHP3 and Basis SP level is 17.

Hi D P,

please implement the following SAP notes, which handle the issues with 'AND' selections:

1244598

(the note text...result list is not complete.... shall be understood as 'too many or less hits')

Also advisable to avoid further surprises:

1273992

1296766

1259329

b.rgds, Bernhard

0 Kudos

Thanks Bernhard,

As we are on Basis SP17, we need to apply corrections mentioned in Note 1244598.

But when we do this with SNOTE, it prompts with following message and waiting for the user input.

"Choose Main Program for MS01CW10"

And here is list of programs which have been displayed.

RSUSR002

RSUSR008_009_NEW

RSUSR020

RSUSR030

RSUSR070

SAPLSUPS

SAPLSUSD

So which program do I need to choose, and continue?

Thanks

Davinder

0 Kudos

it's RSUSR002 you need to select and proceed.

0 Kudos

Thanks, I have selected RSUSR002 and everything seems to be working fine now.

Now if I run SUIM with AND criteria, it gives me a list of users which are available in both the authorization objects -> acceptable by auditors

Thanks to all of you for your valuable time and sharing experiences...

But there might be few more inconsistencies, which we haven't observed till now.

Our system was upgraded from 4.6C to ECC6.0 (non unicode).

As pointed by Julius -->

**********************************************************************************************************************

perhaps the problem is also from earlier client application data. How old is the system and the data in the client?

If you have a reliable test system with the same client data, and can observe the same differences there... then try running function module SUSR_SYNC_USER_TABLES with the TABLE_TYPE parameter = 'X' to clear inconsistencies between the USR and UST tables. There is also a report, but I cannot remember its name. Do a where-used-lookup on the function. Something like XPRA...

**********************************************************************************************************************

Can you please inform how we can find out the data inconsistencies between USR and UST tables?

Thanks

Davinder

0 Kudos

Try this in a test client AND system first to see whether you have historical inconsistencies => report RSAUTHXPRA.

Cheers,

Julius

Edited by: Julius Bussche on Apr 3, 2009 1:23 AM

0 Kudos

> So which program do I need to choose, and continue?

SNOTE will pester you for stuff like this, particularly if you have more than 1 SP level between your current level and the note related level.

Probably SAPLSUSD is the correct one, but what about the others?

It makes sense to patch regularly and remain one level below the current release (let the others do the debugging... and then keep an eye on the related and subsequent notes for "gotchas").

In this case, affecting multiple programs of SUIM, applying an SP instead of a note should be considered as well as the corrections will be consistent and less manual corrections are required.

Side comment: I have worked with HR systems who for customizing (legal related) reasons have to apply SP's. They get used to it and develop processes for it and respect things which should be avoided to make SP's and upgrades less complicated.

My 2 cents,

Julius

Former Member
0 Kudos

Hi,

Try to follow the below path in SUIM

Users by Complex Selection Criteria -- > Users by Complex Selection Criteria --> enter transaction SU01

or

Users by Complex Selection Criteria -- > Users by Complex Selection Criteria --> enter corresponding authorization object and search

If these values are so confusing, then you need to search for any new Notes from SAP. If you can't find a one, log a case with SAP.

Regards,

Gowrinadh