Audit tool which generates Users, Roles, Auth objects, and Values

Hi,
I have a list regarding authorization provided by auditors.
Here I want to know how the auditors generated the list.
Do you know the transaction code or the program ID.....?
Probably the data in the list was extracted from our system, and some data were manually processed or added.
Hard to write down but fields and examples appear in the list;
-FIELDS-
User
Group
Full Name
Rule
Side
Operator
Role
Authorization
Attribute
Attribute Value
Associated Role
Associated Authorization
Associated Attribute
Associated Attribute Value
-EXAMPLES-
testuser01
group001
user01 test
Create Maintain Sales Order vs Create Maintain Customer Master Records
LHS
Any
Z_ROLETEST_001
Authorization=T-D524126500, Object=S_TCODE
TCD
FB01
Z_ROLETEST_002
Authorization=T-D524126600, Object=F_BKPF_BUK
ACTVT
1
Thank you in advance.
/Y.Shirako

> Install ABAP on your system which provides files for them to crunch in an SQL (or similar) database.
> Tool extracts data via RFC calls into your system that is then processed externally.
Yes, the interfaces of those tools are often a hazard in themselves...
I typically recommend customers to delete them completely. Sometimes this comment also exists in the code itself, but who reads code nowadays in GRC projects, and why should they have to? ;-(
This looks very much like one of those tools (where the SQL statements are built externally).
Cheers,
Julius

Similar Messages

  • Trying to understand "User/Role/Profile Synchronization" and Batch Analysis

    Hello,
    I'm trying to understand what exactly, and from which tables, these jobs are copying to which tables in CC. I have an understanding that these jobs are also moving deleted roles from the backend. This is causing unnecessary delay to a long-lasting job.
    I would appreciate it if someone could explain the logic behind these jobs. What are the full sync and incremental reading? What kind of changes cause a role/user/profile to be included in the full and incremental jobs?
    How the incremental analysis logic is built ?
    br Janne

    Janne,
    In my current implementation we are going for an offline risk analysis due to the heterogeneous system landscape of our client (several SAP and non-SAP systems and several SAP systems under 4.6C). Even though within our approach we don't perform the backend synchronization (we use the CC data extractor to pull data from the backend into CC), I hope the following info could help you:
    The tables such jobs you mention access to, are all the SAP backend system tables related with users, roles, profiles, action and permissions. If you check the data mapping appendix of the "user and configuration guide for 5.2" you will see all the data that CC retrieves. For instance, in order to extract user info (UserID, FName, LName, Email, Phone, Email, Department) tables USR21, USR02, ADRP, ADR6 and ADCP must be accessed.
    In terms of CC tables:
    VIRSA_CC_SYSUSR >> UserIDs and Systems ID relationship
    VIRSA_CC_GENOBJ >> User, Role and Profile master data
    VIRSA_CC_GENACT >> User-action, role-action and profile-action data
    VIRSA_CC_GENPRM >> User-permission, role-permission and profile-permission
    VIRSA_CC_SAPOBJ >> Action-permission
    VIRSA_CC_OBJTEXT >> Object descriptions (ACT, PRM, FLD, VAL, ORG)
    Hope this helps.
    Regards,
       Imanol

  • How are objects and values passed in rmi?

    how are objects and values passed in rmi?

    In Java there are two methods of passing arguments and returning results.
    1) by value
    2) by reference.
    While invoking local methods, Java passes primitive types by value and objects by reference.
    However, while invoking remote methods both these data types are passed by value, except for the objects being exported. The reason is that two different JVMs are involved and thus memory address references of one are meaningless for the other. However, "pass by value" for values of type object is implemented as a deep copy.

  • Manually added auth objects and Derived roles

    If there are manually added auth objects in the parent role do they come across to the derived roles?
    Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

    Yes, any auth objects will come across to derived roles when you click 'generate derived roles' from your parent role. Basically it's copying your parent role authorizations to derived roles except org. level data (if you had maintained them through the 'org. maintenance' button and not by adding them in individual objects).
    Yes, manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles' from your parent role.
    If you just derived the role menu and didn't copy the authorizations (generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
    http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

  • Single character wildcards ? PFCG, role, auth object

    Hi community,
    we want to implement a naming convention to control access to queries by query names, auth object S_RS_COMP,  RSZCOMPID. The naming convention is e.g.: Z_xx_ST_yyy.
    means:
    digits 1-2: Z:_
    digits 3-4: custom 2-digit identifier
    digits 5-8: "_ ST _" stands for standard query
    digits 9-30: custom name
    we need to distinguish the users by the 2-digit identifier. but some power users are authorized for all standard queries, so we want to use a single character wildcard for digits 3-4. we tried with +, $, %, &, # and <blank>, but nothing worked.
    also asterisk Z_ * STyyy does not work, it works like Z_ * then.
    any idea? many thanks and
    cheers,
    Phil
    Edited by: Phillip Lee on Jun 17, 2008 3:16 PM

    Hi,
    You are in BI 7.0? We also experienced a similar problem when we tried using a wildcard character in 'Analysis authorization'. That wildcard character did not work. Finally we had to hard-code without the wildcard character.
    Regards
    S Meyyappan

  • Table of Authority Object and value Per User

    Hi
    I have created a Z authority object, is there a table that can show me all the users that have this authority object and its value 
    Thanks Ami

    Hi,
    thanks for your answer. I know the parameter: FOR USER user. But I don't want to check
    the authority, I want to know in my example which value the user has in fields ACTVT and STATM.
    Thanks.
    regards, Dieter

  • How to create automatically users&roles in CUA and in child systems?

    Hi,
    I have a CUA on 2 child R/3 systems (test and training) and 2 portal systems (test and training).
    I need to create a web application to automatically create test users and training users in CUA and see them in the R/3 child systems, and at the same time to automatically create roles in CUA and the R/3 child systems for those users (we suppose that the role is already stored in a table).
    Are there any standard BAPIs or function modules that can do this job?
    Can a role created automatically in CUA be seen automatically in the portal child system?
    any help?
    Thanks&Best regards

    You can use one of the various ways Java EE provides you, e.g. container managed authentication.
    It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
    You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
    Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/].

  • How to create automatically users&roles in CUA and child systems

    Hi,
    I have a CUA on 2 child R/3 systems (test and training) and 2 portal systems (test and training).
    I need to create a web application to automatically create test users and training users in CUA and see them in the R/3 child systems, and at the same time to automatically create roles in CUA and the R/3 child systems for those users (we suppose that the role is already stored in a table).
    Are there any standard BAPIs or function modules that can do this job?
    Can a role created automatically in CUA be seen automatically in the portal child system?
    any help?
    Thanks&Best regards

    Thank you all. I got the solution.
    Regards
    Rajesh

  • Setting which aliases users see in dock and desktop customization when log?

    Hi,
    In our school we have about 16 Mac minis running OS X 10.4.11, which we have bound to our MS Windows Server 2003 Active Directory domain.
    Our student users log onto the Macs with their Active Directory logon accounts, no problem.
    What I am wondering is if it is possible to customize the dock and desktop so that when any user logs on with their network accounts they only see the applications on the dock or desktop that I want them to see.
    Any help much appreciated.
    James

    Hi, thanks for this; however, it doesn't seem to set the default dock when a new student user logs on.
    I logged on as a local admin. I then customized the dock to display which shortcuts I desired. I then logged off and logged on as root.
    Logged on as root I copied the com.apple.dock.plist from the local admin account to /System/Library/User Template/English.lproj/Library/Preferences.
    I then rebooted the mac.
    Next I created a new student account in Active Directory and logged on as it in OSX but the dock just had all the applications it normally would.
    Could you or anyone advise me please?
    Many thanks
    James

  • Auth Objects on ME23N

    Hi Guys,
    I'm trying to find the authorisation objects that control the GRIR information on the Display PO's tcode - ME23N.
    I have two separate roles with the ME23N tcode - one shows the GRIR info in the details section and the other does not.
    Just trying to understand which auth object controls the display and which values to assign to have it displayed or not.
    Rgds,
    Thinus

    I use SU24 to see which auth objects are involved.
    The problem I have is that the amounts on the Purchase Order History tab is not showing when I assign one role, but when I assign the other, it does.
    I guess what I should do is do a comparison on the auth objects and values with the 2 ME23N's in both roles.
    This might give me an indication on the possible differences.
    Comments??

  • Job role design - transaction role and auth object role

    Hi all, please kindly comment following job role design:
    (1) transaction role:
    Keep transactions in single job role to represent business processes in different application areas, e.g.MM: maintain PR, PO, OA.   CO: maintain cost center, internal order   HR: maintain org structure, personnel management.
    The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
    (2) authorization role
    Keep application component related authorization objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role.  Objects of HR in HR role.
    Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role.;....
    User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
    with MM transaction role + company A MM role + company A CO role.
    Please let me know the pros and cons of above design.  Thanks.
    Regards,
    Donald
    * I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role

    Brent Van Dyck wrote:
    > Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
    That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be fewer roles.
    In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
    But splitting cube / characteristics / key figures or infotype / personnel group / auth code into different roles can only go wrong.
    Another mistake some "value role experts" sometimes make is that they don't want SU24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side effect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
    Cheers,
    Julius

  • How can I limit/control the addition of auth. objects to security roles?

    Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certain type of auth. objects, and it didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
    Edited by: Armando Salas on Nov 29, 2011 7:41 PM

    Hi Armando,
    Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
    I hope this helps you
    Regards
    Eduardo

  • Report of User role details

    I have to report the role details of a user, based on the user given on the selection screen:
    the transactions assigned to the user, the objects in that role, the fields in the object and the values in the fields.
    user | Transaction code | Object | Field | actual field values | assigned field values |
    Please tell me in which table we can find this data.

    Hi,
    There are lots of tables connected to roles. These were useful for me:
    AGR_DEFINE - Role definition
    AGR_PROF  - Profile name for role
    AGR_USERS - assignment of roles to users    "<- this one you need
    AGR_1251  - roles with authorization objects and value (as seen in su01 -> roles)
    AGR_1016  - Name of the activity group profile
    USR10     - User master authorization profiles
    UST12     - user master authorizations
    USOBT     - Relation transaction > authorization object; which objects are checked
    Regards
    Marcin
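
Added example, not part of the original thread and not taken from any SAP or audit tool: one way to assemble the user | role | authorization | object | field | value list asked for above by joining downloads of AGR_USERS and AGR_1251 in an in-memory SQLite database. The rows are constructed sample data (role and authorization names reuse the examples at the top of this page), the column names are those of the two tables, and the function names are hypothetical.

```python
import sqlite3

# Constructed sample rows in the layout of SE16 downloads (not real system data).
AGR_USERS = [  # AGR_NAME, UNAME, FROM_DAT, TO_DAT
    ("Z_ROLETEST_001", "TESTUSER01", "20240101", "99991231"),
    ("Z_ROLETEST_002", "TESTUSER01", "20240101", "99991231"),
    ("Z_ROLETEST_002", "TESTUSER02", "20200101", "20201231"),  # expired assignment
]
AGR_1251 = [  # AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED
    ("Z_ROLETEST_001", "S_TCODE", "T-D524126500", "TCD", "FB01", "", ""),
    ("Z_ROLETEST_002", "F_BKPF_BUK", "T-D524126600", "ACTVT", "01", "03", ""),
    ("Z_ROLETEST_002", "F_BKPF_BUK", "T-D524126600", "BUKRS", "1*", "", ""),
    ("Z_ROLETEST_002", "S_TCODE", "T-D524126600", "TCD", "FB02", "", "X"),  # deleted
]


def build_db():
    """Load the two extracts into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AGR_USERS (AGR_NAME, UNAME, FROM_DAT, TO_DAT)")
    conn.execute(
        "CREATE TABLE AGR_1251 (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH, DELETED)")
    conn.executemany("INSERT INTO AGR_USERS VALUES (?,?,?,?)", AGR_USERS)
    conn.executemany("INSERT INTO AGR_1251 VALUES (?,?,?,?,?,?,?)", AGR_1251)
    return conn


def user_auth_rows(conn, on_date):
    """User, role, authorization, object, field, low, high for every role
    assignment valid on on_date (YYYYMMDD), skipping deleted role entries."""
    return conn.execute(
        """SELECT u.UNAME, u.AGR_NAME, a.AUTH, a.OBJECT, a.FIELD, a.LOW, a.HIGH
             FROM AGR_USERS u JOIN AGR_1251 a ON a.AGR_NAME = u.AGR_NAME
            WHERE ? BETWEEN u.FROM_DAT AND u.TO_DAT AND a.DELETED = ''
            ORDER BY u.UNAME, u.AGR_NAME, a.OBJECT, a.FIELD""",
        (on_date,)).fetchall()


def value_matches(low, high, value):
    """True if value is covered by one LOW/HIGH entry. Simplified: ranges are
    compared as strings and only a trailing '*' pattern is supported."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def users_with(conn, obj, field, value, on_date):
    """Users whose valid roles contain obj/field with an entry covering value.
    Checks one field at a time, not a full authorization check across fields."""
    return sorted({r[0] for r in user_auth_rows(conn, on_date)
                   if r[3] == obj and r[4] == field
                   and value_matches(r[5], r[6], value)})


if __name__ == "__main__":
    db = build_db()
    for row in user_auth_rows(db, "20240601"):
        print(" | ".join(row))
    print(users_with(db, "F_BKPF_BUK", "ACTVT", "02", "20240601"))
```

The result reflects what the assigned roles contain; authorizations a user holds through manually assigned profiles are not in AGR_1251.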

  • Urgent: User Roles assigned to Sales Orgs and document types

    Dear Guru's :
    I have job user roles one side and sales orgs on otherside. We are trying to find out which sales orgs are using what sales document types.
    All i am trying to achieve is connect those two and make a report. it needs to be done by SE16
    First step is :
    PFCG - Enter Role - Click glasses - Authorizations - Display Authorization data
    you need to identify the authorization objects for each T-code and then assign the appropriate values for each authorization object. these authorization objects assigned to a Role and then, allowed T-codes are assigned to Role and
    My Basis Person to Create one AUTHORIZATION OBJECT      V_VBAK_AAT  Sales Document: Authorization for Sales Document Types  and assign your required transaction codes to that authorization and assign them to the users.
    User IDs which can use this Role (set of authorizations) can be assigned to this role.
    Second step is achieved through SE16 ;
    Execute this two table :
    There is no one-shot for this However there is a way out for this outside SAP.
    You can download AGR_1251 and AGR_1252 for the selected roles and use MS Excel or Access to do this compare for you. It's a bit more tricky than said; however, once you get the hang of it, I think it's a good way of reducing the effort of making use of individual compare reports.
    Any one knows how to do this i am kind of lost here.  Could you help me to organize this process / steps.
    Full points will be given to who helps me answer my question.
    Thank you in advance.

    Dear Raghu and all:
    I am very much thankful to you for your answer, Raghu. This is exactly what I was looking for. Could you throw more light on this topic? Or do you know where I can get more info or more tcodes related to this topic? I am using SUIM and PFCG. I don't know much about these transactions. Could you please help me to understand this topic?
    I have the authorization object through which I found out which sales documents are attached to users. I don't know the next step in this process. Or does anyone know anything about this subject? Any help will be gratefully received.
    Van bills.

  • How get report of all user assigned tcode & object activity wise

    Dear All,
    We need to get a report of user-assigned tcodes and the activity for each assigned tcode.
    Regards
    jitendra Singh

    Hi Colleen,
    but we are checked all below table related to authorization & user
    1. USR02 --> User Name
    2. AGR_USERS --> User Name & Role Name
    3. AGR_TCODES --> Role Name & Transaction Code
    4. AGR_PROF --> Role Name & Profile Name
    TSTCA
    Also,
    5. AGR_DEFINE --> For more detail role information
    USR01 contains the runtime data of the user master records
    USR02 is the table containing logon information such as the password
    USR03 includes the users' address information
    USR04 contains users' authorizations
    USR05 is the users' parameter ID table
    USR09 contains user menus
    USR10 is the table for user authorization profiles
    USR11 contains the descriptive texts for profiles
    USR12 is the user master authorization values table
    USR13 contains the descriptive short texts for authorizations
    USR14 contains the logon language versions per user
    USR30 includes additional information for user menus
    USH02, USH04, USH10 and USH12 contains Users and profile and
    authorization change history data.
    Tables related with authorizations objects and authorization fields are as follows:
    TOBJ is the authorization objects table containing the authorization
    fields for each.
    TACT contains the list of standard activities authorization fields
    in the system.
    TACTZ is the table which defines the relationship between the
    authorization objects and the activities in those objects containing
    the Activity authorization field.
    TSTC is the transaction code table where authorization objects
    and values can be defined.
    but we are not getting any fruitful result.
    We are trying to create an SQVI query but cannot find the corresponding table.
    We created user against role and role against tcode, but are not getting tcode against activity field value for a particular user.
    Please help me with the same.
