CUA  :  SU01 role change

Similar Messages

• CUA: User & Role Master Data Change Document

  Hi Team,
  I would like to know is there any way to find out CUA user master & role assignment change document data from CUA Central System & All Targets Systems.
  I am looking for user friendly tool similar to SUIM.
  I have looked into other methods of CUA change document tips and tools but it is not so fruitful to convenes my Audit team.
  FYI.  System Users (CUA_ADMIN) is not the user which i want to see in my change document window, i want to know actual security consultant ids within that.
  Kindly get back to me.
  Appreciate, for your response.
  Regards,
  Asif

  HI Matt:  Your understanding is correct for CUA Tier2 Setup.
  FYI.
  We have successfully configured trusted relationships between SAP Systems with the help of my BASIS & UNIX team.
  To do this:  We have performed following actions:
  u2022     Trusted System trust relationships for the RFC Connection has been maintained from the Central to the Child System and from All Child to Central System via transaction code SMT1.
  u2022     UNIX Database level trusted relationship entries has also been added with the help of UNIX Team
  u2022     RFC Destinations has been reconfigured with Current user option (SM59).
  u2022     For Security Administrator special authorizations has been provided in order to get trusted relationship RFC authorizations. 
  Note:
  I have added Full Authorizations under these new special objects S_RFC, S_ICF, S_RFCACL, & S_RFCADM  and same was assigned to all our Security Administrators.  Remote Logon & Trusted Connectivity is working fine for all of us.
  We are 4 Security Administrator here, And for All of us this new concept of Trusted RFC for CUA is working fine.
  New Authorizations updated on both CUA and the Child System.
  Our ids are replicating as a log in the last change by field of SU01 and change document of SUIM. Happy to see this. 
  But unfortunately there are strange ABAP dumps are started generating from CUA (SolMan) System soon after this Implementation.
  When we look into ST22, runtime errors CALL_FUNCTION_SINGLE_LOGIN_REJ &  CALL_FUNCTION_SYSCALL_ONLY are keep generating.
  Following are the example of dump logs and all the dump are with similar fashion but with different user-ids within that.:
  Short text:  No authorization to logon as trusted system (Trusted RC=0).
  What happened?  : Error in the ABAP Application Program The current ABAP program "SAPMSSY1" had to be terminated because it has come across a statement that unfortunately cannot be executed.
  Error analysis:  An RFC call (Remote Function Call) was sent with the invalid user ID "(End user user-ids)".  Or the calling system is not registered as trusted system in the target system.
  How to correct the error: The error code of the trusted system was 0.
  Meaning: 0    Correct logon as trusted system mode
  1 No trusted system entry for the calling system "BIP " (like other child System) or the  security key entry for the system "BIP " is invalid
  2 User "111552 " (Type of End user) does not have RFC authorization (authorization object
       (S_RFCACL) for user "End User id " witl client 100.
  3    The timestamp of the logon data is invalid
  The error code of the SAP logon procedure was 6. (6    No external user check)
  My Point: I think All these End users are trying to connect CUA Trusted RFC connections through individual different child Systems..
  Why they need to Connect to CUA and for what reason they need special Trusted RFCu2019s authorization???
  Pls help me to fix this problem.
  I have gone through the old SDN posts related to the same topic and few SAP notes and help link but it wont help.
  Note 1579570 - Problem with trust relationship after using HMAC
  Note 128447 - Trusted/trusting systems
  Note 131387 - No authorization to log on as a trusted system
  Note 986707 - No authorization to log on as a trusted system (RC=1)
  Few More SAP Notes: 986707, 333441, 1151790 & 128447
  http://help.sap.com/saphelp_nw04/helpdata/en/8b/0010519daef443ab06d38d7ade26f4/frameset.htm
  We donu2019t see any logs under SCUL, BD87 & ST01.
  Please anyone can assist me on this.
  Regards,
  Asif

