Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP transactions that call SU0 1

Go to solution
Former Member

‎03-25-2010 9:24 AM

0 Kudos

Hi guys,

I need a help.

We are creating security controls to use the SU01, most have found some transactions may also modify users, exemple as PP01.

Does, anyone have a list of SAP transactions that call SU0 1

Thanks a lot

Martha

1 ACCEPTED SOLUTION

Go to solution
jörg_weichert
Explorer

‎03-29-2010 8:15 PM

0 Kudos

Hi,

here are some alternatives for SU01:

SU10, SU12, SU01_NAV,

GCE1, OIBB, OMDL, OY22 ... -> search in table TSTCP for parameter /NSU01

cheers

Jörg

Edited by: Jörg Weichert on Mar 29, 2010 9:49 PM Posted to wrong thread.

13 REPLIES 13

Go to solution
jurjen_heeck
Active Contributor

‎03-25-2010 9:33 AM

0 Kudos

As SU01 is a transaction as well you may want to find the program behind it (table TSTC or tr. SE93) and look for transactions that use the same program.

Go to solution
Bernhard_SAP
Employee
Employee

‎03-25-2010 9:55 AM

0 Kudos

Hi,

another source is also table tcdcouples. Select SU01 in field CALLED to get a list of t-codes starting SU01 with 'call transaction'.

But the list may not be complete...

b.rgds, Bernhard

Go to solution
Former Member
In response to Bernhard_SAP

‎03-25-2010 10:54 AM

0 Kudos

Thank you for sharing, Bernhard. That table was news to me ...

... and now I am depressed: DBACOCKPIT is calling SU01? Whatfor? How reliable is the information contained in this table?

Go to solution
Former Member
In response to Bernhard_SAP

‎03-25-2010 12:26 PM

0 Kudos

You can take a look in the FAQ thread at the entry:

> Note 358122 - Function description of transaction SE97 - Coupled "CALL TRANSACTION" pairs and restrictions.

A where-used-search on function module AUTHORITY_CHECK_TCODE will be usefull as well, as will searching the forum here for discussions about it.

Cheers,

Julius

Go to solution
Former Member
In response to Bernhard_SAP

‎03-25-2010 1:03 PM

0 Kudos

Thanks for pointing me in the right direction, Julius.

And ... please clap me on the ear, if I ever fail to do my R&D again. Sorry.

I still see no sense in the entry of (for example) DBACOCKPIT and SU01 - this transaction hasn't even the remotest functionality around SU01 (no calls, no includes, no methods, nothing ... I checked) - but obviously this is along the same alley as LT03 and S_BTCH_ADM ...

Go to solution
Former Member
In response to Bernhard_SAP

‎03-25-2010 1:46 PM

0 Kudos

Can't find anything either for DBACOCKPIT, but I guess it was there at some stage - perhaps way back a while.

There is no harm in the entry being in SE97 though, until you turn the check off inappropriately. Unmaintained but entered is the same as "Check". For the function module I mentioned it does not matter, but for CALL TRANSACTION statements which do not call the function module it does matter as there is no check.

It being impossible to maintain all combinations of all transactions against each other, SAP invented the function module and called it upfront in SU01 and SU01_NAV as well as many other transactions which now use this FM.

Cheers,

Julius

Edited by: Julius Bussche on Mar 25, 2010 3:10 PM

Go to solution
Former Member

‎03-25-2010 12:28 PM

0 Kudos

> exemple as PP01.

That calls SU01's navigation cousin, and the check is not deactivated. The user of PP01 will not be able to access SU01 if not authorized.

A where-used-list on the BAPI_USER* function modules will be relevant as well.

Rather rely on S_USER_GRP etc authorization objects if functionality is critical for you. It is more reliable to take that approach.

Cheers,

Julius

Go to solution
jörg_weichert
Explorer

‎03-29-2010 8:15 PM

0 Kudos

Hi,

here are some alternatives for SU01:

SU10, SU12, SU01_NAV,

GCE1, OIBB, OMDL, OY22 ... -> search in table TSTCP for parameter /NSU01

cheers

Jörg

Edited by: Jörg Weichert on Mar 29, 2010 9:49 PM Posted to wrong thread.

Go to solution
Former Member
In response to jörg_weichert

‎03-29-2010 9:48 PM

0 Kudos

Yep, you might want to take a look into tables TFDIR and USOBHASH as well.

If something is critcal for you, you need to control it at object level for the use-case, otherwise it is a "low brainer".

Cheers,

Julius

Edited by: Julius Bussche on Mar 29, 2010 10:48 PM

Go to solution
jörg_weichert
Explorer
In response to jörg_weichert

‎03-29-2010 10:02 PM

0 Kudos

Hi,

Julius is right you have to control it on the object level, especial when somebody is able to call function modules.

In table TSTCP you have to search for su01 (and su10 etc) otherwise you will miss some transactions, e.g. OOUS .

cheers

Joerg

Go to solution
Former Member
In response to jörg_weichert

‎03-29-2010 10:11 PM

0 Kudos

And once you have exposed them, then it makes sense to audit the systems you trust and not only the "local" one (e.g. SolMan, CUA master, IdM, etc..).

As an alternative, some auditors like to system audit each company locally...

If you secure the security locally in authorizations, then it will make your life easier and system maintenance costs lower in the long run, as well as auditing.

Cheers,

Julius

Go to solution
arpan_paik
Active Contributor
In response to jörg_weichert

‎03-30-2010 5:00 AM

0 Kudos

It is someone elses post and a ongoing discssion is already going. Pardon my sudden intrusion. But I was surprised by so many transaction with same functionality like SU01. Even same screen. Why???

Go to solution
Former Member
In response to jörg_weichert

‎03-31-2010 9:37 AM

0 Kudos

Julius,

Thanks very much, for you help.

I aprecciate and using your help )

Martha