Maintain Critical TCode
Dear Expert,
Could you please help me? Due to system Audit I have maintain(register) in SAP the critical T-code through S_BCE_68001401 --> View critical combination --> Change critical combinations.
Transaction Combinations Critical for Security
Transactio Transactio Transactio Transactio TransactioText DeleteFlag
FB01 FB02 PFCG SE38 SU01 Customer's own ent
MMPV XK01 XK02 XD01 XD02 Customer's own ent
SU02 SU03 SE01 Customer's own ent
This the example T-code that I declare as a critical T-code
But when I execute by choose --> view by users
I get a list from SAP like this
AMALIA
SU02 Maintain Authorization Profiles
SU03 Maintain Authorizations
SE01 Transport Organizer (Extended)
FB01 Post Document
FB02 Change Document
PFCG Role Maintenance
SE38 ABAP Editor
SU01 User Maintenance
But actually amalia have MMPV authorization
My question is: is what T-code can be used to define the critical T-code and how to create a report
beside using SUIM.
Thank you in advanced
Best regrads,
Maya
Dear Chinmaya,
Your suggestion is actually the same that what I did, due to the restriction I define the critical T-code in SAP testing and transport to SAP Production. But the report result is not correct, because I have assign one critical T-code for specific user and the user is not appear in the report.
My question is why? Thank you
Best regrads,
Maya
Similar Messages
-
FF 5.2 - Critical TCodes for Log Analysis
Hi,
What is the typical config for "refer to critical tcodes in CC ZVRAT" in FF 5.2? is it better to maintain the Critical TCodes for FF in its Own table and not refer to CC
We are having issues with maing FF refer to the Critical TCodes list in CC, has anybody had this issue, if yes please list what the workround is.
ThanksHi,
What is the typical config for "refer to critical tcodes in CC ZVRAT" in FF 5.2? is it better to maintain the Critical TCodes for FF in its Own table and not refer to CC
We are having issues with maing FF refer to the Critical TCodes list in CC, has anybody had this issue, if yes please list what the workround is.
Thanks -
Authorization to maintain critical combinations / authorizations
It seems like there should be an easy answer to this, so pardon me if I've missed the obvious.
I've been looking into transaction RSUSR008_009_NEW (List of users with critical combinations), but when I click either the "Critical Combinations" or "Critical Authorizations" buttons at the top, I get a "No Authorization" error. What authorization do I need to maintain the critical combinations?
Thanks in advance,
DanThanks.. that was the first thing I did when I got the error, but the result was meaningless. Having just tried it again though, the results were more useful. Can't imagine what I did wrong last time.
Anyway, the SU53 indicates I need t-code VCUSRVARCOM_DISP.. but I imagine there's more to it than that. I found a few possibilities:
SU_VCUSRVARCOM_CHAN - Maintain View Cluster VCUSRVARCOM
SU_VCUSRVARCOM_DISP - Display View Cluster VCUSRVARCOM
SU_VCUSRVAR_CHANGE - Maintain View Cluster VCUSRVAR
SU_VCUSRVAR_DISP - Display View Cluster VCUSRVAR
Bonus points to anyone who can produce a URL to some official information about this.
-Dan -
Critical actions in SPM reports
Hi all,
One question in the way SPM retrives data from when reporting:
I have seen in SPM report "SoD Conflicts Report" that SPM integrates with RAR in order to identifiy SoD Conflicts.
Regarding, the critical actions filtering applied in SPM reports, where this information validation is it retrieved from? Critical actions defined in RAR OR critical actions maintained in R/3 transaction VFAT? What is to say in frontend (RAR) or backend (R/3)?
Many thanks in advance. Best regards,
ImanolHi Imanol,
It totally depends on your configuration. Go to SPM/FF -> Configuration tab. There is a parameter called 'Critical Transaction Table from Compliance Calibrator (VRAT)'. If the value is not maintained or if the value is 'NO' then SPM/FF will look at it's own critical tcode table. If the value is 'YES' then SPM/FF will look at RAR/CC for critical tcode table and you don't need to maintain critical tcodes in SPM/FF.
Regards,
Alpesh -
5.2 -- GOTO SE16 and enter TSTC for TABLE NAME. TCODE FIELD /VIRSA*
Should the following tcodes work? If so, how do I troubleshoot the ones that don't work? If not, how do they get configured to work? Can someone provide a link for documentation?