• SUIM - Track Role Changes Please Help

  Dear Friends,
  I want to know is there anyway or any report that track the changes done to a role for last 3 months - addition/deletion of tcode and Auth. Object Values Changes and when it was changed. I used SUIM (All Change Documents (Technical View). All I want to know is Any report or Program that tells me Role changes happened in last 2 months (for examples 3 tcodes were added and activity values have changed in some objects).
  It gave the info like Role Name, Date, Time, Changes by, TCode, Change ID, Table, Short Text, Table Key. I Think Table key is having some information. I am not able to understand table key 500xxxx.L325P                    TYREEWL     2006011899991231
  This information is not useful as it does not give any track changes. SUIM is good to find out what changes were made to a User, BUT when it comes to Track Role Changes, it does NOT give much information. We can also do some table search on AGR and UST* tables to get this information, but it is tedious to go to so Many tables and find out.
  Your help is greatly appreciated. If this is not a right forum, it would of great help if you can forward this to the right forum.
  Thanks
  Kumar
  Below is what i found out.
  xxxx.L325P     03/06/2006     18:00:18     FF_SECURITY     SU01     D     AGR_USERS     Assignment of roles to users     500xxxx.L325P                    TYREEWL     2006011899991231
  xxxx.L325P     03/06/2006     18:00:18     FF_SECURITY     SU01     D     AGR_USERS     Assignment of roles to users     500xxxx.L325P                    TYREEWL     2006012499991231
  xxxx.L325P     03/06/2006     18:00:18     FF_SECURITY     SU01     I     AGR_USERS     Assignment of roles to users     500xxxx.L325P                    TYREEWL     2006030699991231
  xxxx.L325P     03/06/2006     18:00:19     FF_SECURITY     SU01     D     AGR_USERS     Assignment of roles to users     500xxxx.L325P                    MASTERD     2006011899991231
  xxxx.L325P     03/06/2006     18:00:19     FF_SECURITY     SU01     D     AGR_USERS     Assignment of roles to users     500xxxx.L325P                    MASTERD     2006012499991231
  xxxx.L325P     03/06/2006     18:00:19     FF_SECURITY     SU01     I     AGR_USERS     Assignment of roles to users     500xxxx.L325P                    MASTERD     2006030699991231

  No it does not give any valuable information. for example, if the role was changed 17 times in last 2 months - added 4 new tcodes and deleted 7 tcodes and changes some activity values. when i did search on SUIM change documents, it gives me Table Key and some fields. I appreciate if you take a look at this issue. it gives me when it was changed, by whom and and also thru which tcode it was changed. But Never gave what Actually happened to the role in the last 1 month.
  SUIM is good for user maintenance and tells us the basic role information. any ideas are suggested.
  thanks
  kumar

• Portal favorites doesn't work after role change

  Dear all,
  we encounter the following problem in our EP:
  We have an WAD-Template stored in a folder. If a user is assigned to a specific portal role, he can see and execute the report. While executing he is allowed to store the report in his personal portal favorites.
  Last week we joined three old portal roles (names: OLD_A, OLD_B and OLD_C) to a new one NEW_A containing all reports of OLD_A, OLD_B and OLD_C. After that we assigned the new role NEW_A to all users formerly assigned to at least one of OLD_A, OLD_B or OLD_C. In addition we unassigned the users from the old roles.
  As a consequence the users now see all the reports of the old roles in their portal menu (as they are stored now in NEW_A) BUT the old favorites saved before the role change could not be opened anymore. The following error message appears:
  "Page not found or not available"
  We found out so far, that the favorite stores the combination of role and iview (in this case OLD_A and the iview-name). If the role changes the pcd-link is different.
  Does anyone know this behaviour? How can we change the access pcd-link in the content management manually or by script/program?
  Any help is appreciated.
  Best regards,
  Volker Schmitt

  Yes I saw this thread too. However, I think viveknidhi solution is pointless for us since we can not perform this operation manualy for each favorite...
  For the moment, based on what I red on forums and sap documentations, there is no workaround. Portal favorites are hardcoded pcd urls to the navigation node. If we modify our roles we will loose related favorites since the navigation node will change.
  I hope you will find a solution to move forward.
  Regards,
  Alexis M.

• Which all TABLES are afftected when we CANCEL a ROLE change in PCFG

  Hi,
      When we try to change any ROLE using PCFG transaction,which all Function Modules are called and what all tables are affected.
  Also please let me know , while cancelling the changes made on that ROLE which all Function Modules and Tables are affected

  Hello Avinash,
  The Tables that get affected by changes can be traced in ST05.
  Go to ST05. Activate Trace.
  Perfrom the changes in PFCG, Save the changes.
  Now got to ST05, Deactivate the trace and Display the Trace.
  You can check all the efected tables and so on in the log.
  Genearlly all Role changes are saved in AGR* tables...
  Hopefully this info shd help.
  br,
  Sri
  Award points for helpful answers

