Solved: Accuracy of RSUSR002

Former Member · ‎03-04-2010

Hi there - hope all is good with everyone. I am encountering an issue with one of SAP's built-in reports and I was wondering if there is a workaround for this. I have been given the task to review user access in our SAP instance and I used report RSUSR002 to generate a list of all users who can create entries in the chart of accounts. The query I am running is as follows:

S_TCODE=FS00 with authorization objects F_SKA1_BUK (ACTVT=01 and BUKRS=), F_SKA1_KTP (ACTVT=01 and KTOPL=).

I generated a fairly large number of users who can do this and one of the users on the list decided to test FS00 and check whether she is really able to do this. When she tried creating a master record an error was generated that she was missing authorizations. Further check of her roles identified that she has only F_SKA1_KTP (ACTVT=03).

I re-ran report RSUSR002, this time querying only for users who have F_SKA1_KTP (ACTVT=01) assigned and she comes up again on the list. So it looks like the results produced by RSUSR002 are incorrect for some reason. This is quite disappointing since I spent a week testing for various combinations of t-codes and auth objects and now it looks like the result is completely unreliable. Any advice, ideas suggestions for workarounds or root cause will be very much appreciated.

Thanks so much!

Martin:

Former Member · ‎03-04-2010

Which release and BC support pack are you on?

Many things have changed over time and you might need to adjust your search techniques.

Cheers,

Julius

Former Member · ‎03-04-2010

Which release and BC support pack are you on?

Many things have changed over time and you might need to adjust your search techniques.

Cheers,

Julius

Former Member · ‎03-04-2010

SAP Kernel release 640, SAP_BASIS Component: SAPKB64019

Hope this info is sufficient.

Former Member · ‎03-04-2010

Probably your query is expecting transaction FS00 to be in the menu and not the S_TCODE object.

SUIM reports distinguish between these two. S_TCODE can be executed via the ok-code command field window and you cannot block that even if you try to hide it.

Reconsider your selction criteria and read the online release dependent documentation on the report (shortcut .he in the selection screen).

Possibly some SP related corrections are usefull as well.

Cheers,

Julius

Former Member · ‎03-04-2010

Hi Julius - thank you for your response. I decided to test the accuracy of RSUSR002 by just selecting all users who are assigned authorization object F_SKA1_KTP (ACTVT=01) and the user in question was included in the result of the report although I manually checked her profile and verified that she has only F_SKA1_KTP (ACTVT=03) assigned.

As far as you know, is there another alternative to RSUSR002 (users by complex search criteria)? We are frequently asked to do segregation of duties testing and would like to use native SAP reports rather than extracting all authorization information and analyzing it in external tools?

Thanks

Martin

Former Member · ‎03-04-2010

From many transactions (e.g. FB03) you can display accounting documents and "see" the GL account they are posted against.

If you double-click the account you will be in FS00. The transaction code itself is not necessarily critical, it is more dependent on the authorizations to use the transaction.

For auditoing, you can in almost all cases forget about the transaction code! The most important aspect of transactio code contexts is that you can turn some objects OFF for authority-checks (the return code is set to 0).

See the documentation on transaction SU24 and SE97 and the FAQ thread (top of the forum).

Cheers,

Julius

Bernhard_SAP · ‎03-09-2010

oh, sapkb64019.....

There are lots of corrections available for this sp-level....

For instance:

note 1227083, 1244598(also if too many hits are displayed), 1296766 , 1273992,....

b.rgds, Bernhard

Former Member · ‎04-07-2010

Thank you ! Your help is greatly appreciated!