
Tcodes F-02, FB01, F-07, F-06 were unfortunately assigned to many users

mariks
Participant
0 Kudos

Hi All,

Unfortunately, we have given authorization for tcodes F-02, FB01, F-07, F-06, F-04, FB50 to many users.

Question: Where can I find, in one screen, the roles with a t-code and whether each role has been assigned to a user ID or not?

I am expecting the result (below) once I give the input as F-02. Kindly provide the t.code or path to find the below result.

|   | T.code | Role | User ID |
|---|--------|------|---------|
| 1 | F-02   |      |         |
| 2 |        |      |         |
| 3 |        |      |         |

Kindly advise how I can remove the authorization (above t.codes) from unnecessary users, or share your valuable suggestions.

Thanks in advance.

Kind regards,

Mariks.

4 REPLIES

Former Member
0 Kudos

Hi,

You won't find one individual report to give you this information, but there are several reports/tools that together will provide this information.

The User Information System (transaction SUIM) provides a variety of access-related reports. You will probably want to start with the 'Roles by Complex Criteria' report and enter the tcode and, if appropriate, z* in the role field. Once in this report you can select individual roles and see what users they are assigned to. You can find out more information on the User Information System at User Information System - Identity Management - SAP Library

Another useful reporting tool would be the overview report in PFCG.  You could use the output from above in the selection parameters of the overview screen to identify which of the roles containing those transaction codes are assigned to a user.

Former Member
0 Kudos

Hi,

Maybe the damage is not too bad and the users that have the transactions wrongly assigned to them did not execute them? You can check by looking at the STAD data (and/or the SM20 audit log if this is activated).

A standard overview with this kind of useful information is not (yet?) available as far as I know. But you can combine table/report output and create a customized report like Patrick's example. Or use tooling that is available on the market for security concept audits/analysis.

Former Member
0 Kudos

Hi Mariks,

If all the codes mentioned above are present in the role menu, then you can use tables agr_tcodes and agr_users, and a bit of vlookup can help you.

If not, then SUIM can help you.

Business process owners and security analysts with the help of SOD can tell you which users can have which access.

Cheers
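
Added example, not part of the original thread: the agr_tcodes / agr_users lookup suggested in the reply above, done as a join over two CSV exports instead of a spreadsheet vlookup. The CSV layout, the YYYYMMDD date format and all role and user names are assumptions (constructed sample data); as the reply notes, this only covers t-codes maintained in the role menu.

```python
import csv
import io
from datetime import date

# Constructed sample exports of AGR_TCODES and AGR_USERS (e.g. saved from SE16).
# Role names, user names and dates are made up for illustration.
AGR_TCODES_CSV = """AGR_NAME,TCODE
Z_FI_POSTING,F-02
Z_FI_POSTING,FB01
Z_FI_DISPLAY,FB03
Z_FI_CLERK,F-02
Z_FI_UNUSED,F-02
"""
AGR_USERS_CSV = """AGR_NAME,UNAME,FROM_DAT,TO_DAT
Z_FI_POSTING,ALICE,20230101,99991231
Z_FI_POSTING,BOB,20230101,20231231
Z_FI_CLERK,CAROL,20240101,99991231
Z_FI_DISPLAY,DAVE,20230101,99991231
"""

def roles_and_users(tcode, tcodes_csv, users_csv, today):
    """Return (tcode, role, user) rows for one t-code.

    user is None when the role has no assignment valid on `today`, which
    answers the "assigned or not" part of the question.
    """
    key = today.strftime("%Y%m%d")  # assumed export date format
    wanted = tcode.strip().upper()
    # Step 1: roles whose menu contains the t-code (AGR_TCODES).
    roles = sorted({r["AGR_NAME"] for r in csv.DictReader(io.StringIO(tcodes_csv))
                    if r["TCODE"].strip().upper() == wanted})
    # Step 2: users per role, skipping expired or not-yet-valid assignments.
    users_by_role = {}
    for r in csv.DictReader(io.StringIO(users_csv)):
        if r["FROM_DAT"] <= key <= r["TO_DAT"]:
            users_by_role.setdefault(r["AGR_NAME"], set()).add(r["UNAME"])
    # Step 3: the "vlookup": one output row per (role, user) pair.
    rows = []
    for role in roles:
        users = sorted(users_by_role.get(role, ())) or [None]
        rows.extend((wanted, role, u) for u in users)
    return rows

if __name__ == "__main__":
    report = roles_and_users("F-02", AGR_TCODES_CSV, AGR_USERS_CSV, date(2024, 6, 1))
    for i, (tc, role, user) in enumerate(report, 1):
        print(i, tc, role, user or "(not assigned)")
```
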

Former Member
0 Kudos

You first need to find out from the change request what the intention was, and then how it got into the wrong roles.

I faintly suspect that you are using composite roles and "doctored" the wrong single or that single was "poached" by wrong composites.

When I see things like this happening I always check to see whether there is a concept (design) error and whether this noticed error is just the tip of the iceberg.

From experience, it is 9 times out of 10 more efficient to redesign than to try to fix a mess of composite problems.

My 2 cents (you need to provide more information!),

Julius