• Report to view composite  and master role changes

  Dear All,
  i would like to know list of master role and composite role changes, i searched in SUIM for change document for roles,which gives all role changes, which is not solving the pupose.my requirement is past perticular period any composite role got changed and new tcode got added to master role

  ramesh,
  try SUIM-change document -> For roles  / or reports
  Role:    RSSCD100_PFCG
  for  User         (RSUSR100)
    A profile    ( RSUSR101)
    An authorization (RSUSR102)
  A role assignment (RSSCD100_PFCG)
  just wanted to let you know that SAP meanwhile developed a new report RSUSR100N. I think it's only available with a certain SP level (at least in ECC 5.0).
  Thanks
  sri

• How to track role change

  We have several groups making changes to roles in our portal. Is there a way to track roles changes and where can I find this information.
  We have several plants and portal admins at each site making changes to "shared roles". I need to track these changes.
  Thanks
  Mikie

  How do you transport the roles and groups?
  You should have a development and a test portal.
  You should also look into the Netweaver Developer Infrastructure.
  This should give you some help on tracking the changes!
  You should also set up your authorizations for your admins so that they cannot change the "shared roles".
  Check the portal security guide at:
  http://help.sap.com/saphelp_nw04/helpdata/en/5c/429f00a14aa54195b1c63ae1512d10/frameset.htm
  Regards
  Fredrik

• Advice needed: what does your company log for SAP security role changes?

  My client has a situation where for many years, they never logged changes to SAP security roles.  By that I mean, they never logged even basic details, like who requested a change, tested it, approved it, and what changed!!  Sadly their ticketing system is terrible, completely free-form text and not even searchable. 
  Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details?   What details do you capture?  What about Projects, that involve dozens of changes and testing over several months?
  I plan to recommend, at least, they need to use a unique# (a ticket#, or whatever) for every change and update the same in PFCG role desc tab, plus in CTS description of transports... but what about other details, since they have a bad ticketing system?  I spoke with internal audit and change Mgmnt "manager" about it, and they are clueless and will not make recommendations.  It's really weird but they will get into big trouble eventually without any logs for security changes!

  Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
  I have questions:
  a) Do you want to make things straight
  b) Do you want to implement a versioning mechanism
  c) You cannot implement anything technical, but you`re asking about best "paper" practise?
  The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
  Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
  PFCG transaction usage will be curtailed to minimum if implemented fully.
  Do we really want to do things "outside" PFCG?
  @all:
  a) do you guys use custom approval workflows for roles?
  b) how tight your processes are? how much paperwork, workflow, tickets, requests and incidents you have to go through to change a role?
  c) who is a friend of GRC here, raise your hand
  Cheers Otto
  p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild

• Advise on Role Change of Functional Consultant to IS U Consultant

  Hi,
  I'm currently working as SD/MM Consultant with cross functional modules as team lead. I want an advise from the experts that can i change my current role to IS U consultant. What will be the pros and conss. Suggest me for which part of IS U will be suitable for me.
  Request you post your suggestions.
  Regards
  Sashikanth

  Hi Siva,
  Thanks for your reply. Can you give me some more inputs like a)current opportunities across the globe, b)certification details, c) future assumptions about IS U market, d) any trainings institutes etc.
  I'm currently working for CMMI Level5 company in India.
  I hope this will give more insight about the decision for role change.
  Thanks
  Sashikanth

• Trail of role changes

  Hi All,
  Is there any way for gettting information on changes to user association with roles. I would like to build trail on these changes.

  Jeremy,
  I know V12 will user NW UME.
  But this is the requirement currently i have.
  I could find xml file which will store list of users associated with particular role, but I need to configure an event for role changes so that I could read these xml file for changes.
  Also, when I look in to xml file I could see last modified date in the encoded form.
  Is it possible to get these info programmatically???

• Role change re-authorisation

  Hi
  We are looking for following solution using ORM(Oracle Role Manager)
  Can anybody help us on how to achieve the following requirement,
  Role change re-authorisation
  Ability to add additional authorisation or authentication requirements to specific roles
  e.g. if a user wish to change role within an application which is of higher privilege then prompt for authorisation.
  Any help will be highly apprecaited.
  Regards

  Hi,
  Using T-Code SUIM you can find the information regarding roles.
  Change Documents
  ->For Roles
  Role Name *
  From date Enter the date from which you want to see the changes
  In change Documents
  Choose
  . Create and Delete Roles
  I hope you are looking for this.
  Regards,
  Archna

• Bug: Role changes show up as blank messages

  When anyone in a call (at least P2P calls), change roles,  including role changes that normally don't show up publically on Desktop Skype,  the android version shows an empty chat message from the user that is changing roles.   I have several people reproducing this.

