06-24-2010 8:59 AM
Hi Gurus,
We need to change the service userID to System type, and ensure that all functionality continues to work in Production systems. (The userID embedded into RFC connections)
Before changing the user type for the userid I would like to know if there is any way to log whether interactive logons have taken place for the Service user.
We need to ensure that everything works when the userID is changed to System.
Please let me know if there is any to see the log for the service user which had interactive logons.
Regard's
06-26-2010 1:04 AM
I think from what you are asking is can I find interactive logon of the user whose type is changed ( from whatever ) to Service user, I will say yes if audit log is on as per other experts post.
Remember with Netweaver in place not many companies would put SM19 and SM20 on , there are many java based GRC tools to do that .
The suggestions provided are the steps to configure after the fact.
My guess the logs will be in if Auditing was on
or else you will not get what you expect.
I dont know if this can help but please try this use SUIM
go to change documents, put that username at CHANGES BY FIELD try to expand range on dates
using changes since and changes up to.
"Again this is based on the Audit defaults set by your basis team already"
Objects
Authorizations
Object classes
Changes by
Changes since
Changes up to
If you set Audit today and try based on the steps provided by other experts you are not going to get any output from the past.
06-24-2010 9:12 AM
Salman,
system users are non-interactive accounts. I consistently use system accounts. I found that communication accounts need to have their password changed on first logon, which is somewhat cumbersome with a non-dialog account....
System :
GUI login is not possible.
Initial password and expiration of passowrd are not checked.
Usage:- These are used for internal use in system like background jobs.
Background processing and communication within a system (such as RFC users for ALE, Workflow, TMS, and CUA).
Service:
GUI login is possible.
Initial password and expiration of passowrd are not checked.
Multiple logins are allowed.
Users are not allowed to change the password. Only admin can change the password
Usage:- These are used for anonymous users. This type of users should be given minimum authorization.
Thanks,
Sri
06-24-2010 9:36 AM
Thanks Sri for quick response.
Could please tell me how should I know if there is any interactive logon happened thru this service user type (if logs recorded any interactive logons) ? if any, then where should i check it ? if not, then I can directly change it to system type in prd.
Thanks again!
06-24-2010 10:02 AM
Salman,
You can use STAT and STAD for last three days of working and st03 for whole summarized total work perform by any user.
USR02 Logon data (password,user name, validity date etc..)
or
Go to ST03N -> Switch to Expert mode in the upper left corner -> Expand the node Total and select the time period (day, week, month) -> Expand the node User and Settlement Statistics and select User Profile -> Doubleclick the user you want and you get a list with transactions
or
You need to activate the audit system, than you can get the history for
when he login/logon
what report he run
when he change password or get lock and unlock
when he change authorization.
Almost every action you can log
You can use SM19, SM20.
Thanks,
Sri
06-24-2010 10:45 AM
Sri,
I never used SM19 before.. I want to check the log for only one specific user. Do I need to create anew profile in SM19 and activate it and then give the user id and go to SM20 and give the userid and read log ?
Please advise..
Thanks
06-24-2010 7:29 PM
Salman,
Yes salman, you need to create profile and then activate it.
In SM18 you can define the days for which you want to keep the logs it depends on the company policy and size of log
In SM19 Activate the profile required for audit log like for all users you can activate only critical events while for critical users select all events.SM20 you will just use for the reading the logs. (if required)
http://searchsap.techtarget.com/tip/SAP-security-audit-log-setup (ECC6)
http://www.sap-img.com/basis/the-step-required-to-audit-at-the-user-level.htm
http://www.erpgenie.com/sap-technical/basis/the-step-required-to-audit-at-the-user-level
NOTE:
Activating the audit log
The following instance profiles must be set in order to activate audit logging (use transaction RZ10 to do so
rsau/enable: Set to 1 to activates audit logging
rsau/loc
Thanks,
Sri
06-24-2010 9:38 AM
As we know now from Sri's c/p, what a Service and a System user is....
in SM19/20 you can log logins of type dialog and RFC/CPIC.
b.rgds, Bernhard
06-26-2010 1:04 AM
I think from what you are asking is can I find interactive logon of the user whose type is changed ( from whatever ) to Service user, I will say yes if audit log is on as per other experts post.
Remember with Netweaver in place not many companies would put SM19 and SM20 on , there are many java based GRC tools to do that .
The suggestions provided are the steps to configure after the fact.
My guess the logs will be in if Auditing was on
or else you will not get what you expect.
I dont know if this can help but please try this use SUIM
go to change documents, put that username at CHANGES BY FIELD try to expand range on dates
using changes since and changes up to.
"Again this is based on the Audit defaults set by your basis team already"
Objects
Authorizations
Object classes
Changes by
Changes since
Changes up to
If you set Audit today and try based on the steps provided by other experts you are not going to get any output from the past.
06-26-2010 4:49 AM
salman,
SUIM doesn't give you the result. Since the search is for log files / who have logon(service id's) for particular period
Best option is thru Audit
or
retreive user history from tables USH02,USH04,USH10 and USH12.
Thanks,
Sri