09-04-2013 12:11 PM
Dear All,
I have close to 100 roles, where in the Authorization Object S_TABU_DIS is configured as below
Actvt 03
Authorization Group *
Actvt 02, 03
Authorization Group *
Few Display roles are configured like below
Actvt 03
Authorization Group *
Few Business Roles are configured like below
Actvt 02, 03
Authorization Group *
We have got a request from the management to update the Authorization Object S_TABU_DIS in all the 100 roles, such that each role should be updated with the respective Authorization Groups based on the Transaction Codes which use the Authorization Object S_TABU_DIS in that specific role.
For example: We have the below Transaction Codes in different roles which use the Authorization Object S_TABU_DIS. Currently those Roles are configured for both Change/Display for all Authorization Groups.
Role 1. KO30, KO32, OA90, OAVI, OAW3
Role 2. KO30, KSPI, KSS4
Role 3. KB61, KB64, KB65, KSII, KSS2
I need to find out which Authorization groups are used by each Transaction Code. Do we have a Program/Report in SAP?
I did suggest to put on a trace and run each Transaction Code and find the Authorization Group, however this is time consuming. Looking for an alternative.
Please help on this.
Regards
09-05-2013 7:03 AM
Hi Security 13 Team
You can obtain some of the transaction to S_TABU_DIS mapping where the transaction code is an SM30/31/34 call.
To do this, you can go to table TSTCP in ALV mode and filter for PARAM contains '/*SM3*'. Within the PARAM results you can locate the tables/views/etc and then go to table TDDAT to look up the table to auth group mapping.
This will not give you transactions where the program contains a call for S_TABU_DIS. You might be able to look at SU24 data (USOBT_C and USOBX_C) to see if there are any proposals.
After that you may need to look at testing each transaction in the roles and mapping them out - back to your comment about testing/tracing each transaction.
As another consideration, if you are being asked to lock down S_TABU_DIS you should also consider removing it as much as possible and granting S_TABU_NAM to the specific table instead.
Mess in a system is always time consuming to clean up.
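The TSTCP-to-TDDAT lookup described in the reply above, as an added example that is not part of the original post. It assumes both tables were exported from SE16 to CSV, that the SM30/SM31 parameter field is VIEWNAME and the SM34 one is VCLDIR-VCLNAME, and it uses constructed Z* sample rows rather than real system data.

```python
import csv, io, re

# Constructed sample exports (not real system data). TCODE/PARAM and
# TABNAME/CCLASS are the field names of TSTCP and TDDAT.
TSTCP_CSV = """TCODE,PARAM
ZDEMO1,/*SM30 VIEWNAME=ZV_DEMO_A;UPDATE=X;
ZDEMO2,/NSM30 VIEWNAME=ZV_DEMO_B;SHOW=X;
ZDEMO3,/*SM34 VCLDIR-VCLNAME=ZVC_DEMO;UPDATE=X;
ZDEMO4,/*SE16 DATABROWSE-TABLENAME=ZT_DEMO;
ZDEMO5,/*SM31 VIEWNAME=ZT_DEMO_C;UPDATE=X;
"""
TDDAT_CSV = """TABNAME,CCLASS
ZV_DEMO_A,ZFIN
ZV_DEMO_B,ZCO
"""

# "/*" or "/N", the called transaction (SM30/SM31/SM34), then FIELD=VALUE; pairs
PARAM_RE = re.compile(r"^/[*N](SM3[014])\s+(.*)$", re.I)

def parse_param(param):
    """Return (called_tcode, {field: value}) or None if not an SM3x call."""
    m = PARAM_RE.match(param.strip())
    if not m:
        return None
    pairs = (p.split("=", 1) for p in m.group(2).split(";") if "=" in p)
    fields = {k.strip().upper(): v.strip().upper() for k, v in pairs}
    return m.group(1).upper(), fields

def map_tcodes(tstcp_csv, tddat_csv):
    """Map each parameter transaction to (table/view, authorization group)."""
    groups = {r["TABNAME"]: r["CCLASS"]
              for r in csv.DictReader(io.StringIO(tddat_csv))}
    result = {}
    for row in csv.DictReader(io.StringIO(tstcp_csv)):
        parsed = parse_param(row["PARAM"])
        if parsed is None:
            continue  # S_TABU_DIS checks coded in programs are not visible here
        called, fields = parsed
        if called == "SM34":
            # View cluster: member views must be resolved separately;
            # "CLUSTER" is a marker used by this example only.
            result[row["TCODE"]] = (fields.get("VCLDIR-VCLNAME"), "CLUSTER")
        else:
            view = fields.get("VIEWNAME")
            # Tables without a TDDAT entry are checked against group &NC&.
            result[row["TCODE"]] = (view, groups.get(view, "&NC&"))
    return result

if __name__ == "__main__":
    for tcode, (obj, grp) in map_tcodes(TSTCP_CSV, TDDAT_CSV).items():
        print(tcode, obj, grp)
```

Transactions that do not appear in the output still need the SU24 review or trace mentioned in the reply.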
09-04-2013 7:52 PM
Hello,
In the standard menu, you can see this menu, so that you could use various information from flexible combination input.
Thanks.
09-05-2013 3:29 PM
Hi Lee,
Your solution has solved almost 70% of my task. For the rest of the transactions I need to put on a trace and find it manually.
Thank you!!.
Regards
09-05-2013 10:53 AM
Hi,
To check the previous values and update the new values for the auth. object 'S_TABU_DIS' in the roles, please try these steps:
Go to SUIM --> Roles --> By Authorization Values --> enter the auth object (S_TABU_DIS) and click on entry values. You shall be asked to enter ACTVT values and also the AUTH group. Enter the relevant ones and, once you see the roles, double click on any of the roles and modify the auth object values with the new values. Hope this helps.
Mj