- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- Authorization Checks data incorrect in SOLMAN EWA ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Authorization Checks data incorrect in SOLMAN EWA report
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-10-2012 1:19 PM
I am analyzing the authorization checks section of EWA report. I see the report is showing the incorrect data.
For example in report section "Users Authorized to Display all Tables" (S_TABU_DIS with ACTVT = 03 or 02 and DICBERCLS = *) I can see 50 users.Its ok.
but when I use SUIM to get the report of all roles with se16 or sm30 with the same criteria, i get the roles list but once I check the S_TABU_DIS for activity 03 or 02, I see DICBERCLS is maintained with authorization groups and not * which is shown in EWA report. I cross checked all the roles, but there is no single role matained with DICBERCLS= *. Than how the reports shows 50 users affected.
I think if we already have DICBERCLS maintained to authorization groups, than it should not be reported as DICBERCLS= * in EWA report.
Please let me know if its a known issue. Same case for other auth issues like SE38 report.(S_PROGRAM with P_ACTION=SUBMIT P_GROUP=*).
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-13-2012 8:01 PM
Is the report coded as this >S_TABU_DIS with ACTVT = 03 or 02 and DICBERCLS = *
or is it coded like this > S_TABU_DIS with ACTVT = 03 or 02 and DICBERCLS = "*"
the first one will return everything with 03 or 02 and all auth groups
the second one will return everything with 03 or 02 and only those with an auth group that is specifically *
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-10-2012 9:21 PM
try scanning your roles in agr_1251 looking for low value #* and field dicberclas
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-11-2012 9:15 AM
Perhaps the 50 users have SAP_ALL (manual profiles, and not roles..)?
Cheers,
Julius
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-11-2012 9:42 AM
SAP_ALL is not assigned to anyone in the organization.
I think EWA report uses SUIM report for search criteria. Because when I use SUIM -> users by authorization values, it report all the users. Than when I manaully goto user roles I see authorization group is already maintained and there is no DICBERCLS= * as EWA or SUIM reports.
Though agr_1251 shows that * is not assigned to the roles as SUIM/EWA report. So I wish to know is the SUIM and EWA reports are not reliable or its a known issue.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-12-2012 6:27 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-13-2012 8:01 PM
Is the report coded as this >S_TABU_DIS with ACTVT = 03 or 02 and DICBERCLS = *
or is it coded like this > S_TABU_DIS with ACTVT = 03 or 02 and DICBERCLS = "*"
the first one will return everything with 03 or 02 and all auth groups
the second one will return everything with 03 or 02 and only those with an auth group that is specifically *
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-13-2012 9:02 PM
Not quite correct, but often mimics the same as "*" is not a valid value to only fullfilled by a real *.
#* excapes the pattern and checks for a real *.
#** escapes the pattern, explodes the value range of the field and checks whether all values in the value range are included in the authorizations (* or ranges or select all).
But this was only consistently implemented in all reports a few years ago, so if the SP of the system is very old, then these operators might not work as expected.
CHeers,
Julius
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-17-2012 1:48 PM
Thanks Julius and Melissa,
i tried with both the suggestions "*" and #*, both provided the correct results in SUIM. And after analyzing the outputs, I think these are the correct roles which have * defined in authorization group.
But does EWA report provides the correct report or it reports the same incorrect result as auth group = * because I see EWA report providing more outputs that the actual results found by "*".
Is there any known issue related to it.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2012 9:18 AM
Hi Sameer,
Have you raised a message with SAP? I recently raised a message because I found some incorrect authorization check data in the Security Optimization Service (which I believe uses some of the EWA reports - I may be wrong on this).
SAP were very quick to test this and identify that there was an issue with the code, which should be resolved shortly.
One other thing you could check, if only because SAP will ask you about SAP_ALL, independently assigned profiles etc, is whether the affected users have a reference user assignment from which they are gaining the extra auths. From what you wrote above I doubt this is the case, but if you open an SAP message stating that you have checked all these possibilities, it will allow them to rule out any obvious causes and diagnose the problem more quickly.
- SAP Managed Tags:
- Security