  Well its back to using Outlook for professional and Mac mail for leisure purposes untill this problem is resolved.
  I would still appreciate a response if and when there is a solution to this problem as I still want to revert to Mac mail.
  Regards.

• SU01 role add versus role change inside customer exit Z_USERS_TRANSFER

  We're using customer exit Z_USERS_TRANSFER (reference note 367660) to do some custom code after a SU01 save.  The "changed" roles are transferred through an internal table and I'm also querying the table AGR_USERS to get the userid's "current" roles into an internal table.  I also know the SU01 mode (create, change or delete).
  The problem is being able to differentiate between an added role or a changed role while in SU01 change mode.  For example, if I add role ABC the changed_role_itab has role ABC and the current_role_itab has role ABC.  If I then change role ABC to have a valid from date of 5/19/2007, both of the internal tables will have role ABC with a valid from date of 5/19/2007.
  I thought about looking at change documents but that may be too complicated.  Any suggestions?
  Thanks,
  Brad

  Hi Brad,
  I have a workaround for you. In the user exit do as following...
  Delcare a internal table withe structure AGR_DEFINE
  example : data: t_agr_define type agr_define occurs 0 with header line.
  now read the role information from the database table ( This would have old values since you have not changed yet inSU01).
  select * from agr_fine into t_agr_define where agr_name = <rolename.
  Now you  will have old value to be compared with another internal table current_role_itab.
  Reward points if its helpful.

• CUA and role assignment

  Hi forum,
  I have a CUA configured where I want the profile and the role assignment to be distributed global from the central system. I can create new roles with PFCG assign, users there, but I don’t see these new roles in the user details in SU01.
  What am I doing wrong?
  Thank you!

  Hi Chris,
  Seems pretty simple to me. Since it is a new role you need to do a text comparision.
  In the central system of CUA execute the report SUSR_ZBV_GET_RECEIVER_PROFILES in SE38 transaction.
  In receiving systems give all the systems that are part of CUA including the central system (in this particular case only central system can be input since the new role is present in central system) Now execute it and then do the role assignment wither through SU01 or PFCG once again. Check once more.
  After every new role creation this report needs to be executed. This is what is known as Text comparison of roles which can also be done in SU01. Check for the pushbutton for text comparision under tabsrtip Roles within SU01.
  Regards.
  Ruchit.

• BDC recording for SU01 - Roles

  Hi All ,
  I am using BDC recoording of the SU01 T code for the modification of the end date of the assigned roles .
  In few scenario there are few cases where user does have direct and indirect roles . I am able to change the end date of the direct roles via BDC in SU01 but since indirect roles which are depedent on direct roles and therefore the end date fields is not editable and hence on the warning my BDC is unable to update anything in SU01 .
  Can any one advise , how can i proceed with BDC recording to capture editable and noneditable fields ?

  Hi,
  it's not possible with BDC recording to know if a field is in input mode or only in output mode.
  PS : Search if you cannot used a BAPI. f.e BAPI_USER_*
  REM : Just one remark if you use time assignment
  Time-dependency of user assignment and authorizations                                                                               
  o   If you are also using the role to generate authorization profiles,  
      then you should note that the generated profile is not entered in   
      the user master record until the user master records have been      
      compared. When you specify the users for the role, the system enters
      by default the current date as the start date of the user           
      assignment, and 12.31.9999 as the end date. If you want to restrict 
      the start and end dates of the assignment, for example, if you want 
      to define a temporary substitute for a user, the system             
      automatically makes the changes to the user. This automatic         
      adjustment of the user's authorizations is executed using report    
      PFCG_TIME_DEPENDENCY. In this case, you should schedule report      
      PFCG_TIME_DEPENDENCY daily, for example, early in the morning, to   
      run in the background (in transaction SA38, for example). This      
      compares the user master records for all roles and updates the      
      authorizations for the user master records. The system removes      
      authorization profiles for invalid user assignments from the user   
      master record, and enters authorization profiles from valid user    
      assignments to a role.