on 04-08-2014 1:02 PM
Dear Guru,
Could you please help me understand how to find the person who created an ABAP user via SAP IDM (7.2 SP9, Win2012R2, Oracle11g)?
The story was as follows:
1. A user in IDM had a role.
2. An administrator added privileges to this user's role; one of the privileges was PRIV:<SIDCLNT>:ONLY.
3. IDM ran the provisioning tasks and created the user in the ABAP system.
All was correct.
Now, after some time, I need to know who created the ABAP user in SAP.
I tried to find which tasks were processed for the user with mskeyvalue='104622':
select A.auditid, A.AuditRoot, A.RefAudit auditParent , A.userid , A.StartedBy, A.taskid,t.taskname, A.mskey, A.PostedDate, A.StatusDate, A.provstatus, A.LastAction , A.msg
from MXP_AUDIt A, MXP_tasks t where A.taskId = t.taskID
and A.msKey in (select mcmskey from idmv_entry_simple where mcmskeyvalue='104622' and MCentrytype='MX_PERSON')
and posteddate between to_date('17.03.2014 15:47','dd.mm.yyyy hh24:mi') and to_date('17.03.2014 15:50','dd.mm.yyyy hh24:mi')
order by auditroot,RefAudit
and see the result:
So I have auditid=159626 and auditroot=159625 for task "1. Create HR ABAP User".
That's all that I can find about it.
In this concrete situation I know that the administrator changed the user's role and, as a result, the user was created.
If I check MXP_AUDIT for the previous AUDITID values (159624, 159623, 159622, 159621), I can see that they are the audit IDs for the role change, with the same referenced value refaudit=159621:
select * from mxp_audit where refaudit=159621
My question is:
How can I connect these events: the role change (auditid=159621) and the start of provisioning (auditid=159625)?
Best regards,
Natalia.
Hi Natalia,
You can check table mxi_link, use this select:
SELECT * FROM mxi_link WHERE mcthismskey=<usermskey> AND mcothermskey=<privmskey>;
from here you can take: MCADDAUDIT and use it:
select * from mcmv_audit where auditref=<MCADDAUDIT>;
From the second result check: MCMV_MAKSSY and USER_ID and see if this will help.
Kind regards,
Simona
Hi Simona,
I tried your select, but it's not clear to me where the answer is:
select mcthismskey,mcothermskey,mcchangenumber,mcmodifyaudit,mcauditid,mcauditid,mclastaudit,MCADDAUDIT FROM mxi_link WHERE mcthismskey=56327
and mcmodifytime between to_date('17.03.2014 15:47','dd.mm.yyyy hh24:mi') and to_date('17.03.2014 15:50','dd.mm.yyyy hh24:mi') order by mcmodifytime
And then
select * from mcmv_audit where auditref=159625
I got the result:
But I don't see a connection between the provisioning audit and the "Change role" task.
best regards,
Natalia.
Simona,
The following is a formal description of the UserId field of the mxp_audit table:
UserId ::= UserMsKey | OnEvent | AttrEvent | EntryEvent
UserMsKey ::= Number -- MSKEY of user performing the operation
OnEvent ::= "+" TaskId ":" TaskName
TaskId ::= Number -- Id of task
TaskName ::= String -- Name of task
AttrEvent ::= "#" AttrId ":" Operation ";" CheckSum ";" OldValuesId
AttrId ::= Number -- ID of attribute
CheckSum ::= Number -- MD5 hash of entry
OldValuesId ::= Number -- Reference to mxi_old_values.old_ID
EntryEvent ::= "*" EntryId ":" Operation
EntryId ::= Number -- ID of entry
Operation ::= "INSERT" | "MODIFY" | "DELETE"
So it cannot be the MSKEY of a user: 601 is the number of the Deprovisioning task and 330 is the number of an attribute.
Best regards,
Natalia.
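An added example, not part of the original posts and not SAP code: a small parser for the UserId grammar quoted above, which separates audit rows started by a person (a bare MSKEY) from rows started by a task, attribute or entry event. The names `parse_userid` and `human_started` are hypothetical, the sample rows are constructed, and `Number` is assumed to be an unsigned decimal integer.

```python
import re
from typing import NamedTuple, Optional

OPERATION = r"(?P<op>INSERT|MODIFY|DELETE)"
# One pattern per alternative of the UserId production quoted in the post.
PATTERNS = {
    "UserMsKey": re.compile(r"(?P<id>\d+)"),
    "OnEvent": re.compile(r"\+(?P<id>\d+):(?P<name>.*)", re.S),
    "AttrEvent": re.compile(r"#(?P<id>\d+):" + OPERATION
                            + r";(?P<checksum>\d+);(?P<old>\d+)"),
    "EntryEvent": re.compile(r"\*(?P<id>\d+):" + OPERATION),
}

class AuditActor(NamedTuple):
    kind: str                      # which alternative of UserId matched
    ident: int                     # MSKEY, TaskId, AttrId or EntryId
    task_name: Optional[str] = None
    operation: Optional[str] = None
    checksum: Optional[int] = None
    old_values_id: Optional[int] = None  # mxi_old_values.old_ID

    @property
    def is_person(self) -> bool:
        # Only a bare number is the MSKEY of the user who performed the action.
        return self.kind == "UserMsKey"

def parse_userid(value: str) -> AuditActor:
    value = value.strip()
    for kind, pattern in PATTERNS.items():
        m = pattern.fullmatch(value)
        if m:
            g = m.groupdict()
            return AuditActor(
                kind, int(g["id"]), g.get("name"), g.get("op"),
                int(g["checksum"]) if g.get("checksum") else None,
                int(g["old"]) if g.get("old") else None)
    raise ValueError(f"not a valid mxp_audit UserId: {value!r}")

# Constructed (auditid, userid) pairs for illustration; not data from the thread.
SAMPLE_ROWS = [
    (1001, "56327"),                   # started by the person with this MSKEY
    (1002, "+601:Deprovision"),        # started by task 601 (name constructed)
    (1003, "#330:INSERT;12345;678"),   # triggered by a change to attribute 330
    (1004, "*56327:MODIFY"),           # triggered by an entry event
]

def human_started(rows):
    """Return the audit IDs whose UserId is a person's MSKEY."""
    return [auditid for auditid, uid in rows if parse_userid(uid).is_person]
```
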
Hi Simona,
I use the standard IDM task "Modify Role"; in this task I add SAP privileges to the role. As a result, the user who has been assigned this role gets the privilege PRIV:<SYSTEM>:ONLY. As a result, the system runs the standard provisioning tasks and the user is created in the SAP ABAP system (after the task "Create ABAP user").
Best regards,
Natalia.