cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to select - Who did create ABAP user? Why Provisioning was started?

Former Member

on ‎04-08-2014 1:02 PM

0 Kudos

Dear Guru,

Could you please help me to understand how to find the person who created ABAP user via SAP IDM (7.2 SP9, Win2012R2, Oracle11g)?

The story was following:

1. User in IDM had role

2. Administrator add privileges to this user's role, one of privileges was PRIV:<SIDCLNT>:ONLY

3. IDM run Provisioning tasks and created user in ABAP system.

All was correct.

Now after some time I need to know who created ABAP user in SAP.

I try to find what tasks were processed  the user with mskeyvalue='104622':

select A.auditid, A.AuditRoot, A.RefAudit auditParent , A.userid , A.StartedBy, A.taskid,t.taskname, A.mskey, A.PostedDate, A.StatusDate, A.provstatus, A.LastAction , A.msg

from MXP_AUDIt A, MXP_tasks t where A.taskId = t.taskID

and A.msKey in (select mcmskey from idmv_entry_simple where mcmskeyvalue='104622' and MCentrytype='MX_PERSON')

and posteddate between to_date('17.03.2014 15:47','dd.mm.yyyy hh24:mi') and to_date('17.03.2014 15:50','dd.mm.yyyy hh24:mi')

order by auditroot,RefAudit

and see result:

So I have auditid=159626 and auditroot=159625 for task "1. Create HR ABAP User".

That's all that I can find about it.

In this concrete situation I know that administrator change the user's role and as result user was created.

If I check MXP_AUDIt for previous AUDITID values (159624,159623,159622,159621) I will really know that it's auditsid for role changing with same fererenced value refaudit=159621:

select * from mxp_audit where refaudit=159621

My question is:

how to connect these events: role change (auditid=159621) and Provisioning started (auditid=159625) ?

Best regards,

Natalia.

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎04-08-2014 1:24 PM
0 Kudos

Hi Natalia,

You can check table mxi_link, use this select:

SELECT * FROM mxi_link WHERE mcthismskey=<usermskey> AND mcothermskey=<privmskey>;

from here you can take: MCADDAUDIT and use it:

select * from mcmv_audit where auditref=<MCADDAUDIT>;

From the second result check: MCMV_MAKSSY and USER_ID and see if this will help.

Kind regards,

Simona

Show replies
Show replies
Former Member
‎04-08-2014 2:22 PM
0 Kudos

Hi Simona,

I tried your select, but it's not clear for me where is the answer:

mcthismskey,mcothermskey,mcchangenumber,mcmodifyaudit,mcauditid,mcauditid,mclastaudit,MCADDAUDIT  FROM mxi_link WHERE mcthismskey=56327

mcmodifytime between to_date('17.03.2014 15:47','dd.mm.yyyy hh24:mi') and to_date('17.03.2014 15:50','dd.mm.yyyy hh24:mi') order by mcmodifytime

And then

select * from mcmv_audit where auditref=159625

I got the result:

But I don't see connection between Provisioning audit and "Change role" task.

best regards,

Natalia.

Former Member
‎04-08-2014 2:41 PM
0 Kudos

Hi Natalia,

  Check the second result and see if the values into column USER_ID are mskeys of users.

For example, check:

  select * from idmv_vallink_basic where mskey=601;

or

  select * from idmv_vallink_basic where mskey=330;

BR,

Simona

Former Member
‎04-09-2014 7:09 AM
0 Kudos

Simona,

The following is a formal description of the UserId field of the mxp_audit table:

UserId

     ::= UserMsKey | OnEvent | AttrEvent | EntryEvent

UserMsKey

  ::= Number -- MSKEY of user performing the operation

OnEvent

    ::= “+” TaskId “:” TaskName

TaskId

     ::= Number -- Id of task

TaskName

   ::= String -- Name of task

AttrEvent

  ::= “#” AttrId “:” Operation “;” CheckSum “;” OldValuesId

AttrId

     ::= Number -- ID of attribute

CheckSum

   ::= Number -- MD5 hash of entry

OldValuesId

::= Number -- Reference to mxi_old_values.old_ID

EntryEvent

::= “*” EntryId “:” Operation

EntryId

    ::= Number -- ID of entry

Operation

  ::= “INSERT” | “MODIFY” | “DELETE”

So it cannot be MSKEY of user, 601 - is number of Deprovisioning task and 330 is number of attribute.

Best regards,

Natalia.

Former Member
‎04-09-2014 8:01 AM
0 Kudos

Hi Natalia,

First, do you use UI task to create the user in SAP and if so, do you have directly under this task  action task or some other task, that has a job log. Because if you have only UI task I'm not sure that you can get the user responsible.

Kind regards,

Simona

Former Member
‎04-09-2014 8:39 AM
0 Kudos

Hi Simona,

I use standart IDM task "Modify Role", in this task I add SAP privileges to role. As result user, who have been assigned this role, get the privilige PRIV:<SYSTEM>:ONLY. As result, system run standart Provisioning tasks and user are created in SAP ABAP system (after task "Create ABAP user").

Best regards,

Natalia.

Former Member
‎04-09-2014 8:53 AM
0 Kudos

Hi Natalia,

Then from the job log in task "Modify Role" you can get the auditID and use it here:

select * from mcmv_audit where auditref=<auditID>; to get the mskey of the user executing the UI task(his id should be in column USER_ID).

BR,

Simona

Ask a Question