S_BCE_68002111 vs RSUSR002

Similar Messages

• RSUSR002 not giving the full story (from an IT Auditor)

  From an IT auditor - old hand at IT - new to SAP
  I run RSUSR002 and input S_TCODE as the auth object and SE30 as the program name. 
  Mu userid appears on the resulting report, as someone who can run SE30.  But, when I try SE30 I am blocked and told I'm not authorized (good).
  So, where do I look, to get the truth about which transactions our users can REALLY execute?  At the moment it looks qwide open, but clearly its not.  Do I have to buy Virsa ?!

  +"Is there any clever report/program out there that will tell me that users A + B can successfully run transaction XXXX - i.e. something that will dig a bit deeper and go to the auth objects for these transactions?"+
  RSUSR002 is reasonably clever for this, even more so if you have synchronized the UST* tables with the USR* tables. But reasonably clever does unfortunately not make it reasonably easy nor anywhere near complete. The question is which objects/fields/values to check using rsusr002 to get the correct answer for the risk you are auditing, considering that the user might have many navigation paths available to get there, possibly also from other clients or systems. You get most of this tricky information from the authority-checks in the application coding, the SU24 check indicators, some customizing settings when used, and some system parameters.
  In the case of SE30, it has nothing to do with the transaction code, considering the risk. (You are probably blocked because of an S_DEVELOP 03 check at start of SE30 - go to SA38 or some other report starter and run report RSHOWTIM or use the "performance analysis" via the menu of SE38. Same thing... sort of)
  These are the obvious risks to audit:
    CALL FUNCTION 'TR_SYS_PARAMS'
         IMPORTING
              SYSTEMEDIT         = SYSTEMLOCK
              SYS_CLIINDDEP_EDIT = SYS_CLIINDDEP_LOCK
         EXCEPTIONS
              NO_SYSTEMNAME      = 1
              NO_SYSTEMTYPE      = 2
              OTHERS             = 3.
    IF SY-SUBRC <> 0.
      MESSAGE ID SY-MSGID TYPE 'S' NUMBER SY-MSGNO
              WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
      EXIT.
    ENDIF.
    IF   SYSTEMLOCK <> 'N' AND
       ( SYS_CLIINDDEP_LOCK = ' ' OR SYS_CLIINDDEP_LOCK = '1' ).
  *   system is not locked, component locked ?
      CALL FUNCTION 'TR_GET_DLVUNIT_CHANGEABILITY'
           EXPORTING
                IV_DLVUNIT       = 'LOCAL'
           IMPORTING
                EV_CHANGEABILITY = CHANGEABILITY
           EXCEPTIONS
                INVALID_DLVUNIT  = 1
                OTHERS           = 2.
      IF SY-SUBRC <> 0.
        MESSAGE ID SY-MSGID TYPE 'S' NUMBER SY-MSGNO
                WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
        EXIT.
      ENDIF.
      IF CHANGEABILITY = 'N'.
        MESSAGE S400(S7).
        EXIT.
      ENDIF.
    ELSE.
  * system locked
      MESSAGE S840(TR).
      EXIT.
    ENDIF.
    AUTHORITY-CHECK OBJECT 'S_DEVELOP'
                    ID     'OBJTYPE'   FIELD 'PROG'
                    ID     'DEVCLASS'         DUMMY
                    ID     'P_GROUP'          DUMMY
                    ID     'OBJNAME'          DUMMY
                    ID     'ACTVT'     FIELD '02'.
  (check that the system is not modifiable in SE06, check SCU3 for table T000 that the clients are not open (and ask for documentation when they were) and use rsusr002 for S_DEVELOP actvt 02 object type PROG)
  or
  FORM in_authority_check.
  * ec Dez. 2002 auf ACTVT 16 explizit prüfen!!
  *  authority-check object 'S_DEVELOP'
  *           id 'DEVCLASS' dummy
  *           id 'OBJTYPE' field 'FUGR'
  *           id 'OBJNAME' field rs38l-area
  *           id 'P_GROUP' dummy
  *           id 'ACTVT' field '03'.
    AUTHORITY-CHECK OBJECT 'S_DEVELOP'
             ID 'DEVCLASS' DUMMY
             ID 'OBJTYPE' FIELD 'FUGR'
             ID 'OBJNAME' FIELD rs38l-area
             ID 'P_GROUP' DUMMY
             ID 'ACTVT' FIELD '16'.
    IF sy-subrc NE 0.
      MESSAGE e099.
    ENDIF.
    IF trdir-name = g_testprog.
  * Authority-Check, Ausführberechtigung
      CALL FUNCTION 'RS_ABAPSUBMIT_AUTH'
        EXPORTING
          program_header   = trdir
          variant          = ' '
        EXCEPTIONS
          just_via_variant = 01
          no_submit_auth   = 02.
      IF sy-subrc NE 0.
        MESSAGE e099.
        LEAVE.
      ENDIF.
    ENDIF.
  (rsusr002 for s_develop actvt 16 object type FUGR -> nothing else, unless you are on a release lower than 6.40 and have not manually implemented OSS 587410, in which case check s_develop 03 FUGR only)
  This is the easiest way I can think of auditing most of "SE30".
  Also note that once someone gets their hands on authorizations such as these the chances of finding them via RSUSR002 or such tools will decrease rapidly.
  Cheers,
  Julius

