06-19-2009 11:48 AM
Hi,
My requirement is to send an alert mail whenever a user ID is created/changed to include the SAP_ALL profile in SU01.
Thanks in Advance.
Thanks,
Raman
06-19-2009 11:59 AM
Rather than sending the email "after the fact", why not restrict the users from assigning the SAP profiles?
Making use of S_USER_PRO, restrict on assignment (22) for SAP* profiles, or S* profiles, if you want users not to use SAP default profiles.
Cheers !!
Zaheer
06-19-2009 12:03 PM
It is just for second-time validation purposes. We want to add SAP_ALL, but all other teams should be notified with an alert mail.
06-19-2009 12:09 PM
Okay, you can make use of enhancement SUSR0001, and code ZXUSRU01 to include a check for the UST04 table for that user and send an email.
However, this user exit will work only when the user with SAP_ALL logs in to the system.
Reference:
SAP Note 37724
http://help.sap.com/saphelp_nw70/helpdata/EN/3e/cdacddedc411d3a6510000e835363f/content.htm
Just a few days back I submitted an article on this through content submission on SDN; if it is accepted, I will share the link with you.
Cheers !!
Zaheer
06-19-2009 12:22 PM
What if the person logs on (passing through the exit) and then subsequently assigns SAP_ALL? --> No mail will be sent.
Other approaches which I have used are creating a variant for report RSUSR100(N) to look for SAP_ALL change documents or the SM20N report (not sure of the exact name at the moment) and scheduling it in a periodic job every hour or so. You can even hide the job in a system exit...
Cheers,
Julius
06-19-2009 12:24 PM
There is also the problem of someone copying SAP_ALL or creating a role with all auths...both reasonably common.
06-19-2009 12:27 PM
Okay Julius... I knew that you would say that :-).. I know that this user exit is only checked for dialog logins from SAPGUI.
And Alex is also right with the fact that someone may just copy SAP_ALL to something else.... maybe a Z role which has the SAP_ALL profile inserted....
Cheers !!
Zaheer
06-19-2009 12:35 PM
It's not the logon type, but rather the fact that you no longer need to log off and on again for authorization changes to take effect. So your exit would trigger too early.
Also it would not see a reference user assignment.
Cheers,
Julius
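Added example, not part of any post in this thread: a sketch of the check a periodic scan would make to cover the three gaps raised above (direct SAP_ALL assignment, a copied profile with the same authorizations, and inheritance through a reference user). The rows are constructed and the column layouts are simplified assumptions modelled on UST04 and USREFUS; `PROFILE_AUTHS` and both function names are hypothetical.

```python
# Constructed sample extracts; a real scan would read these from the system.
UST04 = [  # (BNAME, PROFILE): profiles assigned directly to a user
    ("ALICE", "SAP_ALL"),
    ("BOB", "Z_EVERYTHING"),
    ("CAROL", "Z_DISPLAY"),
    ("REF_ADMIN", "SAP_ALL"),
]
USREFUS = [  # (BNAME, REFUSER): reference user assigned to a user
    ("DAVE", "REF_ADMIN"),
    ("CAROL", ""),
]
# Hypothetical, heavily shortened profile content: (object, authorization).
PROFILE_AUTHS = {
    "SAP_ALL": {("S_USER_PRO", "ALL"), ("S_TCODE", "ALL"), ("S_DEVELOP", "ALL")},
    "Z_EVERYTHING": {("S_USER_PRO", "ALL"), ("S_TCODE", "ALL"), ("S_DEVELOP", "ALL")},
    "Z_DISPLAY": {("S_TCODE", "DISPLAY")},
}


def equivalent_profiles(profile_auths, baseline="SAP_ALL"):
    """Profiles whose authorizations cover everything in the baseline."""
    base = profile_auths[baseline]
    return {name for name, auths in profile_auths.items() if auths >= base}


def find_sap_all_holders(ust04, usrefus, profile_auths):
    """Return sorted (user, path, detail) findings for SAP_ALL-level access."""
    risky = equivalent_profiles(profile_auths)
    direct = {}
    for bname, profile in ust04:
        if profile in risky:
            direct.setdefault(bname, set()).add(profile)

    findings = []
    for user, profiles in direct.items():
        for profile in profiles:
            path = "direct" if profile == "SAP_ALL" else "copy"
            findings.append((user, path, profile))
    # A user with no risky profile of their own still inherits the
    # authorizations of the assigned reference user.
    for bname, refuser in usrefus:
        for profile in sorted(direct.get(refuser, ())):
            findings.append((bname, "reference", f"{refuser}:{profile}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_sap_all_holders(UST04, USREFUS, PROFILE_AUTHS):
        print(finding)
```

Because it looks at current assignments rather than at logon events, a scan like this does not depend on when the affected user next logs on.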
06-23-2009 10:03 PM