TCODE TTEXT
/VIRSA/ALERTGEN Activity Monitoring
/VIRSA/MICCONFIG Virsa MIC User mapping Configuration
/VIRSA/ORGUSRMAPPING Maintain ORGUSERS table
/VIRSA/RE_DNLDROLES Role Expert 4.0
/VIRSA/VFAT Firefighter
/VIRSA/VRMT Role Expert
/VIRSA/ZMGMTRPT Management Report Graphical View
/VIRSA/ZRTCNFG Risk Terminator Configuration
/VIRSA/ZRTDELLOCK Delete Role Lock
/VIRSA/ZRTRGLOG Risk Terminator Role Generation Log
/VIRSA/ZVFAT_U02 FirefightId Log summary
/VIRSA/ZVFAT_U03 Reason/Activity report
/VIRSA/ZVFAT_U04 FirefightId Transaction Usage
/VIRSA/ZVFAT_U05 Invalid Firefighter Ids/Owners/Cntrl
/VIRSA/ZVFAT_U06 SOD Conflicts in Firefighter
/VIRSA/ZVFAT_U07 Data Migration from Master to Text
/VIRSA/ZVFAT_V01 Log Report
/VIRSA/ZVFAT_V02 Log Report
/VIRSA/ZVRAT SAP Compliance Calibrator
/VIRSA/ZVRATBAK1 Update data for Mgmt Graphical View
/VIRSA/ZVRAT_C01 Security & Controls Policies
/VIRSA/ZVRAT_COVN Conversion of CC tables, Old to New
/VIRSA/ZVRAT_D01 Download Spool Requests by Job Name
/VIRSA/ZVRAT_L01 Conversion Utility for CC Text Table
/VIRSA/ZVRAT_L02 Conversion Utility for Long Texts
/VIRSA/ZVRAT_M01 Upload/Download CC tables
/VIRSA/ZVRAT_M02 Where Used list of Mit. Control Id/M
/VIRSA/ZVRAT_M03 Analyze disabled SOD TCode & Object
/VIRSA/ZVRAT_M04 Optimizer for SOD Data Table
/VIRSA/ZVRAT_M05 Where Used list of Control Id/Monit
/VIRSA/ZVRAT_MG1 Management Cockpit
/VIRSA/ZVRAT_P01 Display changes to Profiles
/VIRSA/ZVRAT_R01 Count authorizations in roles
/VIRSA/ZVRAT_RB2 Rule Architect
/VIRSA/ZVRAT_RB3 Rule Architect Conversion
/VIRSA/ZVRAT_S01 Monitor Conflicts & Critical Trans.
/VIRSA/ZVRAT_S021 Monitor Conflicts & Critical Trans.
/VIRSA/ZVRAT_S03 Download Objects for Tcodes
/VIRSA/ZVRAT_S04 SOD Conflicts for TCodes and Objects
/VIRSA/ZVRAT_S05 SOD Rule Wizard
/VIRSA/ZVRAT_S06 SOD Rule Validation Tool
/VIRSA/ZVRAT_S07 Non Reference Report
/VIRSA/ZVRAT_S08 User Access Report
/VIRSA/ZVRAT_S09 Comparing diffrent SOD Matrices
/VIRSA/ZVRAT_S10 Tcodes by Roles/Profiles, never exec
/VIRSA/ZVRAT_S11 Authorization object by Roles/Profs
/VIRSA/ZVRAT_S12 Transactions executed by Users
/VIRSA/ZVRAT_S13 Comparing Critical Tcode Matrices
/VIRSA/ZVRAT_S14 Comparing SOD Authorization Matrices
/VIRSA/ZVRAT_S15 Compare Sod Tcode & Authorization
/VIRSA/ZVRAT_S16 Comp.Calibrator Data Maintenance
/VIRSA/ZVRAT_U01 Count authorizations for Users
/VIRSA/ZVRAT_U02 Analysis of called trans in Cus.code
/VIRSA/ZVRAT_U03 Management Report
/VIRSA/ZVRAT_U05 Expired and Expiring Roles for Users
/VIRSA/ZVRMT_U01 Check Role Status
/VIRSA/ZVRMT_U02 Check Tcodes in Menu & Authorization
/VIRSA/ZVRMT_U03 Compare Users Roles
/VIRSA/ZVRMT_U04 List roles assigned to a user
/VIRSA/ZVRMT_U05 Where used list for roles
/VIRSA/ZVRMT_U06 List roles and transactions
/VIRSA/ZVRMT_U07 Create/Modify Derived Roles
/VIRSA/ZVRMT_U08 Analysis of Owners Roles and UsersHi Greg,
Most of the TCodes work but they are not being used. Which products do you currently have? Most of these tcodes are obsolete as they were part of old Virsa products. Here is the explanation:
-> At the start, Virsa had five different products namely Compliance Calibrator (CC), Fire Fighter (FF), Role Expert (RE), Risk Terminator (RT) and Access Enforcer (AE). Except AE, all other products were developed into SAP R/3 using ABAP so the transaction you see are coming from those four products. As of now, CC and RE has been moved to Java (same as AE) but RT and FF still reside in ABAP side.
