Application Development Discussions
No. of users authorised to reset/change passwords in SAP EWA report

former_member325638
Participant
0 Kudos

Hi All.

In the earlywatch reports; we can see below details about users with critical authorizations

"10.2.4 Users Authorized to Reset/Change User Passwords

The following users are authorized to change and reset the passwords of all users. This is very risky because these users could change the password of users and log on as these users themselves. The only consequence would be that the real user would no longer be able to log on because the password was changed. In this case, however, the password is normally reset because it may be that the real user has forgotten his or her password.

001  2   3
100  91  55540

Authorization objects:
Object 1: S_TCODE with TCD=SU01 or TCD=OIBB or TCD=OOUS or TCD=OPF0 or TCD=OPJ0 or TCD=OVZ5
Object 2: S_USER_GRP with ACTVT=05"

But when we check all number of users (active or inactive) which have access to SU01, it comes out as 22. Could anyone please advise how we can find the output as above (No. of users authorised to reset/change passwords) to verify the data in EWA is correct? We have received concerns from management over the number 91 and need to validate it.

Thanks

Varun

1 ACCEPTED SOLUTION

Former Member
0 Kudos

For something as critical as resetting passwords, you should not care about something as silly as a transaction code authorization.

As you can see, there are other transactions which can also reset passwords and the ability to do so is not only limited to transaction codes.

In this case, most likely you have taken the bait of some SU24 proposals for transactions and SU53 screenshots which have nothing to do with resetting passwords, but it was added anyway...

See SAP Note 1646257 for the correction instructions of this check which can anyway be ignored in traces / SU53 in 99% of the cases.

Cheers,

Julius

ps: Also note that EWA does not care nor know about any decentral administration or use of the "CLASS" field of S_USER_GRP. It only cares that you could reset some password at all.

6 REPLIES

0 Kudos

Thanks Julius for the details. Any idea whether I can find those 91 users list in the system by using SUIM etc. I tried for the TCODES shown in EW report; and it showed 66 unique users instead of 91.

Regards

Varun

0 Kudos

Hi

1- You can get the list of user from t-code usmm -> click user classification.(if you want all the users)

2- Also in SUIM, there are multiple selection criteria under SUIM t-code -> users by complex selection criteria -> users by complex selection criteria (you can put tcode and auth objects accordingly).

3- If you are concerned about the audit point of view, you can set some rules like: if a user wants a password to be changed, then they should raise a ticket or send a mail.

4- You can monitor the change password data for a user from t code suim -> changed document (last option) -> For user -> put the sal codes or * (for all users and date).

Hope this will help you. Reply for any queries.

WR

Swati

0 Kudos

In the "action" column you will find the status as "password changed".

WR

Swati

0 Kudos

Hi Swati,

I have tried users by complex selection criteria in SUIM; but giving all conditions as in the screenshot of EWA above, it gives only 21 users. Whereas SU01 itself is with 44 users. I am not able to get a number as high as shown in EWA. Need to find users who can change the password for some other user.

Thanks

Varun

0 Kudos

Use RSUSR002 and enter object 1 as S_TCODE. Then try out all of the above transactions combined with object 2 = S_USER_GRP ACTVT = '05'.

Actually you can ignore tcodes. If someone can reset passwords, then you will want to know about it and not care about the tcode name...

Cheers,

Julius
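The script below is an added example and not code from this thread or from SAP. It replays the EWA check quoted in the question (object 1: S_TCODE with one of the listed transactions, object 2: S_USER_GRP with ACTVT=05) over a constructed set of users, using a simplified version of SAP's authorization value matching ('*', trailing-'*' patterns and low/high ranges), and compares that with a plain "who has SU01" count and with the tcode-free S_USER_GRP check Julius recommends. Like the EWA check, it ignores the CLASS field of S_USER_GRP; the user names and authorizations are made up.

```python
# Added example (not from the thread): compare three ways of counting users
# who can reset passwords, over a constructed set of user authorizations.
# Value matching approximates SAP's rules: '*' matches anything, a trailing
# '*' is a prefix pattern, and a non-empty high value makes a (low, high) range.

EWA_TCODES = {"SU01", "OIBB", "OOUS", "OPF0", "OPJ0", "OVZ5"}  # from the EWA text

def value_matches(low, high, candidate):
    """Does one authorization field value (low/high) cover `candidate`?"""
    if low == "*":
        return True
    if high:                          # range, e.g. ('OPF0', 'OPJ0')
        return low <= candidate <= high
    if low.endswith("*"):             # generic pattern, e.g. 'SU*'
        return candidate.startswith(low[:-1])
    return low == candidate

def has_value(auths, obj, field, candidate):
    """True if any authorization for `obj` grants `field` = candidate."""
    return any(a["object"] == obj and value_matches(a["low"], a["high"], candidate)
               for a in auths if a["field"] == field)

def has_tcode(auths, tcode):
    return has_value(auths, "S_TCODE", "TCD", tcode)

def can_reset_passwords(auths):
    """S_USER_GRP ACTVT 05 (lock/unlock, change password); tcode not considered."""
    return has_value(auths, "S_USER_GRP", "ACTVT", "05")

def ewa_rule(auths):
    """Object 1 (any listed tcode) AND object 2, as in the quoted EWA section.
    Objects are checked independently; SAP does not tie them to each other."""
    return (any(has_tcode(auths, t) for t in EWA_TCODES)
            and can_reset_passwords(auths))

def users_where(users, predicate):
    """Sorted user IDs for which the predicate holds."""
    return sorted(u for u, auths in users.items() if predicate(auths))

def auth(obj, field, low, high=""):
    return {"object": obj, "field": field, "low": low, "high": high}

# Constructed sample (hypothetical users); a flattened view of their authorizations.
SAMPLE_USERS = {
    "ADMIN1": [auth("S_TCODE", "TCD", "SU01"), auth("S_USER_GRP", "ACTVT", "05")],
    "ADMIN2": [auth("S_TCODE", "TCD", "*"), auth("S_USER_GRP", "ACTVT", "*")],
    "HR1":    [auth("S_TCODE", "TCD", "OPF0", "OPJ0"), auth("S_USER_GRP", "ACTVT", "05")],
    "DEV1":   [auth("S_TCODE", "TCD", "SU*"), auth("S_USER_GRP", "ACTVT", "03")],
    "BATCH":  [auth("S_USER_GRP", "ACTVT", "05")],   # no S_TCODE at all (RFC/batch user)
}
```

Running `users_where(SAMPLE_USERS, ...)` with the three predicates shows why the numbers in the thread disagree: the SU01-only list includes DEV1 (who cannot reset anything) and misses HR1, while BATCH appears only in the tcode-free check.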