10-22-2007 6:54 PM
Hi Everyone,
I am doing a segregation of duties review and need to extract user authorization information from SAP. Ultimately, I would like to have a single view where each record will contain UserID, role_name, profile_name, authorization_objects and activity value.
I know that information on roles, profiles, authorizations and allowable activities within authorization fields resides in various tables and don't expect to have an issue linking the data in an external application. But as of now I have only been able to find the following info:
List of users, with roles and profiles assigned
List of all transactions, associated auth objects and allowable activities (TSTCA)
However, what I have difficulty finding are the tables holding:
- transactions assigned to roles/profiles
- auth objects that are part of the user's profiles and the associated activity values
Does anyone know where this info is?
Thanks in advance!
Martin
10-23-2007 10:32 AM
Hi Martin,
transactions assigned to roles : AGR_1251 with object S_TCODE
transactions assigned to profiles : UST10S with object S_TCODE + UST12 with auth. of UST10S and Object S_TCODE
auth objects part of the user's profiles = Profile - Objects - Authorities: UST10S
auth objects and associated activity values = Objects - Authorities Field From/To : UST12
10-22-2007 9:49 PM
Hi Martin,
Which tables you get the info from depends on how you want to do this.
The most straightforward way is:
Tx to roles: AGR_1251 filtered on object S_TCODE. You could use AGR_TCODES, but this only has menu transactions rather than those in S_TCODE.
Auth objects & values to roles: AGR_1251 (and you can use AGR_USERS to identify the roles per user).
AGR_1251 is at the role level, which is all well and good; however, auth data resides within the profiles, and getting that data is a fair bit harder, so you are looking at something like interrogating USR04, USR10 and USR12 to get all user-auth-value data.
10-24-2007 9:04 AM
Hi Alex and Wolfrad,
Thanks a million for taking the time to answer my original questions. The information was very useful and it helped me progress in gathering the information I needed. At the moment on my report I have the following information that appears in this order:
User ID - Full Name - User Group - Profile - User Master Maintenance Authorization - Profile Name - Object - Authorization Field - Authorization Value1 - Authorization Value2
This makes my report 99% complete. The only outstanding information I need is the Role Name that each profile is part of. Would you happen to know in what table I will be able to find this info?
Best,
Martin
10-24-2007 9:55 AM
Hi Martin,
the name of a role : AGR_TEXTS with SPRAS = sy-langu and LINE = '00000'
the name of a profile: USR11
Thanks for points
Wolfrad
10-24-2007 6:11 PM
Hi Guys,
Thanks again for the input. I have one last question. I've reached the very end of the authorization data extraction and need to pull the names (text) of the authorization fields. Actually, I am not sure if this data even exists in the way I imagine it. I checked table AUTHX, but there I only have the field name/code, the data element and the corresponding table where the field data comes from. If you know of it, please let me know, and if not, I already feel SUPER grateful for the assistance you have provided me with so far.
Best,
Martin
10-25-2007 10:29 AM
Hi Martin,
you can use function module AUTH_FIELD_GET_INFO, see program SAPLSUSA, FORM LOAD_INTFLD. Here is a little report to check whether it works:
REPORT auth_field_get_info.
* Get the descriptive text of an authorization field via AUTH_FIELD_GET_INFO
TABLES: dfies.                              " work area; only FIELDTEXT is used
PARAMETERS: p_sfield LIKE authx-fieldname.  " authorization field, e.g. ACTVT
DATA: field LIKE tobj-fiel1.                " type expected by the function module

START-OF-SELECTION.
  field = p_sfield.
  CALL FUNCTION 'AUTH_FIELD_GET_INFO'
    EXPORTING
      fieldname = field
      langu     = sy-langu                  " text in the logon language
    IMPORTING
      text      = dfies-fieldtext.
  WRITE: / field, dfies-fieldtext.
10-25-2007 10:55 AM
Good morning everyone,
I looked in table DD04V and a lot of the field names were there. Some of them were not listed, such as ACTVT, TCD, CEERKRS, CFUNCNAME and others, but I will try to work without them. I just wanted to give you an idea of my approach for the SoD analysis and why I have bypassed the built-in SAP tools.
Once I extracted all the authorization and user data, I pulled it into ACL for further analysis.
For a total of 40 users, the final set is close to 93 000 records. Some of the tests that I can run in ACL are: filter out all roles that have "display" in their name, then quickly run the classify function for all ACTVT fields that have values other than 3. Also, I can filter all BUKRS fields and verify that the users are assigned company codes that belong to their organization. To me this approach seems logical, but this is the first time I am doing this, so I am still developing the process; if you guys think that something is off, please let me know. I don't know if the tools that SAP provides offer this functionality. I am an auditor, and what I have found in AIS so far cannot really be used for this type of analytics.
Wolfrad, thank you very much for providing me with the code, but I have no authorization for creating anything on the SAP system; I have read-only access.
Thanks again for all your help!
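The following is an added example, not code from anyone in this thread: it puts the role-level extraction Alex and Wolfrad describe (AGR_USERS to AGR_1251, role name from AGR_TEXTS with LINE = '00000' in one language, transactions taken from S_TCODE field TCD rather than AGR_TCODES) and the kind of SoD test Martin outlines into one runnable script. It loads constructed sample rows into an in-memory SQLite database, so all users, roles, values and the conflict rule are made up for illustration and the column lists are trimmed to the fields the queries need. Two checks a reviewer would want are built in: AGR_USERS assignments are only counted if valid on the key date (FROM_DAT/TO_DAT), and AGR_1251 rows flagged DELETED = 'X' are dropped, since PFCG keeps removed values with that flag. As the thread notes, this is design data from the role; the values actually in force come from the generated profile (UST10S/UST12), so a role whose profile was never regenerated can differ.

```python
import sqlite3

# Constructed sample data (not real SAP data); column names follow the
# SAP tables named in the thread, reduced to the columns used below.
AGR_USERS = [  # (AGR_NAME, UNAME, FROM_DAT, TO_DAT)
    ("Z_AP_CLERK",     "JDOE",   "20070101", "99991231"),
    ("Z_VENDOR_MAINT", "JDOE",   "20070101", "99991231"),
    ("Z_AP_DISPLAY",   "ASMITH", "20070101", "99991231"),
    ("Z_VENDOR_MAINT", "ASMITH", "20060101", "20061231"),  # expired on the key date
]
AGR_1251 = [  # (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED)
    ("Z_AP_CLERK",     "S_TCODE",    "TCD",   "FB60", "",     ""),
    ("Z_AP_CLERK",     "F_BKPF_BUK", "ACTVT", "01",   "",     ""),
    ("Z_AP_CLERK",     "F_BKPF_BUK", "BUKRS", "1000", "",     ""),
    ("Z_AP_DISPLAY",   "S_TCODE",    "TCD",   "FB03", "",     ""),
    ("Z_AP_DISPLAY",   "F_BKPF_BUK", "ACTVT", "03",   "",     ""),
    ("Z_AP_DISPLAY",   "F_BKPF_BUK", "BUKRS", "1000", "2000", ""),
    ("Z_VENDOR_MAINT", "S_TCODE",    "TCD",   "FK01", "FK02", ""),
    ("Z_VENDOR_MAINT", "F_LFA1_BUK", "ACTVT", "01",   "02",   ""),
    ("Z_VENDOR_MAINT", "F_LFA1_BUK", "ACTVT", "06",   "",     "X"),  # flagged deleted
    ("Z_VENDOR_MAINT", "F_LFA1_BUK", "BUKRS", "*",    "",     ""),
]
AGR_TEXTS = [  # (AGR_NAME, SPRAS, LINE, TEXT)
    ("Z_AP_CLERK",     "E", "00000", "AP invoice entry"),
    ("Z_AP_CLERK",     "D", "00000", "Kreditorenrechnung erfassen"),
    ("Z_AP_DISPLAY",   "E", "00000", "AP display only"),
    ("Z_VENDOR_MAINT", "E", "00000", "Vendor master maintenance"),
    ("Z_VENDOR_MAINT", "E", "00001", "continuation of long text"),  # not the name
]


def load_sample_db():
    """Create the three tables in memory and fill them with the rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE AGR_USERS(AGR_NAME, UNAME, FROM_DAT, TO_DAT);
        CREATE TABLE AGR_1251(AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED);
        CREATE TABLE AGR_TEXTS(AGR_NAME, SPRAS, LINE, TEXT);
    """)
    conn.executemany("INSERT INTO AGR_USERS VALUES (?,?,?,?)", AGR_USERS)
    conn.executemany("INSERT INTO AGR_1251 VALUES (?,?,?,?,?,?)", AGR_1251)
    conn.executemany("INSERT INTO AGR_TEXTS VALUES (?,?,?,?)", AGR_TEXTS)
    return conn


USER_AUTH_SQL = """
SELECT u.UNAME, u.AGR_NAME, t.TEXT, a.OBJECT, a.FIELD, a.LOW, a.HIGH
FROM AGR_USERS u
JOIN AGR_1251 a ON a.AGR_NAME = u.AGR_NAME
LEFT JOIN AGR_TEXTS t ON t.AGR_NAME = u.AGR_NAME
                      AND t.SPRAS = ? AND t.LINE = '00000'  -- short role name only
WHERE u.FROM_DAT <= ? AND u.TO_DAT >= ?   -- assignment valid on the key date
  AND a.DELETED <> 'X'                    -- PFCG keeps removed values with this flag
ORDER BY u.UNAME, u.AGR_NAME, a.OBJECT, a.FIELD, a.LOW
"""


def user_auth_view(conn, key_date, langu="E"):
    """One row per user/role/object/field/value: the flat view the thread asks for."""
    return conn.execute(USER_AUTH_SQL, (langu, key_date, key_date)).fetchall()


def transactions_per_user(conn, key_date):
    """Transactions come from S_TCODE field TCD; AGR_TCODES only holds menu entries."""
    out = {}
    for uname, _role, _text, obj, field, low, high in user_auth_view(conn, key_date):
        if obj == "S_TCODE" and field == "TCD":
            out.setdefault(uname, set()).add(f"{low}-{high}" if high else low)
    return out


def value_granted(low, high, wanted):
    """Does a LOW/HIGH pair cover one value? '*' is the full wildcard."""
    if low == "*":
        return True
    if high:
        return low <= wanted <= high
    return low == wanted


def users_with(conn, key_date, obj, field, wanted):
    """Users whose active, non-deleted role data grants `wanted` on obj/field."""
    return {r[0] for r in user_auth_view(conn, key_date)
            if r[3] == obj and r[4] == field and value_granted(r[5], r[6], wanted)}


def sod_conflicts(conn, key_date, rule):
    """rule = two (OBJECT, FIELD, value) legs; users holding both legs conflict."""
    (o1, f1, v1), (o2, f2, v2) = rule
    return sorted(users_with(conn, key_date, o1, f1, v1)
                  & users_with(conn, key_date, o2, f2, v2))


# Illustrative rule (made up for this example): change vendor master AND post vendor invoice.
VENDOR_VS_INVOICE = (("F_LFA1_BUK", "ACTVT", "02"), ("F_BKPF_BUK", "ACTVT", "01"))

if __name__ == "__main__":
    db = load_sample_db()
    for row in user_auth_view(db, "20071025"):
        print(row)
    print(transactions_per_user(db, "20071025"))
    print("SoD conflicts:", sod_conflicts(db, "20071025", VENDOR_VS_INVOICE))
```

Run as-is it lists nine user/role/value rows (ASMITH's expired Z_VENDOR_MAINT and the deleted ACTVT 06 row are gone), the transactions per user, and JDOE as the only user holding both legs of the rule. Against a real extract you would load the full-width tables instead of the sample rows, and note that `value_granted` compares strings, which is how SAP field ranges behave but means numeric-looking values such as company codes must keep their leading zeros.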