11-25-2013 10:31 PM
Hi All,
Recently we have upgraded to ECC EHP6 from ECC6. I am finding strange thing in security.
A user is able to access PU00 Tcode even though its not assigned to a user via any role.
I have checked in SAP Role Menu and in authorization data as well, but there is no PU00. Even I ran SUIM to see which roles contains PU00 Tcode but did not find the role which is assigned to the user, but user is able to access the PU00.
I even checked the TCD Couples and did not see any thing unusual. Here is the screenshot.
and also I am adding Su24 Screenshot for reference. Here it is
We do have other landscape for ECC6, where this is working fine means user is unable to access PU00 if it is not assigned via role.
I know this issue is happening because of EHP6 Upgrade only, but could not identify the reason to fix the problem.
Please let me know if any body had similar issue, how to handle this.
Regards,
Krishna
11-26-2013 4:17 PM
Hi All,
I have created the test users via Secatt script and after creation I did not validate the test users roles, by mistake secatt has assigned same role to all the user, which caused the issue.
Thanks for your interest and responses. I am closing this thread.
Regards,
Krishna R
11-26-2013 9:35 AM
Hi Krishna,
My client is also on EHP6 and we do not have this issue.
In case you used the SUIM report "Users by Transaction authorization", please note that this only checks transactions assigned through the role menu and will ignore any S_TCODE authorizations that were added manually to a role or acquired through a profile.
To make sure the user really doesn't have the authorization for PU00, please run following reports:
- SUIM - "Users by authorization values" using object S_TCODE and value PU00
- SU56 -> other user using the user's name and object S_TCODE. Search for value PU00 or any wildcards that match this transaction code (*, P*, ...)
Brent
11-26-2013 4:17 PM
Hi All,
I have created the test users via Secatt script and after creation I did not validate the test users roles, by mistake secatt has assigned same role to all the user, which caused the issue.
Thanks for your interest and responses. I am closing this thread.
Regards,
Krishna R