-> You should be able to configure Tcodes related to FF and RT. You do not need to configure Tcodes for CC and RE.
-> You must be wondering how did you get all these Tcodes? Through the RTA (Real Time Agent) you have installed for GRC AC 5.2 in your SAP backend system. Even though, AC 5.2 does not need full blown products in the back-end, RTA still contains all of those products.
-> To start using these products, you will have activate BC sets. I do not recommend you to use CC and RE, if you are already using those products via Web front-end. FF and RT has some pretty good features.
-> Please follow AC 5.2 configuration guide to configure FF and RT.
If you don't want to use any of these, don't bother. These tcodes don't affect anything in your system.
Regards,
Alpesh -
About Condition Maintain in CRM
hello, CRM experts.
I have a qusestion here.
Actually I'm attending a CRM leasing project, and in contract, we use conditon type/function 4F30 to determine the Financed Amount of leasing.
I check the condition mapping configure that 4F30 is mapping from condition type/function 4A10.
But now I find I can't maintain condition record for 4A10.
I have checked the CAI tools and Maintain Conditions tcode '/SAPCND/GCM', but find no way to add condition record in type 4A10.
Could any one support on this?
What's the correct way to maintain this condition type?hello, Animesh.
Thanks for your reply.
Actually we expect the finance amount could be determine automatically base on the condition record or CAI, not manually.
So we should first maintain the condition record preliminarily.
the condition function for finance amount is 4F30, but if you check the condition type definition of this one, you will find the condition function is also 4F30, and no access sequence assign to it.
And checking the configure Financial Services->Leasing->Pricing->Define Condition Mapping, I find the 4F30 is copy from 4A10 (pricing process here is NEWO).
But the problem I face to is where is the type 4A10 record comes from?
I can't find a way to maintain condition record for type 4A10 in CAI or normal condition maintain tcode.
Could you help on this?
Or is there anyone know the correct way to make 4A10 or 4F30 condition work?
thanks in advanced -
Function module to read hierarchy based on values maintained in assigned au
Hi All,
Is there any standard FM which will return values in the hierarchy based on assigned authorization maintained in tcode RSECADMIN
example value maintained:
Type of authorization for a hierarchy - 1
Hierarchy level - 0
Area of validity u2013 2
FM should take care of user as the values maintained for type of authorization, hier level, area of validity will be different.
Help on this regard will be highly appreciable.
Thanks.Hi,
Pls try this:
RSNDI_SHIE_STRUCTURE_GET3
RSSH_HIERARCHY_READ
RSAR_HIERARCHY_GET
Looking up BW-Hierarchy with ABAP
Regards
CSM Reddy -
Hi all,
Please tell me that which number range we use to maintain in tcode OMH8. It says that its for service specification but what is this service specification exactly? I dont know what is service specification. Is it in service master or where?
Please respond.
Best Regards,
AI.hi al,
Use transaction ML10 to create service specification.
Service specification can be also be created in the form of Purchase requisition. The document must contain the set of service specification listing the necessary services in detail. The details of service specifications can be maintained at item detail level wher u can enter description, qty, price and other details. We can summarize both service with master records and without master records in service specifications.
