Application Development Discussions

Need to alert security team every time when a new authorization object is created

0 Kudos

Hi,

There is a requirement that whenever a new authorization object is created in SU21, an alert or mail is sent to the security team. Is there any BADI or exit available to write the code? Or is there any standard workflow task with which we could cover this requirement?

Thanks and Regards

Sudarshan Gaikwad

1 ACCEPTED SOLUTION

0 Kudos

Hi All,

Thanks for your replies and suggestions. Those suggestions really helped me reach my solution.

I have resolved this with an implicit enhancement at the time of saving the authorization object in SU21.

I found that PGMID = R3TR, OBJECT = SUSO and OBJ_NAME = ZTEST (authorization object name).

| Sr.No | Implicit Enhancement | Purpose of Enhancement | Comments |
|---|---|---|---|
| 1 | LTMW_PROJECT_LOCKF01 | When the transport request is saved, we can trigger our code in this include | Useful for our requirement |

We can also do it programmatically in other ways, but in my case we were required to implement it in an implicit enhancement point only.

Other options we can also consider are below.

| Sr.No | BADI Name | Purpose of BADI | Comments |
|---|---|---|---|
| 1 | CTS_CURRENT_PROJECT | On the basis of the authorization object check (SUSO) we can proceed with our requirement | Useful for our requirement |

6 REPLIES

martin_voros
Active Contributor
0 Kudos

Hi,

That is an interesting and unusual requirement. I doubt that there is anything standard from SAP. You could try to find a suitable implicit enhancement point to trigger custom code. Another simple solution would be to schedule a job that would read change documents. This would not be real time but it may be sufficient. May I ask how often you create a new authorization object?

Cheers
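
A sketch of the scheduled-job idea, as an added example that is not code from any poster in this thread. Instead of change documents it reads the transport object list using the PGMID = R3TR / OBJECT = SUSO key quoted in the accepted solution. The report name, recipient address, one-day look-back and Z/Y name filter are assumptions, and the syntax needs ABAP 7.40 SP08 or later.

```abap
REPORT z_suso_transport_alert.
" Added example. Assumed names: report name, recipient address,
" one-day look-back window, customer namespace filter (Z*/Y*).
CONSTANTS gc_recipient TYPE ad_smtpadr VALUE 'security-team@example.com'.

DATA: lt_text TYPE bcsy_text,
      lv_from TYPE d.

START-OF-SELECTION.
  lv_from = sy-datum - 1.

  " Authorization objects (R3TR SUSO) recorded on requests or tasks
  " that were changed since yesterday.
  SELECT h~trkorr, h~as4user, h~as4date, o~obj_name
    FROM e070 AS h
    INNER JOIN e071 AS o ON o~trkorr = h~trkorr
    WHERE o~pgmid  = 'R3TR'
      AND o~object = 'SUSO'
      AND h~as4date >= @lv_from
      AND ( o~obj_name LIKE 'Z%' OR o~obj_name LIKE 'Y%' )
    INTO TABLE @DATA(lt_hits).

  IF lt_hits IS INITIAL.
    RETURN.  " nothing recorded, send no mail
  ENDIF.

  " One mail line per object: name, request/task, owner, date.
  LOOP AT lt_hits INTO DATA(ls_hit).
    APPEND VALUE #( line = |{ ls_hit-obj_name } in { ls_hit-trkorr } | &&
                           |by { ls_hit-as4user } on { ls_hit-as4date DATE = ISO }| )
      TO lt_text.
  ENDLOOP.

  TRY.
      DATA(lo_send) = cl_bcs=>create_persistent( ).
      lo_send->set_document( i_document = cl_document_bcs=>create_document(
        i_type    = 'RAW'
        i_text    = lt_text
        i_subject = 'Authorization objects recorded in transports' ) ).
      lo_send->add_recipient( i_recipient =
        cl_cam_address_bcs=>create_internet_address( i_address_string = gc_recipient ) ).
      lo_send->send( ).
      COMMIT WORK.  " BCS hands the mail to SAPconnect only after a commit
    CATCH cx_bcs INTO DATA(lx_bcs).
      DATA(lv_err) = lx_bcs->get_text( ).
      MESSAGE lv_err TYPE 'E'.  " fails the background job so the error is visible
  ENDTRY.
```

Scheduled daily in DEV, this reports an object once per request or task it appears on, so the same name can show up on more than one line.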

0 Kudos

Often the creation of an auth object and checking it in a program bypasses the security folks who maintain SU24 and roles.

So such an alert can be useful as a ping to ask what the object is for and which tcodes / roles it belongs to.

I use a slightly similar approach to alert about testing the QAS system.

If they transport the program without the object, then it cannot pass an auth test and alerts.

If they transport the object as well, then alerts if they test and the check fails.

If they transport to production in the wrong sequence or do not test, then it fails in production.

Probably another good check point earlier in the process would be the TMS BADI -> if an authorization object is in a transport being released, then an alert mail is sent from the DEV system. You will get a few false-positives if whole packages are transported, but at least you will get to hear about it, and upgrades, etc.

Not a bad idea!

Cheers,

Julius

0 Kudos

Hi,

I understand why a notification about a new authorization object is a good idea. But it seems to me that a technical solution is overkill for an event that happens not so often in my experience. Your idea of using the BADI for transport release is a good solution that uses a BADI delivered by SAP. Another would be to remove the authorization in DEV to create objects so they would have to request it.

Cheers

0 Kudos

Not sure whether removing S_DEVELOP auths in DEV will last very long.

The TMS BADI has the advantage that they can develop in peace -> check happens when they decide they are ready to transport.

Cheers,

Julius

gangadharvegi
Advisor
0 Kudos

Hi Sudarshan,

Exclude the value "SUSO" from the "Object type" (OBJTYPE) field in authorization object S_DEVELOP of the users.

This will prevent users from creating them.

Create a separate role with this access and give it to the users on a case-by-case basis, or put it in a Firefighter ID and assign it to them if you have a GRC system in place, which will notify the concerned person 🙂

Regards,

Gangadhar
