06-25-2007 2:13 PM
Hi there,
I need help from Security Specialists to find out who deleted a user account in the past in an R/3 46C system.
I have already tried the methods below and checked previous posts in this forum, but to no avail -
1. SUIM
2. SM20
3. SM21
4. Report RSTBHIST
5. ST03
6. STAT
7. SECR
8. SM19
Thanks in advance.
06-25-2007 2:19 PM
Amol,
SUIM change documents reports is the way to go. You can also view the change document tables USH* (USH02) directly via SE16/17.
Cheers,
Ben
06-25-2007 2:25 PM
Benjamin,
Thanks.
Table USH02 provides information about change in Logon data.
Would you please clarify how I can find out who deleted a particular user account?
Thanks in advance.
06-25-2007 2:43 PM
Amol,
Look at table USH04 field PROFS. It will have the letter 'D' for when the user is deleted. It is easiest to view via SE16N.
Cheers,
Ben
06-25-2007 2:48 PM
We don't have SE16N yet.
It gives error for field PROFS as below -
ABAP Dictionary type is not allowed for screen element
Message no. 37 048
Diagnosis
The format of the ABAP Dictionary field is only for use within the ABAP program and cannot be used in the Screen Painter.
Procedure
The field cannot be used in screens. If you want to output the information in the field or assign a value to the field from the screen, you must use an intermediate field with an appropriate format.
06-25-2007 2:51 PM
06-25-2007 3:11 PM
Thanks Ben,
I tried and got output as below -
Clien User Modificati Modifica Changed by PROFS
900 304902 03.02.2007 15:11:23 107901 D
900 304902 15.05.2007 13:39:42 AMOL C ZRFCCPIC__
900 304902 08.06.2007 12:28:56 AMOL M FSTSTKCOUN ZRFCCPIC__
Which means the user was last deleted on 03/02 by 107901, and then I recreated it on 15/05 and maintained it on 08/06.
But again today I found this user missing, and that's the reason I'm desperately looking for the delete log.
I didn't find the latest deletion log anywhere.
06-25-2007 3:13 PM
I created one test user and deleted it immediately. Its log in SE17 -
Clien User Modificati Modifica Changed by PROFS
900 DELETETEST 25.06.2007 11:21:30 AMOL C
900 DELETETEST 25.06.2007 11:21:39 AMOL D
06-25-2007 3:22 PM
06-25-2007 3:29 PM
No....
I received a user complaint that he cannot log in and found this user missing today.
Tried with SUIM but no log for deletion after my latest creation.
That's the reason I'm looking for this log everywhere in the system.
It should show user deleted on or after 08/06.
06-25-2007 3:46 PM
Amol,
You can see from your test that the table USH04 shows the created and deleted user entries and that the system is writing them correctly.
Clien User Modificati Modifica Changed by PROFS
900 DELETETEST 25.06.2007 11:21:30 AMOL C
900 DELETETEST 25.06.2007 11:21:39 AMOL D
Could the user have been deleted via a custom program or through transport (rare)?
Cheers,
Ben
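The check discussed in this thread, as an added example that is not part of any poster's message: a Python sketch that parses USH04 rows exported as plain text from SE17, lists the recorded deletions, and flags accounts that are missing from the system although their latest change document is not a 'D'. It assumes the column layout shown in the posts, that the first single-letter token in PROFS is the action flag (C, M, D as seen above), and that `existing_users` (a hypothetical input) is the set of accounts currently in the client.

```python
import re
from datetime import datetime

# Constructed sample: the USH04 rows quoted in the thread, as SE17 list output.
SAMPLE = """\
Clien User Modificati Modifica Changed by PROFS
900 304902 03.02.2007 15:11:23 107901 D
900 304902 15.05.2007 13:39:42 AMOL C ZRFCCPIC__
900 304902 08.06.2007 12:28:56 AMOL M FSTSTKCOUN ZRFCCPIC__
900 DELETETEST 25.06.2007 11:21:30 AMOL C
900 DELETETEST 25.06.2007 11:21:39 AMOL D
"""

# client, user, date, time, changed-by, action flag, optional profile names
ROW = re.compile(r"^(\d{3})\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+"
                 r"(\d{2}:\d{2}:\d{2})\s+(\S+)\s+([A-Z])(?:\s+(.*))?$")

def parse_ush04(text):
    """Return change-document events sorted by time; header and noise lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        client, user, date, time, changed_by, action, profiles = m.groups()
        events.append({
            "client": client, "user": user, "changed_by": changed_by,
            "when": datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S"),
            "action": action, "profiles": (profiles or "").split(),
        })
    return sorted(events, key=lambda e: e["when"])

def deletions(events):
    """Every recorded deletion: (client, user, timestamp, deleted by)."""
    return [(e["client"], e["user"], e["when"], e["changed_by"])
            for e in events if e["action"] == "D"]

def missing_without_delete_record(events, existing_users):
    """Accounts whose latest record is not 'D' yet are absent from the system."""
    last = {}
    for e in events:                      # events are time-sorted, last one wins
        last[(e["client"], e["user"])] = e
    return sorted(k for k, e in last.items()
                  if e["action"] != "D" and k not in existing_users)

if __name__ == "__main__":
    evts = parse_ush04(SAMPLE)
    for d in deletions(evts):
        print("deleted:", *d)
    print("no delete record:", missing_without_delete_record(evts, set()))
```

An account reported by the last function has no change document for its removal, which points to the causes raised in the thread, such as a custom program or a transport.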
06-25-2007 4:09 PM
Probably.... I've to check our Z programs to see if they provide a user delete function.
Anyways, your help is much appreciated Ben. Thanks.
regards
Amol