
Authorization error report

Former Member
0 Kudos

I want to see an authorization unsuccessful error report of 100 users from the last 15 days. Is there any program that needs to be executed or any process to get this?

7 REPLIES 7

Former Member
0 Kudos

This info is not logged in SAP as standard.

You can use USR07 to view the last auth failure for a load of users but the data isn't retained for long.

0 Kudos

Hi

Please be careful: USR07 is filled only if the user executes SU53 after his auth. error... and only this entry is kept until the user executes SU53 again. So the content of USR07 may be incomplete and also outdated...

b.rgds, Bernhard

0 Kudos

That's a good point, Bernhard. It does have its limitations. I have questions over the usefulness of such data too.

0 Kudos

Hi Bernhard,

That was really useful information.

Thank you

Abhishek

Former Member
0 Kudos

Then there is NO solution for this?

0 Kudos

Yes there is a solution, but it has big caveats which Bernhard has pointed out.

More importantly, the information would not be very useful because of the way that SAP evaluates authorisation checks.

If you want to have this info then you will need a system trace activated 24/7 and accept the potential performance and filespace requirements.

0 Kudos

> venkat sap wrote:

> Then there is NO solution for this?

I can think of a few solutions, but USR07 would not be one of them. There is also an old post about this "last failed check" and "reason codes for failed checks" which suggested that a development request to enhance them might be on the cards. I eventually decided not to open the development request.

A simple solution:

To report on failed authority-checks for attempts to start transactions, the failed attempts to call RFCs and failed attempts to start reports, you can use the Security Audit Log (tcode SM20 <= use the search and the FAQ) for objects S_TCODE, S_RFC and S_PROGRAM. There might be false positives for BDC programs... see the threads on function module AUTHORITY_CHECK_TCODE.

A more complex solution:

Intended for recording detailed information about authorization checks during the development of applications (much more detailed than USR07, SU53 and ST01), there is an obscure set of tables which contain information about (failed) authority-checks. They are not really intended for production systems and there is a SAP note which explains how to use them and warns about consequences for rapid growth of the tables, particularly in large systems with many users... I could not find any info on the search terms here at SDN, but if you are interested, I can dig in my box-of-tricks to see whether I can find the info again. I don't think that it was originally intended for production systems though, much like ST01, debugging, etc, etc...

If your authorization concept is confident of the application authorizations which the users have, then the simple solution would, in my opinion, be sufficient for monitoring purposes, which can then be drilled down further once abnormalities are found using a number of tools with forensic capabilities such as SM20, ST03N, STAD (if you are fast enough), F190, etc, etc...

Cheers,

Julius
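An added example, not part of the original thread: one way to turn a Security Audit Log export into the per-user report asked for in the question, counting failed transaction, RFC and report starts for a given user list over the last 15 days. The export layout (semicolon-separated columns `date;time;user;msgid;target`), the sample rows and the function name `failed_checks` are assumptions made for illustration; the message IDs AU4, AUL and AUX should be confirmed against your own system's audit event list.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# Audit log message IDs for failed start attempts (assumed; confirm the IDs
# against the audit event list in your own system's filter configuration).
FAILED_EVENTS = {
    "AU4": "transaction start failed",
    "AUL": "RFC call failed",
    "AUX": "report start failed",
}

# Constructed sample export: semicolon-separated, one audit event per line.
SAMPLE_EXPORT = """\
date;time;user;msgid;target
2024-05-20;08:01:12;JDOE;AU4;SE16
2024-05-20;08:01:40;JDOE;AU3;SU53
2024-05-21;09:15:00;ASMITH;AUL;SYST
2024-05-22;10:00:00;JDOE;AU4;SE16
2024-05-22;10:05:00;BATCH01;AUX;RSUSR002
2024-05-01;07:00:00;ASMITH;AU4;SM30
"""


def failed_checks(export_text, users, today, days=15):
    """Count failed start attempts per user and (msgid, target) in the window."""
    cutoff = today - timedelta(days=days)
    report = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        day = datetime.strptime(row["date"], "%Y-%m-%d").date()
        if row["msgid"] not in FAILED_EVENTS or row["user"] not in users:
            continue  # successful events and users outside the review list
        if not cutoff <= day <= today:
            continue  # outside the reporting window
        report[row["user"]][(row["msgid"], row["target"])] += 1
    return {user: dict(counts) for user, counts in report.items()}


if __name__ == "__main__":
    result = failed_checks(SAMPLE_EXPORT, {"JDOE", "ASMITH"}, date(2024, 5, 25))
    for user, counts in sorted(result.items()):
        for (msgid, target), n in sorted(counts.items()):
            print(f"{user}\t{FAILED_EVENTS[msgid]}\t{target}\t{n}")
```

Repeated failures from a batch or interface user on the same target are worth separating out before review, since the thread notes that BDC programs can produce false positives.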