We can have a maximum of 4 hierarchy levels at outline levels.
Regards,
Nani. -
EDI partner profile not maintained.
I am currently working on BI 7 and on trying to install ODS from BC its giving me error that
<b>EDI partner Profile is not maintained.</b>
Can somebody please send me the documents on how to maintain EDI partner profile for transferring data from ODS to Infocube.Hi Amit,
EDI partner profile is maintained using Tcode WE20.
YOu need to select LS (Logical System ) and your Source System.
And maintain Inbound and Outbound parameters here.
Check OSS Note 886102 - System Landscape Copy for SAP BW 2.X, 3.X and NW2004s BI
Step 6.8: Reactivate all partner profiles that carry the new logical system name after renaming
Execute Transaction WE20 to reactivate the partner profiles. Choose "Partner type LS (logical system)" enter the logical system name of the partner in tab "classification", change the partner status from "I" (inactive) to "A" (active) and save.
Hope this Solves your problem
Thanks
Ck -
Tcode SQVI post any security threat in production system ?
hi,
my user is requesting to use tcode sqvi in production, but authorisation team do not allow as the tcode will allow user to do query across.
is SQVI a security critical tcode that we should not let user have in Production system ?
comment and advice will be highly appreciated.
regards,
kent>
Kent SAP wrote:
> hi,
>
> my user is requesting to use tcode sqvi in production, but authorisation team do not allow as the tcode will allow user to do query across.
>
> is SQVI a security critical tcode that we should not let user have in Production system ?
>
> comment and advice will be highly appreciated.
>
> regards,
> kent
i'm sorry i saw this post too late ... of course SQVI is VERY security-critical. It requires S_TABU_DIS on every table used in sqvi. if you have more than one company code, more than one plant, more than one purchasing organisation you will no longer be able to prevent your user reading data from other organisational structures!! you might as well give access to SE16(N) then.
follow this thread about queries (sqvi is a small-time query) in the SDN security-forum for more on the topic:
How to override security for table access when using SAP Query?
Edited by: Mylene Euridice Dorias on May 29, 2008 1:31 PM -
Maintain notification long text in IW21
Hi Expert,
I have one requirement as follows:
In TCode IW21: Create PM Notification, client wants Notification Long should appear as a Template from Standard Text (TCode: SO10).
Now I want to fetch this Std. Text which is maintained in TCode SO10 and show it at Notification Long Text while creating Notification using TCode: IW21.
Please guide me how to do this functionality using any User Exit or any Enhancement available in SAP.
Thanks,
Jay.Hi,
Create SAP standard text
DATA: IT_TEXTS type standard table of TLINE,
wa_texts like line of it_texts,
THEAD TYPE THEAD.
**Populate text table
wa_texts-tdformat = '*'. "new line
wa_texts-tdline = 'First line of text'.
append wa_texts to it_texts.
clear: wa_texts.
wa_texts-tdformat = '='. "continuation line
wa_texts-tdline = 'still first section of text'.
append wa_texts to it_texts.
clear: wa_texts.
**Also need to Populate THEAD details which can be gathered from the Text Identification Details
CALL FUNCTION 'CREATE_TEXT'
EXPORTING
FID = THEAD-TDID
FLANGUAGE = THEAD-TDSPRAS
FNAME = THEAD-TDNAME
FOBJECT = THEAD-TDOBJECT
SAVE_DIRECT = 'X'
FFORMAT = '*'
TABLES
FLINES = IT_TEXTS
EXCEPTIONS
NO_INIT = 1
NO_SAVE = 2
OTHERS = 3.
Thanks,
Abhijit -
Delivery Instruction address is maintained in Tcode :- MEAN
Is there any table for MEAN ?
I could not search "Delivery address master data" by address number mentioned in purchase order under "Delivery Address" tabHi,
"MEAN" transaction internally calls "SADR" transaction. This transaction uses "SAPMSADR" program. This program uses the following tables
TSAD7(Address Groups) and TSAD8(Groups of Persons).
Regards,
Suman -
Restricting SCC4 Tcode, from the Role that was extracted from SAP_ALL profile
Hi,
Recently we have created a role extracting from SAP_ALL profile. We have deactivated many Basis, and other Critical Tcodes for our Dev & QTY systems by identifying the authorization objects.
