Solved: How to find who deleted user account

Former Member · ‎06-25-2007

Hi there,

I need help from Security Specialists to find out who deleted user account in past in a R/3 46C system.

I have already tried below methods and checked previous posts in this forum but no use -

1. SUIM

2. SM20

3. SM21

4. Report RSTBHIST

5. ST03

6. STAT

7. SECR

8. SM19

Thanks in advance.

Former Member · ‎06-25-2007

Amol,

SUIM change documents reports is the way to go. You can also view the change document tables USH* (USH02) directly via SE16/17.

Cheers,

Ben

Former Member · ‎06-25-2007

Amol,

SUIM change documents reports is the way to go. You can also view the change document tables USH* (USH02) directly via SE16/17.

Cheers,

Ben

Former Member · ‎06-25-2007

Benjamin,

Thanks.

Table USH02 provides information about change in Logon data.

Would you please clarify how can I find out who deleted particular user account?

Thanks in advance.

Former Member · ‎06-25-2007

Amol,

Look at table USH04 field PROFS. It will have the letter 'D' for when the user is deleted. It easiest to view via SE16N.

Cheers,

Ben

Former Member · ‎06-25-2007

We dont have SE16N yet.

It gives error for field PROFS as below -

ABAP Dictionary type is not allowed for screen element

Message no. 37 048

Diagnosis

The format of the ABAP Dictionary field is only for use within the ABAP program and cannot be used in the Screen Painter.

Procedure

The field cannot be used in screens. If you want to output the information in the field or assign a value to the field from the screen, you must use an intermediate field with an appropriate format.

Former Member · ‎06-25-2007

Try SE17 it's not as nice, but you should be able to see it.

Cheers,

Ben

Former Member · ‎06-25-2007

Thanks Ben,

I tried and got output as below -

Clien User Modificati Modifica Changed by PROFS

900 304902 03.02.2007 15:11:23 107901 D

900 304902 15.05.2007 13:39:42 AMOL C ZRFCCPIC__

900 304902 08.06.2007 12:28:56 AMOL M FSTSTKCOUN ZRFCCPIC__

Which means user was last deleted on 03/02 by 107901 and then I recreated it on 15/05 and maintained on 08/06.

But again today I found this user missing and thats the reason I 'm desparately looking for delete log.

I didnt find latest deletion log anywhere.

Former Member · ‎06-25-2007

I created one test user and deleted it immediately. Its log in SE17 -

Clien User Modificati Modifica Changed by PROFS

900 DELETETEST 25.06.2007 11:21:30 AMOL C

900 DELETETEST 25.06.2007 11:21:39 AMOL D

Former Member · ‎06-25-2007

You got it...

Cheers,

Ben

Former Member · ‎06-25-2007

No....

I received user complain that he cannot login and found this user missing today.

Tried with SUIM btu no log for deletion after my latest creation.

Thats the reason looking for this log everywhere in the system.

It should show user deleted on or after 08/06.

Former Member · ‎06-25-2007

Amol,

You can see from your test that the table USH04 shows the created and deleted user entries and that the system is writing them correctly.

Clien User Modificati Modifica Changed by PROFS

900 DELETETEST 25.06.2007 11:21:30 AMOL <b>C</b>

900 DELETETEST 25.06.2007 11:21:39 AMOL <b>D</b>

Could the user have been deleted via a custom program or though transport (rare)?

Cheers,

Ben

Former Member · ‎06-25-2007

Probably.... I 've to check for our Z programs if they provide user delete function.

Anyways, your help is much appreciated Ben. Thanks.

regards

Amol