Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

S_BCE_68002111 vs RSUSR002

dsanpor
Participant
0 Kudos

Dear Experts

I have a problem with two programs.

S_BCE_68002111: Here I can define critical autorizations. For example S_TCODE = AL11.

RSUSR002: Complex selction criteria

I custo S_BCE_68002111 and y generate critical autorization with S_TCODE and AL11 value.

I thought the result should be the same, however it is not.

The program S_BCE_680002111 do not select all users if the users have the value of the authorization was a range.

For example

If user A has:

S_TCODE

TCD = AL11

If user B has

S_TCODE

TCD = A* .. AL12.

Program RSUSR002 shows users A and B with one range in the tcd field.

Program S_BCE_680002111 do not show B user.

In this case, the function of programs should be the same. S_BCE_680002111 can parameterize your own critical authorizations. So if I just put the same objects in both programs should meet the same users.

Why is the data selection is different? Although the selection is made from different tables the solution should be the same.

Thanks and regards David Sanchez.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi David,

The intended purpose of both the programs is as different ........What is shown as a result of executing S_BCE_68002111 can be a part of the result shown in RSUSR002 but not vice-versa

RSUSR002 is intended to check on the presence of a particualr authorization object in the existing profiles, and the result is based on the specifc value (or) a range of values as in the case of User B

S_BCE_68002111 (it is the program RSUSR008_009_NEW) is built primarily for audit checks to give an output based on defined rule sets to check on the Seggregation of duties conflcits in users, and it checks on specific values ONLY. I think to check on specific values for this report is quite logical, because you dont expect the report to check on ranges since the report configuration is built on the transaction code, the critical objects and the values and it wouldnt make a lot of sense to have a range for S_TCODE and include all the critical objects and all the possible values for one authorization ID

Now, Imagine we have users having acccess to SU53, if you run RSUSR002 with S_TCODE as SU53 you would in all probability get a long list of User Id's , but ideally, you wouldnt want to have SU53 cnfigured as a critical transaction in S_BCE_6802111 - isnt it?

4 REPLIES 4

Former Member
0 Kudos

Hi David,

The intended purpose of both the programs is as different ........What is shown as a result of executing S_BCE_68002111 can be a part of the result shown in RSUSR002 but not vice-versa

RSUSR002 is intended to check on the presence of a particualr authorization object in the existing profiles, and the result is based on the specifc value (or) a range of values as in the case of User B

S_BCE_68002111 (it is the program RSUSR008_009_NEW) is built primarily for audit checks to give an output based on defined rule sets to check on the Seggregation of duties conflcits in users, and it checks on specific values ONLY. I think to check on specific values for this report is quite logical, because you dont expect the report to check on ranges since the report configuration is built on the transaction code, the critical objects and the values and it wouldnt make a lot of sense to have a range for S_TCODE and include all the critical objects and all the possible values for one authorization ID

Now, Imagine we have users having acccess to SU53, if you run RSUSR002 with S_TCODE as SU53 you would in all probability get a long list of User Id's , but ideally, you wouldnt want to have SU53 cnfigured as a critical transaction in S_BCE_6802111 - isnt it?

0 Kudos

Answer from Shekar sounds close to correct answer

but I would like to add that RSUSR002 did not capture the manual added object ( S_tcode ) with C* instead of CAT2 last week.

that became an issue for audit purposes.

Regards

0 Kudos

Hi experts.

Thanks for your knowledge. The question was answered.

Now, I only have two points to your comments.

1 .- It is correct Mr Shekar.

2 - I do not like in some cases the program RSUSR02. The reason is that I can use a <> symbol in the selection of data values for the authorization of an authorization object.

For example, a batch input fails. A user should be able to evaluate the log of the batch to study the error. But perhaps I should not do any other action with the batch.

This program does not allow me to search for users who can do anything other than the SM35 evaluate the log.

I thought then that maybe I could use this program for users who have some critical transaction. In some cases the definition of critical low-level authorization object and value in others cases just the transaction.

Perhaps the simplest answer to my problem is: "Please David, use the GRC."

Thank for your help.

Best regards David Sánchez.

Former Member
0 Kudos

My understanding of your question is that the range is in the authorization values and not the selection you are making.

Check your release and SP levels against OSS. There are several notes on both approaches and incorrect answers they can produce.

Not using ranges helps - also for many other problems!

Cheers,

Julius