How to find right authorisations to be deleted

0 Kudos

Hello.

I was asked by the customer to delete unnecessary authorisations assigned to a specific role. I know generally how to find required authorisations (su53) but I have no idea about the deletion.

I tested it in Tx: SUIM -> Transactions -> Executable for Role -> Type a role and execute.

In some transactions, especially standard ones, I could see the result of related authorisation objects and values. On the other hand, there are a lot of transactions that show empty, especially Z* t-codes.

Should I redesign the role from scratch? Is there any other way to shorten the time?

P.S. I've also considered controlling the accessible t-codes in S_TCODE, but someone already put the value 'ALL' in there, so it's not easy to review all the transactions maintained in there either.

Best regards,

Seong Do Lee

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello,

I would not even attempt to remediate a role that had been given full authorization for S_TCODE. If you are fortunate enough to have a tool such as the Action Usage report in GRC 10.x, that could help you rebuild the role based on the tcodes that had been used. Otherwise you might have to rebuild it based on process documentation.

If the Z tcodes have no authorizations associated with them, you might want to counsel the clients on the importance of doing SU24 maintenance on their custom tcodes. You could try doing traces on them to see what authorizations are needed.

Good luck.

Gretchen

3 REPLIES 3

0 Kudos

Thanks for your guidance.

Colleen
Advisor
0 Kudos

Hi Seong

A couple of things to consider here:

  1. See how many users have the role assigned and what the intended purpose of the role is. If it is a small sample, then cleaning up might be easier using Gretchen's tip and looking at action usage (stad, stauthtrace/st01 trace or sm19/sm20 security audit log on them). The role name will add better context to understand what the role should have as well.
  2. Have a look at change documents on role build in development to see when the manual S_TCODE values were added. S_TCODE via the role menu will appear as Standard. If the changes were added after the initial build, look for the associated transport. You might find change request information in the description or support documentation (if such discipline is at your client site) to track why the access was added. You might discover the actual requirement to remove the unnecessary access.
  3. Accept that if you make changes, the user will probably complain, as the additional access has probably been masking other access issues. Also, if S_TCODE is a mess, then I bet a heap of other authorisations are in changed or manual status (two statuses to avoid).
  4. Check the change documents to see who built the role in the first place. If they are still on the project, request to have their security access removed until they have learned how to build a role properly.

Regards

Colleen