Application Development Discussions

Monitoring of SAP_ALL , SAP_NEW profile assignment

Former Member

Hi,

I have to implement a system, where mail should be triggered to reporting person in the following two cases:

1. If SAP_ALL / SAP_NEW profile is assigned to user through SU01 transaction.

2. If user having any of these profiles logs in to the system.

I guess, user exit SUSR0001 can be used for 2nd point (not sure).

Can anyone please guide me about any significant way to achieve this?

Thanks in Advance..

7 Replies

Former Member

You should delete SAP_NEW after upgrades...

For SAP_ALL, you can just tag along with this [thread|; ... (and use the search)

Cheers,

Julius

Former Member

Santosh,

It's a good one and very rarely used.

Please use the MTE "Security" under your SAP CCMS Monitor Templates; in that you have UserMasterRecords. Define the values for it, and when changes are made to an authorization or an authorization profile you will get an alert.

Please see the details below:

Control of user master record changes

Message no. SECAUDIT055

Diagnosis

User master change events recorded in Security Audit Log. Depending on the setting (see below), the following events are reported to the monitoring architecture:

• User deleted

• User locked

• User unlocked

• User authorizations changed

• User master changed

• Authorization or authorization profile created

• Authorization or authorization profile changed

• Authorization or authorization profile deleted

In the Security Audit Log, the system records actions relevant for system security. You use the configuration function of the Security Audit Log to set which actions are recorded and which actions trigger an alert in the alert monitor. To configure the Security Audit Log, choose Tools -> Administration -> Monitor -> Security Audit Log -> Configuration (transaction SM19)

For more information, see the "Application Help" for the Security Audit Log.

This should resolve your first part, but you need to have the audit log switched on for this. I think this is the only way to get ... never tried it, so I would like to hear from you about the result.

For part 2, I think you are right with the answer.

Please update.

Regards,

Pavan


Hi Pavan,

I have implemented the second part successfully but am struggling with the first one.

As a part of first requirement (mail if SAP_ALL,SAP_NEW assigned), I have created the filter in SM19 for tracing the changes made to user master record.

Can you please let me know how can we identify:

1. The assigned or removed profile is SAP_ALL or SAP_NEW

2. The username to whom the profile has been assigned, and the system SID.

because I need to send the username and the system in which the user has been assigned to these profiles.

Thanks.

Edited by: Santosh Karemore on Aug 19, 2009 7:26 PM

Edited by: Santosh Karemore on Aug 19, 2009 7:32 PM

former_member701183
Active Participant

Dear Santosh,

Since assignment of SAP_ALL and SAP_NEW is generally an audit issue, we should try to restrict these from being assigned to users altogether. Better, we design roles where we can restrict the users from assigning these profiles. One way is by dealing with auth object S_USER_PRO value 22, as discussed in earlier threads. If an alert needs to be sent out, then we need to try to link this with a CCMS alert if at all possible, configure mail via SCOT, and use SBWP. Please let me know if it helps you.

Regards

Aveek.

Bernhard_SAP
Employee

Hi Santosh,

For point 1 I have the idea to use the user exit PRGN_EXIT_USERS_TRANSFER in SU01 to run your own checks regarding the sap_all assignment and trigger the e-mail alert. The information about sap_all is contained in SUSR_USER_MAINT_WITH_DIALOG, where the FORM save_assignments with table 'profiles' is called. So you have the list of profiles already. Trigger the exit in PRGN_USER_ASSIGNMENT_CHANGE to run the check whether sap_all is contained in the profiles table, and trigger the alert then.

This is just an idea, and I did not test it at all....

b.rgds, Bernhard

former_member561174
Participant

Hi,

Can you please let me know how you implemented these two requirements as I have to do same for my project.

Immediate response will be highly appreciated.

BR,

Nisha

Former Member

Just would like to point out that the S_A.SYSTEM profile and a large number of "SAP" roles can give similar access as SAP_ALL. The best approach is to control user provisioning with periodic scans. Look for unexpected user IDs making assignments, or assignments that deviate from a naming convention. Receiving an e-mail alert for SAP_ALL seems like a reactionary response from someone who doesn't fully understand SAP security.
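The periodic scan suggested in the last reply, and the information Santosh asked for earlier (which profile, which user, which system), can be combined in one small offline scan over an extract of profile-assignment changes. The following is an added example written for this page, not code from any of the posters or from SAP: it assumes a CSV extract with the assumed columns SYSID, CLIENT, BNAME (target user), PROFILE, MODBE (user who made the change), MODDA, MODTI and ACTION (A = assigned, D = removed); the sample rows, the allow-list of approved administrators and the user-ID naming convention are all constructed for the example. It flags assignments and removals of SAP_ALL, SAP_NEW and S_A.SYSTEM, changes made by an ID that is not an approved administrator, and target user IDs that break the naming convention, and it also reports who currently holds a critical profile after replaying the changes in order.

```python
"""Offline scan of an SAP profile-assignment change extract (added example).

Assumed extract columns: SYSID, CLIENT, BNAME, PROFILE, MODBE, MODDA, MODTI, ACTION.
Sample data, admin allow-list and naming convention are constructed assumptions.
"""
import csv
import io
import re
from dataclasses import dataclass

# Profiles the thread treats as equivalent to full access.
CRITICAL_PROFILES = frozenset({"SAP_ALL", "SAP_NEW", "S_A.SYSTEM"})
# Assumed allow-list of administrator IDs permitted to change assignments.
APPROVED_ADMINS = frozenset({"SECADM1", "SECADM2"})
# Assumed naming convention for named users: 'U' followed by six digits.
USER_ID_PATTERN = re.compile(r"^U[0-9]{6}$")

# Constructed sample extract (not real system data).
SAMPLE_EXTRACT = """\
SYSID,CLIENT,BNAME,PROFILE,MODBE,MODDA,MODTI,ACTION
PRD,100,U123456,SAP_ALL,SECADM1,20090819,191500,A
PRD,100,U234567,Z_FI_DISPLAY,SECADM1,20090819,191600,A
PRD,100,TESTUSER,SAP_NEW,DEVUSER9,20090819,192000,A
QAS,200,U345678,S_A.SYSTEM,SECADM2,20090820,080000,A
PRD,100,U123456,SAP_ALL,SECADM1,20090821,093000,D
"""


@dataclass(frozen=True)
class Finding:
    sysid: str
    client: str
    bname: str
    profile: str
    modbe: str
    timestamp: str
    reasons: tuple


def parse_extract(text):
    """Parse the CSV extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def check_row(row):
    """Return the reasons a single change row should be reported (empty if none)."""
    reasons = []
    if row["PROFILE"] in CRITICAL_PROFILES:
        reasons.append("critical profile assigned" if row["ACTION"] == "A"
                       else "critical profile removed")
    if row["MODBE"] not in APPROVED_ADMINS:
        reasons.append("modifier not an approved admin")
    if not USER_ID_PATTERN.match(row["BNAME"]):
        reasons.append("user ID violates naming convention")
    return tuple(reasons)


def scan(rows):
    """Run check_row over every change and collect findings in extract order."""
    findings = []
    for row in rows:
        reasons = check_row(row)
        if reasons:
            findings.append(Finding(row["SYSID"], row["CLIENT"], row["BNAME"],
                                    row["PROFILE"], row["MODBE"],
                                    f"{row['MODDA']} {row['MODTI']}", reasons))
    return findings


def current_holders(rows):
    """Replay A/D changes in time order; return (SYSID, CLIENT, BNAME, PROFILE)
    for every critical profile still assigned at the end of the extract."""
    held = set()
    for row in sorted(rows, key=lambda r: (r["MODDA"], r["MODTI"])):
        if row["PROFILE"] not in CRITICAL_PROFILES:
            continue
        key = (row["SYSID"], row["CLIENT"], row["BNAME"], row["PROFILE"])
        if row["ACTION"] == "A":
            held.add(key)
        else:
            held.discard(key)
    return held


def format_alert(finding):
    """One-line alert text carrying system, client, user, profile and modifier."""
    return (f"[{finding.sysid}/{finding.client}] {finding.bname}: {finding.profile} "
            f"({finding.reasons[0].split()[-1]}) by {finding.modbe} at {finding.timestamp}: "
            + "; ".join(finding.reasons))


if __name__ == "__main__":
    extract_rows = parse_extract(SAMPLE_EXTRACT)
    for f in scan(extract_rows):
        print(format_alert(f))
    print("Current critical-profile holders:", sorted(current_holders(extract_rows)))
```

Run on the constructed extract, the scan reports four of the five changes: the two clean SAP_ALL and S_A.SYSTEM assignments by approved administrators (still worth a mail, which is what the original question asked for), the SAP_NEW assignment that trips all three checks because a non-admin gave it to an ID outside the naming convention, and the later SAP_ALL removal; the replay then shows that only TESTUSER and U345678 still hold a critical profile. In practice the extract would come from the user-master change documents rather than from the Security Audit Log, since the audit log records that a user's authorizations changed but not which profile was involved.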