How to find T-code History with role

Former Member · ‎08-20-2015

Hi Experts,

I am facing one critical issue. One user was having access of one T-code but suddenly he is getting message that he is not authorized for that T-code. I have checked any change for his user id but no changes has been done. Even When I am searching the roles of that particular T-code from SUIM, I am not getting role name. I have checked from ST03N last month history, that t-code was accessed by him.

Please advise how to find out that from which role user has accessed this t-code ? Please help as this is critical requirement for me.

Thanks in advance !

Regards,

Lokesh Bajaj

Former Member · ‎08-20-2015

There's no way to find out which role allowed a user to access a transaction code in the past. That information is not held anywhere. You say no changes have been made to the user, so that must mean changes have been made to one of the user's roles. Look at change documents for those roles.

Steve.

Former Member · ‎08-20-2015

Hi Steve,

Thanks for your prompt response. It is very difficult to check all change documents of all roles assigned to that user.

Thanks !

Former Member · ‎08-20-2015

How many role changes do you make? Is looking at changes to all roles in the last month feasible? You can do that in one step.

Remember to do this in your development system, though - roles changes aren't made in production, so you won't find any there...

Steve.

Colleen · ‎08-21-2015

Hi Lokesh

Quick etiquette - there is an unwritten assumption that everyone who posts to SCN asking for assistance has critical issue (to them) or urgent. No need to write it as anyone who responds to you is doing it in their free time. If anything, you might annoy many knowledgeable community members and they will show their annoyance through silence.

Steve has covered a fair bit of it. Some things to break down and assume

Run SUIM Change documents for the users to see what roles they have had. Sounds like you have done this
Check the SE93 definition of the trasaction or table TSTCA to see if there is a secondary authorisation check. I'm assuming when you the user can't execute the transaction they are getting a "you are not authorized to for the transaction" type message instead of getting their initial screen. If this is where they are failing then they are either missing the S_TCODE or the secondary auth check.
Run SUIM Change documents for roles for authorisation data to see if any roles had either the S_TCODE or another object deleted.
Cross reference the roles in Step 1 against Step 3 to see if you can pinpoint the change
You can then also check your transports to see if that's happened recently.

If still getting nowhere then you need to check

Were roles updated directly in production (if there is a change record on authorisations then it's a direct update.
Is the profile for the role corrupted (checking SU56 for user on the objects will show this if it can't load properly). If so, retransport role after generating the profile
Any chance there is an immediate authorisation check in the code on execution and the user no longer has that authorisation. If you can't search the code get a developer to assist you. If you find an object, repeat above steps with that object as well

Biggest bit comes down to understanding what the user has actually lost

Also, I can't remember of the top of my head if a call transaction (SE97 skips S_TCODE check) or similar will show as a user having executed it but in reality the user cannot execute it directly

Regards

Colleen