Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Is there a way in SAP to check what all Authorization Groups are used by Transaction Codes.

Go to solution
Former Member

‎09-04-2013 12:11 PM

0 Kudos

Dear All,

I have close to 100 roles, where in the Authorization Object S_TABU_DIS is configured as below

Actvt 03

Authorization Group *

Actvt 02, 03

Authorization Group *

Few Display roles are configured like below

Actvt 03

Authorization Group *

Few Business Roles are configured like below

Actvt 02, 03

Authorization Group *

We have got a request from the management to update the Authorization Object S_TABU_DIS in all the 100 roles..such that each role should be updated with the Respective Authorization Groups based on the Transaction Codes which use the Authorization Object S_TABU_DIS in that specific role.

For Example: We have the beow Transaction Codes in different roles which user the Authorization Object S_TABU_DIS. Currently we that Roles are configured for both Change/Display for all Authorization Groups.

Role 1.  KO30, KO32, OA90, OAVI, OAW3
Role 2.  KO30, KSPI, KSS4
Role 3.  KB61, KB64, KB65, KSII, KSS2

I need to find out which Authorization groups are used by each Transaction Code. Do we have a Program/Report in SAP?

I did suggested to put on a trace and run each Transaction Code and find the Authorization Group, however this is time consuming. Looking for an alternative.

Please help on this.

Regards

1 ACCEPTED SOLUTION

Go to solution
Colleen
Advisor
Advisor

‎09-05-2013 7:03 AM

0 Kudos

Hi Security 13 Team

You can obtain some of the transaction to S_TABU_DIS mapping where the transaction code is an SM30/31/34 call

To do this, you can go to table TSTCP in ALV mode and filter for PARAM contains '/*SM3*'. Within the PARAM results you can locate the tables/views/etc and then go to table TDDAT to look up the table to auth group mapping.

This will not give you transactions where the program contains a call for S_TABU_DIS. You might be able to look at SU24 data (USOBT_C and USOBX_C) to see if there are any proposals.

After that you may need to look at testing each transaction in the roles and mapping them out - back to your comment about testing/tracing each transaction.

As another consideration, if you are being asked to lock down S_TABU_DIS you should also consider removing it as much as possibly and granting S_TABU_NAM to the specific table instead.

Mess in a system is always time consuming to clean up.

4 REPLIES 4

Go to solution
Former Member

‎09-04-2013 7:52 PM

0 Kudos

Hello,

In the standard menu,

you can see this menu. so that you could use various information from flexible combination input.

Thanks.

Preview file
62 KB

Go to solution
Colleen
Advisor
Advisor

‎09-05-2013 7:03 AM

0 Kudos

Hi Security 13 Team

You can obtain some of the transaction to S_TABU_DIS mapping where the transaction code is an SM30/31/34 call

To do this, you can go to table TSTCP in ALV mode and filter for PARAM contains '/*SM3*'. Within the PARAM results you can locate the tables/views/etc and then go to table TDDAT to look up the table to auth group mapping.

This will not give you transactions where the program contains a call for S_TABU_DIS. You might be able to look at SU24 data (USOBT_C and USOBX_C) to see if there are any proposals.

After that you may need to look at testing each transaction in the roles and mapping them out - back to your comment about testing/tracing each transaction.

As another consideration, if you are being asked to lock down S_TABU_DIS you should also consider removing it as much as possibly and granting S_TABU_NAM to the specific table instead.

Mess in a system is always time consuming to clean up.

Go to solution
Former Member
In response to Colleen

‎09-05-2013 3:29 PM

0 Kudos

Hi Lee,

Your solution has solved almost 70% of my Task. For Rest of the Transactions I need to put on a trace and find it manually.

Thank you!!.

Regards

Go to solution
former_member186775
Contributor

‎09-05-2013 10:53 AM

0 Kudos

Hi,

To check, the previous values and update the new values for the auth.obj ' S_TABU_DIS '  in the roles, please try these steps

Goto SUIM -->Roles-->By Authorization values -->entry auth object (S_TABU_DIS) and click on entry values. You shall be asked to enter ACTVT values and also the AUTH group. Enter the relevant ones and ..once you see the roles, double click on any of the role and modify the auth object values with the  new values. Hope this helps.

Mj