
Many AO in SU24

Former Member
0 Kudos

Hi Friends,

I wanted to find out which authorization object is responsible for which transaction code. This I can find using a trace (ST01).

However, in SU24, for a particular transaction code, the proposal of many authorization objects is Yes, which means they will be loaded in PFCG.

My doubt is: when the trace (ST01) says 1 transaction code requires 1 authorization object to perform our activity, then why is the proposal of many A.O.s set to Yes in SU24?

Regards,

Bharath

1 ACCEPTED SOLUTION

arpan_paik
Active Contributor
0 Kudos

Guess you might have done with SU01 using... Now does this transaction require the same authorization for all the below actions?

1. Password reset, lock/unlock

2. User creation

3. User deletion

4. Role assignment

many more....

Regards,

Arpan Paik

8 REPLIES

0 Kudos

Hi Arpan,

Thanks for the information. I got your point.

So, for every functionality there is one authorization object. So whichever functionality we want to enable, we set the proposal to Yes for that A.O.

However, finding out the functionality of each A.O from ST01 and enabling them is a tedious process.

Is there an easy way to find the functionality of each A.O in order to set up SU24 during the security implementation?

What is the best approach followed to set up SU24?

Regards,

Bharath

0 Kudos

Hi Bharath

finding out the functionality of each A.O from ST01 and enabling them is a tedious process.

Is there an easy way to find the functionality of each A.O in order to set up SU24

Giving all the access for a transaction in one go to make it easy probably means you're missing the point of S&A finesse, and you'll not really understand what, why and where things are happening, and will be allowing more access than needed. Take 'tedious' as 'interesting'...

Cheers

David

0 Kudos

Hi Bharath,

During security implementations the thrust lies on tcode segregation and not much on functionalities within a tcode... With the SU01 example provided earlier, usually it becomes evident that if someone is authorized to use SU01 then he should have all functionalities within the tcode unless the business/IT confirms that there is a segregation within User admins...

So in short, we can have SU01 added to the roles and the required A.O will be populated automatically... (with all Check/Maintain objects)... Maybe it is worthwhile to spend considerable time with the business to identify any specific requirements with Enjoy transactions and Finance Post/Park tcodes, where usually there would be some requirements to segregate users by functionality within the same tcode. Such business workshops would be interesting, as quite a few times the process teams bump across multiple tcodes that can perform the same functionality and the teams sprint to get the new tcode added to their respective users.

Hope it helps..

~Sri

0 Kudos

SU24 should only be maintained if it is required. For custom also you need to maintain it. Now take SU01 as an example. The admin is allowed to reset passwords only. You can deactivate other objects rather than S_USER_GRP inside the role itself instead of maintaining SU24, as in some other role other objects are required.

On the other hand, do not rely on the trace blindly. Try to relate objects with transactions. You may find many business transactions calling BC class objects. Also explore the object documentation in SU21. Alternatively, inside the role, double-click on the object description to read the documentation. Really interesting.

regards,

Arpan Paik

former_member204634
Participant
0 Kudos

Hi Bharath,

Can you let us know which transaction you are referring to? It's possible that the activity you are going to perform inside that t-code requires an authorization check for just one authorization object, while for some other scenario or some other task it may require an authorization check on some other objects, and hence they may not show up in the ST01 trace.

You can also find out which authorization object is pulled into the authorization data tab when a t-code is added to a role inside PFCG by clicking on the "sun-mountain" type button beside the status of that authorization object (i.e. on the left-hand side of the status of the object, e.g. standard/maintained etc.), or you can check the SAP program corresponding to the t-code and check for the authorization checks performed and the objects called.

Hope it helps.

Best Regards,

Prashant Tripathi

Former Member
0 Kudos

Hi Bharath,

You are only getting one A.O in the ST01 trace because the user might not have performed the entire functionality of that T-code. If the entire functionality had been performed, there would have been other objects as well which would have been checked; that's why so many A.O are maintained at SU24 level.

The best way to Maintain SU24 is by initially performing a test of that T-code with functional people by providing them wider access and run a trace in the background which will capture all the objects that will be called for a particular T-code and then accordingly you can maintain the SU24 values.

Thanks.

Former Member
0 Kudos

Hi,

Authorization objects are maintained in SU24 for a particular transaction code. When a transaction code is added to a role, only the authorization objects maintained for that tcode that have Check as the check indicator value and Yes as the proposal value will be added into the role group.

Proposal YS means the object will be inserted along with the values in the role. The object will be checked along with the values during runtime of the transaction.

Proposal No means this object will not be inserted into the roles. A check on the object along with the values will be done during the runtime of the transaction.

In your example, you may have done only one particular activity of that particular tcode. So the trace result is showing only one authorization object related to your performed activity.

When you perform other activity(ies), the related authorization object(s) will be displayed in the trace results.

Regards,

Vinod.
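
The rule described in the replies above (check indicator Check plus proposal Yes puts an object into the role, while a trace only shows what the traced activity touched), as an added example that is not part of any reply or of SAP's own tooling. The CSV columns, the trace records and the check/proposal settings are constructed sample data, not a real SU24 export or ST01 output.

```python
import csv
import io

# Constructed SU24-style rows for one transaction (not real SU24 data).
# Column names are hypothetical; values follow the thread's wording.
SU24_EXPORT = """tcode,object,check,proposal
SU01,S_USER_GRP,check,yes
SU01,S_USER_AGR,check,yes
SU01,S_USER_PRO,check,yes
SU01,S_USER_SAS,check,no
"""

# Constructed trace records for a single traced activity.
# Simplified on purpose; this is not the ST01 output format.
TRACE = [
    {"activity": "reset password", "tcode": "SU01", "object": "S_USER_GRP"},
]


def load_su24(text):
    """Parse the constructed export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def proposed_for_role(rows, tcode):
    """Objects inserted into a role: indicator 'check' AND proposal 'yes'."""
    return {r["object"] for r in rows
            if r["tcode"] == tcode
            and r["check"] == "check" and r["proposal"] == "yes"}


def compare(rows, trace, tcode):
    """Relate SU24 proposals to what one trace run actually exercised."""
    proposed = proposed_for_role(rows, tcode)
    checked = {r["object"] for r in rows
               if r["tcode"] == tcode and r["check"] == "check"}
    seen = {t["object"] for t in trace if t["tcode"] == tcode}
    return {
        "exercised": sorted(proposed & seen),
        "proposed_but_not_traced": sorted(proposed - seen),
        "checked_without_proposal": sorted(checked - proposed),
        "traced_but_not_proposed": sorted(seen - proposed),
    }


if __name__ == "__main__":
    for name, objects in compare(load_su24(SU24_EXPORT), TRACE, "SU01").items():
        print(f"{name}: {objects}")
```

Objects under `proposed_but_not_traced` are candidates to review per role, not proof that they are unneeded; the trace covered only one activity.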