06-23-2009 7:11 PM
Hi,
I have to implement a system, where mail should be triggered to reporting person in the following two cases:
1. If SAP_ALL / SAP_NEW profile is assigned to user through SU01 transaction.
2. If user having any of these profiles logs in to the system.
I guess user exit SUSR0001 can be used for the 2nd point (not sure).
Can anyone please guide me about any significant way to achieve this?
Thanks in advance.
06-23-2009 9:44 PM
06-23-2009 9:59 PM
Santosh,
It's a good one and very rarely used.
Please use the MTE "Security" under your SAP CCMS Monitor Templates; in that you have "UserMasterRecords". Define the values for it, and when changes are made to an authorization or an authorization profile you will get an alert.
Please see the details below:
Control of user master record changes
Message no. SECAUDIT055
Diagnosis
User master change events recorded in Security Audit Log. Depending on the setting (see below), the following events are reported to the monitoring architecture:
• User deleted
• User locked
• User unlocked
• User authorizations changed
• User master changed
• Authorization or authorization profile created
• Authorization or authorization profile changed
• Authorization or authorization profile deleted
In the Security Audit Log, the system records actions relevant for system security. You use the configuration function of the Security Audit Log to set which actions are recorded and which actions trigger an alert in the alert monitor. To configure the Security Audit Log, choose Tools -> Administration -> Monitor -> Security Audit Log -> Configuration (transaction SM19).
For more information, see the "Application Help" for the Security Audit Log.
This should resolve your first part, but you need to have the audit log switched on for this. I think this is the only way to get ... never tried it, so I would like to hear from you about the result.
For part 2 I think you are right with the answer.
Please update.
Regards,
Pavan
08-19-2009 6:26 PM
Hi Pavan,
I have implemented the second part successfully but am struggling with the first one.
As a part of first requirement (mail if SAP_ALL,SAP_NEW assigned), I have created the filter in SM19 for tracing the changes made to user master record.
Can you please let me know how we can identify:
1. The assigned or removed profile is SAP_ALL or SAP_NEW
2. The username to whom the profile has been assigned and system SID.
because I need to send the username and the system in which the user has been assigned to these profiles.
Thanks.
Edited by: Santosh Karemore on Aug 19, 2009 7:26 PM
Edited by: Santosh Karemore on Aug 19, 2009 7:32 PM
06-24-2009 4:30 AM
Dear Santosh,
Since assigning SAP_ALL and SAP_NEW is generally an audit issue, we should try to restrict those from being assigned to users altogether. Better we design roles where we can restrict the users from assigning these profiles. One way is by dealing with auth object S_USER_PRO value 22 as discussed in earlier threads. If an alert needs to be sent out, then we need to try to link this with a CCMS alert if at all possible, configure mail via SCOT and use SBWP. Please let me know if it helps you.
Regards
Aveek.
08-24-2009 10:43 AM
Hi Santosh,
For point 1 I have the idea to use the user exit PRGN_EXIT_USERS_TRANSFER in SU01 to run your own checks regarding the sap_all assignment and trigger the e-mail alert. The information about sap_all is contained in SUSR_USER_MAINT_WITH_DIALOG, where the FORM save_assignments with table 'profiles' is called. So you have the list of profiles already. Trigger the exit in PRGN_USER_ASSIGNMENT_CHANGE to run the check whether sap_all is contained in the profiles table and trigger the alert then.
This is just an idea, and I did not test it at all...
b.rgds, Bernhard
05-25-2012 7:48 PM
Hi,
Can you please let me know how you implemented these two requirements as I have to do same for my project.
Immediate response will be highly appreciated.
BR,
Nisha
05-29-2012 5:07 PM
Just would like to point out, the S_A.SYSTEM profile and a large number of "SAP" roles can give similar access as SAP_ALL. The best approach is to control user provisioning with periodic scans. Look for unexpected user IDs making assignments... or assignments that deviate from a naming convention. Receiving an email alert for SAP_ALL seems like a reactionary response from someone who doesn't fully understand SAP security.
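As an added example (not code from any poster in this thread and not SAP's own code), the following Python script shows the periodic-scan approach from the last reply, and at the same time answers the question raised earlier about identifying the profile, the target user and the system ID: it reads assignment-change records and flags broad-access profile assignments, assignments made by user IDs that are not on an approved list, and broad-access assignments to accounts that fall outside an emergency-user naming convention. The record layout (SID | timestamp | changed-by | user | profile | action), the approved-assigner list and the FF_ naming pattern are all assumptions made for this example; a real run would read an extract of the system's own change history, with the SID known from the source system.

```python
"""Periodic scan of profile-assignment records for broad-access profiles.

Added example for this thread, not code from any poster or from SAP. The
input format is constructed: one pipe-separated record per assignment
change with the fields SID | timestamp | changed-by user | target user |
profile | action. In a real system the records would come from an extract
of the system's own change history, and the SID from the source system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import re

# Profiles named in the thread as granting (near) full access.
HIGH_PRIV_PROFILES = {"SAP_ALL", "SAP_NEW", "S_A.SYSTEM"}

# Assumption: the only user IDs that are supposed to make profile assignments.
APPROVED_ASSIGNERS = {"SECADM1", "SECADM2"}

# Assumption: naming convention for emergency ("firefighter") users, the only
# accounts to which a broad-access profile may legitimately be assigned.
EMERGENCY_USER_PATTERN = re.compile(r"^FF_[A-Z0-9]+$")


@dataclass(frozen=True)
class AssignmentEvent:
    sid: str
    timestamp: datetime
    changed_by: str
    user: str
    profile: str
    action: str          # "ASSIGN" or "REMOVE"


def parse_event(line: str) -> AssignmentEvent:
    """Parse one record of the constructed format; raises on malformed input."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    sid, ts, changed_by, user, profile, action = fields
    return AssignmentEvent(sid.upper(), datetime.strptime(ts, "%Y%m%d%H%M%S"),
                           changed_by.upper(), user.upper(), profile.upper(),
                           action.upper())


def evaluate(ev: AssignmentEvent) -> list[str]:
    """Return the reasons an event deserves attention (empty list = normal)."""
    reasons = []
    broad = ev.action == "ASSIGN" and ev.profile in HIGH_PRIV_PROFILES
    if broad:
        reasons.append(f"broad-access profile {ev.profile} assigned")
        if not EMERGENCY_USER_PATTERN.match(ev.user):
            reasons.append(f"target {ev.user} is outside the emergency-user naming convention")
    if ev.changed_by not in APPROVED_ASSIGNERS:
        reasons.append(f"change made by unexpected user {ev.changed_by}")
    return reasons


def scan(lines) -> list[tuple[AssignmentEvent, list[str]]]:
    """Run every non-empty record through evaluate() and keep those with findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = evaluate(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


def alerts_by_system(findings) -> dict[str, list[str]]:
    """Group one-line alert texts per SID, so each system owner gets one mail."""
    grouped = defaultdict(list)
    for ev, reasons in findings:
        grouped[ev.sid].append(
            f"{ev.timestamp:%Y-%m-%d %H:%M:%S} {ev.action} {ev.profile} -> {ev.user} "
            f"by {ev.changed_by}: " + "; ".join(reasons))
    return dict(grouped)


# Constructed sample extract (not real system data).
SAMPLE_RECORDS = """\
PRD|20090819191500|SECADM1|JSMITH|SAP_ALL|ASSIGN
PRD|20090819192000|SECADM1|FF_EMERG01|SAP_ALL|ASSIGN
PRD|20090819193000|DEVUSER7|MJONES|S_A.SYSTEM|ASSIGN
QAS|20090819194500|SECADM2|JSMITH|SAP_NEW|REMOVE
QAS|20090819195000|SECADM2|ABAPDEV|Z_BASIC|ASSIGN
"""

if __name__ == "__main__":
    for sid, lines in alerts_by_system(scan(SAMPLE_RECORDS.splitlines())).items():
        print(f"=== {sid} ===")
        print("\n".join(lines))
```

On the sample data the scan produces three findings, all for PRD: the SAP_ALL assignment to JSMITH (broad profile, target outside the FF_ convention), the SAP_ALL assignment to FF_EMERG01 (broad profile only, since the assigner and the target naming are as expected), and the S_A.SYSTEM assignment by DEVUSER7 (all three reasons). The removal of SAP_NEW and the Z_BASIC assignment are not reported. The same evaluate() rule set could be fed from a user-exit trigger instead of a batch extract if an immediate alert is still wanted; only the input side changes.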