05-11-2010 1:24 PM
Hi,
I really wonder how the transaction SUIM behave. I need to know the roles that can execute a particular transaction.
For example, when I search for a transaction through Roles -> By Transaction Assignment I get 2 hits and they are correct, but if the transaction is added manually to the object S_TCODE I don't get those roles. (I know this isn't the way to build roles in best way, but I'm not the one who built the roles)
When I'm searching through Roles -> By Authorization Values, object S_TCODE and the same transaction code, I get more hits than 2. Why?? For some roles the transaction isn't neither in the menu or in the object S_TCODE, why am I getting those roles in the result??
What should I believe in?
I start wonder if START_REPORT have something to do with this? Or the package which is connected to the transaction?
Has someone any input?
/Anna
Edited by: Anna Rosenklint on May 11, 2010 2:25 PM
05-11-2010 1:30 PM
Transactions added in Menu are reflected in object S_TCODE. However, administrators can also go and add transactions directly in S_TCODE.
The results shown when you execute with option S_TCODE are the roles which can provide access to user. There are many bugs reported in SUIM and SAP has delivered notes as well like 171805 .
Please search in service market place. Also post the basis version you are in. Moderators can find best note for you.
Regards,
Gowrinadh
Edited by: Gowrinadh Challagundla on May 11, 2010 2:32 PM
05-11-2010 1:30 PM
Transactions added in Menu are reflected in object S_TCODE. However, administrators can also go and add transactions directly in S_TCODE.
The results shown when you execute with option S_TCODE are the roles which can provide access to user. There are many bugs reported in SUIM and SAP has delivered notes as well like 171805 .
Please search in service market place. Also post the basis version you are in. Moderators can find best note for you.
Regards,
Gowrinadh
Edited by: Gowrinadh Challagundla on May 11, 2010 2:32 PM
05-11-2010 1:41 PM
> Transactions added in Menu are reflected in object S_TCODE. However, administrators can also go and add transactions directly in S_TCODE.
Besides that, some transactions bring along S_TCODE proposals for other transactions when added to a role menu.
The main difference between the two search methods is that the transaction assignment one only looks in the role menu whereas the object approach gives you the real authorizations. Best use the latter one.
Jurjen
05-11-2010 1:49 PM
and besides that don't forget the possibility of using intervals in object S_TCODE.....
05-11-2010 1:56 PM
Explanation:
I search for example for S_ALR_87012357 and when I'm searching through Roles -> By Authorization Values S_TCODE I get roles where the transaction doesn't exist. Neither in the menu or in the object S_TCODE. Why am I getting those roles in the search list?
05-11-2010 2:42 PM
> Neither in the menu or in the object S_TCODE. Why am I getting those roles in the search list?
Are you sure there are no ranges or wildcarded entries like S_ALR* in the S_TCODE object?
05-11-2010 2:43 PM
I have found below notes which may be applicable for you.
Note 1227083 - SUIM| Search criteria authorization object/transaction code
Note 752356 - SUIM|RSUSR070: Selection by transactions in the role menu
Note 1335564 - SUIM| Searching for authorization values w/ conversion exit
Note 1393940 - SUIM| Incorrect results when searching for profile and roles
05-11-2010 2:44 PM
Are you sure there are no ranges or wildcarded entries like S_ALR* in the S_TCODE object?
Yes I am, it is only a few transaction codes.
05-11-2010 3:37 PM
Can you post a selection from AGR_TCODES and AGR_1251 filtered for S_TCODE for the relevant role(s) here?
Besides that, are the profiles porperly generated, ie everything green in PFCG?
05-11-2010 3:47 PM
Yes, the profiles are porperly generated, everything is green in PFCG.
The transaction I search for S_ALR_87012357
In AGR_1251
AGR_NAME OBJECT AUTH FIELD LOW HIGH
Z0:FI_03_D S_TCODE T-D186008300 TCD AS03
Z0:FI_03_D S_TCODE T-D186008300 TCD AS23
Z0:FI_03_D S_TCODE T-D186008300 TCD AW01N
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87010125
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87011963
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87011979
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87011981
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87011990
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87012004
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87012028
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87012037
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87012039
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87012041
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87012050
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87012052
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87012066
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87012075
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87012936
Z0:FI_03_D S_TCODE T-D186008300 TCD S_P99_41000192
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87011994
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87012048
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87011969
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87011968
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87011967
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87011966
Z0:FI_03_D S_TCODE T-D186008300 TCD S_ALR_87011964
Z0:FI_03_D S_TCODE T-D186008300 TCD AS93
In AGR_TCODES
AGR_NAME TYPE TCODE DIRECT
Z0:FI_03_D TR AS03 X
Z0:FI_03_D TR AS23 X
Z0:FI_03_D TR AS93 X
Z0:FI_03_D TR AW01N X
Z0:FI_03_D TR S_ALR_87010125 X
Z0:FI_03_D TR S_ALR_87011963 X
Z0:FI_03_D TR S_ALR_87011964 X
Z0:FI_03_D TR S_ALR_87011966 X
Z0:FI_03_D TR S_ALR_87011967 X
Z0:FI_03_D TR S_ALR_87011968 X
Z0:FI_03_D TR S_ALR_87011969 X
Z0:FI_03_D TR S_ALR_87011979 X
Z0:FI_03_D TR S_ALR_87011981 X
Z0:FI_03_D TR S_ALR_87011990 X
Z0:FI_03_D TR S_ALR_87011994 X
Z0:FI_03_D TR S_ALR_87012004 X
Z0:FI_03_D TR S_ALR_87012028 X
Z0:FI_03_D TR S_ALR_87012037 X
Z0:FI_03_D TR S_ALR_87012039 X
Z0:FI_03_D TR S_ALR_87012041 X
Z0:FI_03_D TR S_ALR_87012048 X
Z0:FI_03_D TR S_ALR_87012050 X
Z0:FI_03_D TR S_ALR_87012052 X
Z0:FI_03_D TR S_ALR_87012066 X
Z0:FI_03_D TR S_ALR_87012075 X
Z0:FI_03_D TR S_ALR_87012936 X
Z0:FI_03_D TR S_P99_41000192 X
05-12-2010 10:23 AM
ok, then you need the corrections of note 1273992
( https://service.sap.com/sap/support/notes/1273992 )
This will solve your problem.
b.rgds, Bernhard
05-12-2010 11:29 AM
ok, then you need the corrections of note 1273992
Thank you very much, it works now!