Authorization to a single Transaction

former_member654002
Participant
0 Kudos

Hi,

I am a novice in authorization issues, but I have a need that I will describe in the following lines:

I need to assign t-code FDTA to a single user.

How can I do that? And how can I know which users are using the t-code at a single moment?

Thank you for your answers.

Best Regards

João Fernandes

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

A transaction code is attached to a role, and a role is attached to a user.

You cannot attach a transaction code directly to the user.

A role can contain several transaction codes, and one role can be assigned to as many users as you want.

If you want to remove one or several transaction codes from a user, first you have to unassign or remove the transaction code from the role which contains it. Don't forget to regenerate the authorization profile after removing the transaction code.

Example:

User A is assigned roles ZA, ZB and ZC.

Role ZA contains tcodes FDTA and SU53.

Role ZB contains SM37 and SP02.

Role ZC contains FDTA.

If you want to remove FDTA from user A, then you have to remove FDTA from roles ZA and ZC.

Hope it helps you.

rgds,

Alfonsus Guritno

16 REPLIES

Former Member
0 Kudos

Hi,

Follow these steps:

- go to PFCG
- submit a new role name, e.g. Z_TEST
- save
- on tab MENU
- add transaction FDTA
- assign transaction
- go to tab authorization
- save
- go to the pencil button: change authorization data
- on the popup window: define organization level, submit your company code
- submit the necessary values for the given authorization objects; in this example there are two authorization objects: S_TMS_ACT and F_REGU_BUK
- change the values to suit your needs
- all authorization objects should be green (maintained)
- click the round red-and-white button (generate) or press Shift+F5
- for the proposed profile name, accept it by clicking the check button
- press the back button (don't press save, you need to generate again if you press save here)
- on tab user, assign to your user
- press user comparison
- complete comparison
- save? yes
- then save again to make sure

If you wish to check when and where a user is using that tcode, use tcode STAD.

Submit the username (and/or) transaction, and the time period you wish to evaluate, then press ENTER.

Hope it helps you.

rgds,

Alfonsus Guritno

Former Member
0 Kudos

Joao,

"How can i know what users are using the t-code in a single moment"

Use the "User information system" with transaction SUIM.

Since you are trying to determine a list of users, click on users > users by complex selection > by transaction authorizations.

Enter the transaction code, execute.

Lotsa other ways within SUIM to look at other authorization data as well.

Best Regards,

DB49

former_member187989
Active Contributor
0 Kudos

Use t.code S_ALR_87101201 - Currently active users.

Edited by: Jeyakanthan A on Nov 28, 2010 2:51 PM

Former Member
0 Kudos

Hi,

..or you can use AL08 to see "who is doing what" in a global view.

Use the filter option to filter by transaction code, username or terminal.

Hope it helps you.

rgds,

Alfonsus Guritno

0 Kudos

Hi Alfonsus,

Thank you for your answers. They are very useful.

So I have an additional question.

How can I erase the transaction from the other users that I do not want to use it?

Best Regards

João Fernandes

0 Kudos

Hi Joao,

You need to remove the users who are assigned to the role that has transaction FDTA.

You can find the list of users who are assigned to FDTA by running SUIM->Roles->By transaction assignment.

Put FDTA in this report and execute; you will get the roles that have FDTA. You then need to remove users from those roles.

0 Kudos

Hi,

Thank you.

I think that I am beginning to understand.

So of course I cannot remove FDTA from the role because it is a standard object, isn't it? (S_TMS_ACT and F_REGU_BUK)

So my solution is to remove the entire role from the user?

How can I do that in a quick way?

Best Regards

João Fernandes

Former Member
0 Kudos

Hi,

Yes, S_TMS_ACT and F_REGU_BUK are the two authorization objects assigned to FDTA.

In this case you can't remove that, because your role consists of FDTA only, so when you remove FDTA, these two objects will be removed too, and at this point the role will have no authorization objects anymore, so it can't be generated.

It is a different case if your role has FDTA and, say, SPAD. If you remove FDTA from the role, authorization objects related only to FDTA will be removed, and authorization objects related to SPAD will remain there.

So if your role consists of FDTA only, from PFCG you can go to the user tab and remove the username you wish to unassign. That is the quickest way.

Hope it helps you.

rgds,

Alfonsus Guritno

0 Kudos

Hi Alfonsus,

I am almost done. You helped me very much and you deserve the points.

But I have a last problem: I removed objects S_TMS_ACT and F_REGU_BUK from all the roles assigned to a user, but after that transaction FBDT is still executable by the user.

What am I doing wrong?

Best Regards

Joã

Former Member
0 Kudos

Hi,

As per your query, create a new role in PFCG and assign it to the said user.

Anil

Former Member
0 Kudos

Hi,

Glad to hear you have nearly resolved your issue.

From my previous illustration:

User A is assigned roles ZA, ZB and ZC.

Role ZA contains tcodes FDTA and SU53.

Role ZB contains SM37 and SP02.

Role ZC contains FDTA.

Addition:

User B is assigned role ZA only.

There are three approaches to prevent user access to a tcode:

1. Remove FDTA from the role (no need to unassign the role from the user).

In role ZA, tab menu, make sure that FDTA is not there if you want to completely remove FDTA from that role. In this case, any user assigned role ZA will not be able to execute FDTA. Don't forget to save any changes made. After that, go to the user tab and perform user comparison. Do the same for role ZC.

In this case user A and user B will not be able to execute FDTA.

2. Or unassign the role that contains FDTA from the user (no need to remove the tcode from the role).

If you just want user A to be unable to execute FDTA, from role ZA, tab user, remove user A from there, save it, then hit the user comparison button. Do the same for the other roles assigned to A that contain FDTA (in the example above = role ZC).

Review from SU01, tab role, that roles ZA and ZC are no longer there.

In this case, only user A is unable to execute FDTA. User B is still able to, because role ZA is still assigned to user B.

3. From SU01, tab profile, there is a powerful profile assigned there.

Some powerful profiles will give the user access to many tcodes. Make sure that you maintain user access only from roles, not from profiles, to simplify authorization audits. Remove unnecessary profiles that are assigned manually, and allow only profiles from roles to stay there (you can recognize them by profile name/description).

Tcode SUIM will help you a lot to trace user-role-tcode assignment.

- SUIM > transaction > executable for user (to see if user A is able to execute FDTA)
- SUIM > transaction > executable for role (see user A's roles, and review what tcodes can be executed by each role; if FDTA is listed there, review that role soon!)

I guess that you haven't performed user comparison, so changes to the role have not been reflected in the user master.

Or, my second assumption, there is a powerful profile assigned to that user.

Hope it helps you.

rgds,

Alfonsus Guritno
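
The three approaches from the post above, as an added example that is not part of the original thread: a simplified Python model of the user A / user B illustration that lists every path through which a user can still start a tcode and what else each change takes away. The profile name Z_POWER and its contents are hypothetical, and each role or profile is reduced to the set of tcodes it lets a user start.

```python
from copy import deepcopy

# Constructed model of the thread's illustration. Z_POWER is a hypothetical
# manually assigned profile; its contents are assumed for the example.
MODEL = {
    "role_tcodes": {"ZA": {"FDTA", "SU53"}, "ZB": {"SM37", "SP02"}, "ZC": {"FDTA"}},
    "user_roles": {"A": {"ZA", "ZB", "ZC"}, "B": {"ZA"}},
    "profile_tcodes": {"Z_POWER": {"FDTA", "SPAD"}},
    "user_profiles": {"A": {"Z_POWER"}, "B": set()},
}

def grant_paths(model, user, tcode):
    """Every role or manual profile through which `user` can start `tcode`."""
    roles = [("role", r) for r in model["user_roles"].get(user, ())
             if tcode in model["role_tcodes"][r]]
    profiles = [("profile", p) for p in model["user_profiles"].get(user, ())
                if tcode in model["profile_tcodes"][p]]
    return sorted(roles + profiles)

def executable(model, user):
    """All tcodes the user can start, from roles and manual profiles together."""
    out = set()
    for r in model["user_roles"].get(user, ()):
        out |= model["role_tcodes"][r]
    for p in model["user_profiles"].get(user, ()):
        out |= model["profile_tcodes"][p]
    return out

def remove_from_roles(model, tcode):
    """Approach 1: take the tcode out of every role (affects all users)."""
    m = deepcopy(model)
    for tcodes in m["role_tcodes"].values():
        tcodes.discard(tcode)
    return m

def unassign_roles(model, user, tcode):
    """Approach 2: unassign from one user each role that contains the tcode."""
    m = deepcopy(model)
    m["user_roles"][user] = {r for r in m["user_roles"][user]
                             if tcode not in m["role_tcodes"][r]}
    return m

def drop_manual_profiles(model, user, tcode):
    """Approach 3: remove manually assigned profiles that grant the tcode."""
    m = deepcopy(model)
    m["user_profiles"][user] = {p for p in m["user_profiles"][user]
                                if tcode not in m["profile_tcodes"][p]}
    return m

def collateral(before, after, user, tcode):
    """Tcodes other than the target that the user loses through the change."""
    return executable(before, user) - executable(after, user) - {tcode}
```

In this model, unassigning roles ZA and ZC from user A still leaves the Z_POWER path open, and `collateral` shows what each cleanup step costs the user besides FDTA.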

0 Kudos

Hi Alfonsus,

Thank you very much for your complete answer.

I am in situation 3. With your help I found a powerful profile.

I was not aware of the meaning of the profile in this question.

So I went to t-code SU02 and removed S_TMS_ACT from this profile. I generated it, but it seems that nothing happens. Even if I use SU01 to drill into the profile I can find S_TMS_ACT available to it.

Should I maintain the profile in SU02, or is there another way to do it?

Best regards and Thank you one more time

Best Regards

João Fernandes

Former Member
0 Kudos

Hi,

As I said in my previous explanation... maintain authorization from only one component: role or profile.

Maintaining transactions, roles and profiles concurrently will sometimes confuse you.

My suggestion: from SU01, tab profile, remove unnecessary profiles (maybe a powerful profile) that are assigned manually, and allow only profiles from roles to stay there (you can recognize them by profile name/description).

If you generate one role via PFCG, it will generate one profile (role-generated profile). So for user A, if you assign roles ZA and ZC to him:

- on SU01 tab role there are two roles, ZA and ZC, right?
- on SU01 tab profile there should be only two profiles with the descriptions: profile for role ZA and profile for role ZB (one role corresponds to one role-generated profile)
- remove any profile other than the two profiles mentioned above (profile for role ZA and profile for role ZB)

Remember that once you unassign a user from a role via PFCG, if you go back to SU01 tab role, the removed role should not be there anymore; and if you jump to tab profile, the corresponding profile (role-generated profile) from the removed role should not be there either.

Hope it helps you.

rgds,

Alfonsus Guritno

0 Kudos

Hi,

Thank you Alfonsus,

I agree with your point that I should maintain only roles.

But if I simply remove the profile I will remove many authorizations, so my helpdesk will collapse.

I need to remove this transaction now and then erase profiles gradually.

So how can I maintain the profile in a stand-alone way?

Best Regards

Joã

0 Kudos

Hi,

To edit a profile, use SU02.

Select the profile, and remove unnecessary authorizations from there.

Hope it helps you.

rgds,

Alfonsus Guritno