Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

To Find Users with critical authorization

Former Member

‎10-18-2006 3:26 PM

0 Kudos

Hello Gurus,

I am trying to retrieve users with critical authorization from SUIM transaction. The System is SAP R/3 4.6B.

For eg. To find Users with access to transaction SU01. Here is the search criteria: Based on Auth objects S_USER_AUT and S_USER_PRO with activity 01 or 02, the roles were extracted. Then Users assigned to that role are found.

Similarly, To find users with access to transaction SCC4.

Object Retrieved through S_TCODE with SCC4 and S_TABU_CLI with 'X' and S_TABU_DIS with activity 01 or 02 ,group 'ss'.

To find users with access to migrate transport to Production:

S_TRansport with 01 or 02 and 60 or 05

Is this the right way or what other search criteria i could use? Please help. It is kind of urgent.

Any help will be appreciated with Points.

Thanks.

5 REPLIES 5

Former Member

‎10-18-2006 4:45 PM

0 Kudos

Some comments which might help:

1) Be carefull In 46B... the SUIM reports have many errors. Make sure you have the various SAP notes installed (at least those for which 46B is still supported) otherwise chances are good that you will get a nonsense result for your search.

2) Do not include S_TCODE (e.g. = SU01 or SCC4) in the search for critical authorizations. If something is critical, you should not care how the user gets there.

3) For user / authorization management check also object S_USER_GRP and for more objects and activities.

For client maintenance you might also want to check whether table T000 actually has the authorization group 'SS' (table TDDAT field CLASS). Do not include SCC4 in the search.

For the transport management system, S_TRANSPRT is a good start. There are also more critical things here than just the user authorizations to create / release / import transports.

If you want to check up on objects and what the various fields and activities are documented to do, I recommend transaction SU21.

Good luck!

Former Member

‎10-18-2006 8:04 PM

0 Kudos

from se38 use report RSUSR008

Former Member
In response to Former Member

‎10-19-2006 10:32 PM

0 Kudos

Sorry to disagree with you Siva, but rsusr008 is about as usefull as a thermometer to find critical authorizations in SAP.

At release 46B, it is about as usefull as a thermometer filled with glue instead of mercury.

Forget about transaction codes when evaluating authorizations required for functionality which you consider to be critical.

Former Member

‎12-19-2006 3:36 PM

0 Kudos

Completed task with help/comments from post

manohar_kappala2
Contributor

‎12-20-2006 7:17 AM

0 Kudos

Hi,

my suggestion is that go from bottom up approach.

1)first list out the critical Auth Objects which are critical to your scenario(for eg S_TABU_DIS, S_DEVELOP,S_PROGRAM, S_ADMI_FCD, S_TRNSPRT, S_CTS_ADMI to name a few)

2) Then see who has the ACTVT field 01,02, 06 which might be risky, you might need to consider 03 for S_TABU_DIS also critical when it refers to HR tables.

3) then find the tcodes in the roles associated to that role which might use this access at Auth Obj.

4) And finally always depend on direct table data (SE16) for analysis rather than SUIM which might be error prone.

The tables which you can look for are AGR_1251 for getting critical Auth Objects and then the tcodes if you search with S_TCODE Auth Obj.

The above could be a way of doing it not necessary that this should be the only way, if you have other options which might give you results with significant level of accuracy and reliability then u can afford them too.

Regards,

Manohar