It is just like second time validation purpose. We want to add SAP_ALL, but all other team should be notified with alert mail

Okay, you can make use of enhancement SUSR0001, and code ZXUSRU01 to include a check for the UST04 table for that user and send an email.

However, this user exit will work only when the user with SAP_ALL logs in to the system.

Reference :

SAP Note 37724

http://help.sap.com/saphelp_nw70/helpdata/EN/3e/cdacddedc411d3a6510000e835363f/content.htm

Few days back only i have submitted on article in content submission on SDN on this, if it is accepted, will share the link with you.

Cheers !!

Zaheer

What if the person logs on (passing through the exit) and then subsequently assigns SAP_ALL? --> No mail will be sent.

Other approaches which I have used is creating a variant for report RSUSR100(N) to look for SAP_ALL change documents or the SM20N report (not sure of the exact name at the moment) and schedule it in a periodic job every hour or so. You can even hide the job in a system exit...

Cheers,

Julius

There is also the problem of someone copying SAP_ALL or creating a role with all auths...both reasonably common.

Okay Julius... i knew that you will say that :-).. i know that this user exit is only checked for dialog logins from SAPGUI.

And Alex is also right with the fact that someone may just copy SAP_ALL to something else....may be Z role which has SAP_ALL profile inserted....

Cheers !!

Zaheer

It's not the logon type, but rather the fact that you no longer need to log off and on again for authorization changes to take affect. So your exit would trigger too early.

Also it would not see a reference user assignment.

Cheers,

Julius

please check

Regards,

Pavan