12-02-2013 4:55 PM
Hi All,
T-codes: F-02, FB01, F-07, F-06, F-04, FB50. Unfortunately, we have given authorization for these to many users.
Question: Where can I find, in one screen, the roles with the t-code and whether each role has been assigned to a user ID or not?
I am expecting the result below once I give the input as F-02. Kindly provide the t-code or path to find the below result.
| | T.code | Role | User ID |
| 1 | F-02 | | |
| 2 | | | |
| 3 | | | |
Kindly advise how we can remove the authorization (above t-codes) from unnecessary users, or share your valuable suggestions.
Thanks in advance.
Kind regards,
Mariks.
12-02-2013 7:22 PM
Hi,
You won't find one individual report to give you this information, but there are several reports/tools that together will provide this information.
The User Information System (transaction SUIM) provides a variety of access-related reports. You will probably want to start with the 'Roles by Complex Criteria' report and enter the tcode and, if appropriate, z* in the role field. Once in this report you can select individual roles and see what users they are assigned to. You can find out more information on the User Information System at User Information System - Identity Management - SAP Library
Another useful reporting tool would be the overview report in PFCG. You could use the output from above in the selection parameters of the overview screen to identify which of the roles containing those transaction codes are assigned to a user.
12-02-2013 8:40 PM
Hi,
Maybe the damage is not too bad and the users that have the transactions wrongly assigned to them did not execute them? You can check by looking at the STAD data (and/or the SM20 audit log if this is activated).
A standard overview with this kind of useful information is not (yet?) available as far as I know. But you can combine table/report output and create a customized report like Patrick's example. Or use tooling that is available on the market for security concept audits/analysis.
12-02-2013 8:44 PM
Hi Mariks,
If all the codes mentioned above are present in the role menu, then you can use the tables
agr_tcodes and agr_users, and a bit of vlookup can help you.
If not, then SUIM can help you.
Business process owners and security analysts with the help of SOD can tell you which users can have which access.
Cheers
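The lookup suggested in this reply, joining downloads of agr_tcodes and agr_users to get the T-code | Role | User ID view asked for in the question, as an added example that is not part of the original post. The role names, user IDs and rows are constructed; the tab-separated layout and YYYYMMDD validity dates are assumptions about how the tables were exported, and as the reply says this only covers t-codes held in the role menu.

```python
import csv
import io
from datetime import date

# Constructed sample downloads (not real data), tab-separated.
AGR_TCODES_EXPORT = (
    "AGR_NAME\tTCODE\n"
    "Z_FI_GL_POST\tF-02\n"
    "Z_FI_GL_POST\tFB50\n"
    "Z_FI_AP_CLERK\tF-02\n"
    "Z_FI_DISPLAY\tFB03\n"
    "Z_FI_UNUSED\tF-02\n"
)
AGR_USERS_EXPORT = (
    "AGR_NAME\tUNAME\tFROM_DAT\tTO_DAT\n"
    "Z_FI_GL_POST\tJSMITH\t20130101\t99991231\n"
    "Z_FI_GL_POST\tAKUMAR\t20120101\t20130630\n"  # assignment already expired
    "Z_FI_AP_CLERK\tMLEE\t20130901\t99991231\n"
    "Z_FI_DISPLAY\tJSMITH\t20130101\t99991231\n"
)

def read_export(text):
    """Parse a tab-separated table download into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))

def roles_and_users_for_tcode(tcode, agr_tcodes, agr_users, on_date):
    """Return sorted (tcode, role, user) rows for one t-code.

    user is None when the role has no assignment valid on on_date, so
    roles that carry the t-code but are unassigned stay visible.
    """
    day = on_date.strftime("%Y%m%d")  # YYYYMMDD strings compare correctly
    users_by_role = {}
    for row in agr_users:
        if row["FROM_DAT"] <= day <= row["TO_DAT"]:
            users_by_role.setdefault(row["AGR_NAME"], set()).add(row["UNAME"])
    wanted = tcode.upper()
    roles = sorted({r["AGR_NAME"] for r in agr_tcodes
                    if r["TCODE"].upper() == wanted})
    result = []
    for role in roles:
        users = sorted(users_by_role.get(role, ())) or [None]
        result.extend((wanted, role, user) for user in users)
    return result

if __name__ == "__main__":
    rows = roles_and_users_for_tcode("F-02", read_export(AGR_TCODES_EXPORT),
                                     read_export(AGR_USERS_EXPORT),
                                     date(2013, 12, 2))
    for tc, role, user in rows:
        print(f"{tc} | {role} | {user or '(not assigned)'}")
```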
12-02-2013 9:07 PM
You first need to find out from the change request what the intention was, and then how it got into the wrong roles.
I faintly suspect that you are using composite roles and "doctored" the wrong single or that single was "poached" by wrong composites.
When I see things like this happening I always check to see whether there is a concept (design) error and whether this noticed error is just the tip of the iceberg.
From experience, it is 9 times out of 10 more efficient to redesign than to try to fix a mess of composite problems.
My 2 cents (you need to provide more information!),
Julius