
ARQ: Does LDAP User Search action require any special authorization for requester???

former_member184114
Active Contributor
0 Kudos

Hi All,

I was wondering if a requester needs to be given any special authorization to search users in LDAP.

I ask because I have noticed that a requester cannot search users from LDAP. However, another user, who is a super user in the GRC system and has the SAP_ALL profile assigned, can search users from LDAP easily!

This is the only difference I have noticed between these two users, and I am not sure what authorizations should be granted to the requester to search users from LDAP. I have tried to find the relevant auth. object in his role "SAP_GRAC_ACCESS_REQUESTER" but could not find it. I also checked the security guide for this but did not get any details.

Can anyone advise?

Regards,

Faisal

Accepted Solutions (1)

alessandr0
Active Contributor
0 Kudos

Dear Faisal,

Check in SLG1 what authorization is missing for the user who cannot search from LDAP.

Regards,

Alessandro

alessandr0
Active Contributor
0 Kudos

Dear Faisal,

I assume that authorization object S_LDAP must be authorized with activity 3 (Display) and 51 (Initialize). But as mentioned, you will find the issue in SLG1, or alternatively you can check via a system trace (ST01) for the authorization check.

Regards,

Alessandro

former_member184114
Active Contributor
0 Kudos

Dear Alessandro,

I added this object in the "YAC_ACCESS_REQUESTER" role (copied from SAP_GRAC_ACCESS_REQUESTER) and maintained the LDAP connector details.

However, the requester still cannot search users from LDAP.

Any advice, please?

Regards,

Faisal

alessandr0
Active Contributor
0 Kudos

What does SLG1/ST01 say? Did you check?

former_member184114
Active Contributor
0 Kudos

No logs are found in SLG1 for the requester and I did not check in ST01.

Can you please help me with how I can trace this using ST01?

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

Alessandro,

I switched on trace using ST01 for one of the requesters and viewed its details later. I found RC=4 or 12 for some of the auth. objects.

For example:

I opened one of the records and could see the above details. I am unable to interpret it further. Can you please assist with this?

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

Only value 51 (Initialize) was maintained in field ACTVT for object S_LDAP. I added 03 (Display) for the same field and it got through!

Regards,

Faisal

Answers (0)