But- for SCC4 we want to know if there is any other way to restrict the access.
Since we created the role by extracting the profiles from SAP_ALL. S_TCODE has * value, and S_TABU_CLI: has "X" value.
- problem is we cant deactivate or limit the usage of S_TABU_CLI:X as we have many ZTcodes for direct maintenance, which needs this AO.
- At the same time, we are trying hard to restrict SCC4.
So, please suggest if there is any other alternative way to restrict Tcode SCC4, by not being able to run using the New Role.
Regds,
Satish.First of, let me say that I fully agree with Sunil Bujade. The building block approach is the way to go when designing roles.
But if we're being practical, you could use authorization groups for tables (T-code SE54) and assign a custom auth. group to table T000. Then use this group to authorize (or actually not authorize) with object S_TABU_DIS.
Again, this is just a practical tip. The whole "create a role from SAP_ALL" thing is a totally different subject altogether.
Good luck!
Dimitri. -
Hi,
Critical Tcode 'MB1A' has been granted to many user IDs in PRD, and sometimes this is inappropriately used for posting Inventory Scrapping without proper approval. Can you please advise if there is any workflow or function to control posting this kind of trx in MM? If not, please advise the best practice to control this exposure.
Thanks and Regards
Chandru.Hi,
You can always ask your auhorization consultant for some help.
Or you can do a quick fix and:
Check out the movement type codes your users are incorrecly using and go to tcode OMJJ. Here, and for each code, acess 'allowed transactions' and eliminate the lines containing 'MB1A'.
Regards. -
Hello Friends,
What is the main use of SE43N (Area Menu Maintainance)
this tcode, can any one Explain me this.
Regards,
DVNS.Hi,
The CUA area menus are converted to tree navigation in Release 4.6A. The menu contents are automatically copied into a new data structure in Upgrade to Release 4.6A or higher. You can edit Area Menus with a new maintenance interface (Area Menu maintenance transaction: SE43 ).
Reporting Tree Integration
Only transactions could previously be put in Area Menus. From Release 4.6A you can also put all the types of reports which are in reporting trees, in Area Menus. The system automatically assigns a transaction code to call the report from the menu. If you have already put the report in another Area Menu, no new transaction code is generated, the unique transaction code already assigned is used.
You can create Area Menus from complete reporting trees with the migration transaction RTTREE_MIGRATION . The report transaction codes are generated automatically.
Reporting trees can only be displayed. They cannot be maintained. To modify the contents of reporting trees, you must convert them with the migration transaction. You can then modify the contents with the Area Menu maintenance.
Advantages of the new Area Menus
The new data structure has the following advantages:
Delinking by reference technique
You can construct a menu from submenus which are maintained separately in different systems.
Less restrictions
The new area menus have no nesting level limit like CUA menus. The allowed length of menu texts has increased to 75 characters.
Restrictions
The following components of the previous area menus are no longer supported:
Application toolbars
Fast paths
Procedure for creating area menu maintenance:
1. Enter a name for the Area Menu in the Area Menu input field. Do not use Umlauts or special characters in Area Menu names; they are not allowed in object names.
2. Choose Area Menu ® Create.
3. Enter a meaningful description for the Area Menu in the following dialog box.
4. Choose Insert entries.
regards,
vasavi.
kindly reward if helpful.
Maybe you are looking for
-
How can I convert a catalogue from PSE on an old PC to a PSE 11 catalogue on another PC?
I tried to do it according to the instructions in the help menu, however PSE 11 does not even recognize the file format.
-
I want to network a PC with my Mac. I did buy a router but was told be customer service of the router company that they did not support Mac software. I had my network up for about a half hour. I need to know what router to buy for my network. The PC
-
anyone know how to paint the track of a jslider until it's current value.. an example would be: http://www.geocities.com/shfarr/img/lafshots/controlpanelaccess.png
-
I recently had to do a clean install of my computer and tried to run my Adobe applications after installing them from a hard drive backup. It keeps giving me Configuration Error 1. I tried to take a different route and use my serial number to activat
-
Hello, Was looking at the CAR report in my cucm and i am seeing excessive packet loss,jitter and latency at the destination phone. while the users themselves dont seem to complain. Wondering if it has got to do with device at destination happens to b