• Auditing Authorisations - RSUSR002 or a Tool?

  I'm an IT auditor and have recently been working on a number of audits of SAP systems in particular looking at segregation of duties and access to certain transactions. I use RSUSR002, S_TCODE and then the relevant authorisations objects and activities etc. by looking in SU24.
  I've never had use of a tool to carry out this and was wondering what feedback people have from using them. CSI I know is an example of one and that the big audit firms also have proprietary tools.
  As each installation I look at is generally different and different transactions and authorisation objects are used I was wondering is my manual RSUSR002 way nearly as effective and fast or do these tools really speed up the process. If anyone has any experience using the tools and could provide feedback or if there are example of the data they produce freely available that would be very useful.

  Hi,
  I've never had use of a tool to carry out this and was wondering what feedback people have from using them. CSI I know is an example of one and that the big audit firms also have proprietary tools.
  I am a happy (co)author of a tool that you may find useful. My company`s customer fo find it useful. But I am not going to sell you anything here, I would like to ask you some more questions (instead of giving answers, sorry for that).
  I would like to know:
  - how would you describe your skills? Varying from "push the button user" to "revising the security concept type of auditor" we need to know more about what you can do, maybe what you were instructed to do, what you were paid to do, how much time do you have.
  - I guess you work for an auditing company, not a customer, is that right? Because that would make a difference. Internal auditors are trying to protect the company (so I heard), but the external ones know that finding "bugs" is "bonus-relevant"
  - do you want to audit SoD, or overall authorization concept or what exactly do you audit? Transaction level indicates me, that the "depth" of the audit might not be very "deep" or could be different in goal or scope from what I ahve experienced so far
  I am not a native Eng. speaker and am affraid that this might sound sarcastic... please, no offense, I just want to know more about what you want to do, because only then I can have suggestions. Otherwise I would be suggesting nonsense (or just saty quite:)).
  Have a nice day and good luck with the tasks,
  cheers Otto

• RSUSR002 - search by ranges

  Hello Everyone,
  I need to run a report (RSUSR002) which would list all users being able to change/view G/L records for a number of company codes. In the "Selection by Values" area of the report, I enter F_SKA1_BUK, for "Activity" I put 2 AND 3, however I am not sure how to put ranges in the "Company Code" area.
  Does anyone know what is the correct syntax for ranges (i.e. 1111-3333) and also for being able to search for more than 2 values in the activity field(i.e. 1, 2, 3, 4)?
  Many thanks,
  Martin

  You can get the same informayion if you`ll go to table
  AGR_USERS and AGR_1251!!
  also refer to thread !!
  Re: Security reports
  Hope this’ll give you idea!!
  <b>P.S award the points.!!! !!!</b>
  Good luck
  Thanks
  Saquib Khan
  "Some are wise and some are otherwise"

• RSUSR002 and Valid To date

  I am currently running 4.6C and when I execute RSUSR002 to show which users are assigned to a role the data being returned is ignoring any valid to dates which have been set for that role within a user's account, thus we are receiving "false positives" when trying to determine what users are actually assigned to an activity group.  I know there are other methods of obtaining this data, but does anyone know how to get the correct data returned via rsusr002?
  Thanks!!

  Hi Lisa,
  as Lakshmi stated the valid to dates returned by RSUSR002 are the dates from the user (as this is a user report). An option to filter afterwards only the valid assignments is in the output list switch to "roles". That output you can then filter for valid (direct) assignments only.
  Apart from that the report is showing the assignments of all roles (regardless of their valid to dates) as the role is still assigned to the user. The only thing that is effected by the role's valid to dates are the actual profile assignments. If you want to get rid of your false positives you have to remove outdated roles in regular intervals.
  Kind regards
  Petra

• Accuracy of RSUSR002

  Hi there - hope all is good with everyone. I am encountering an issue with one of SAP's built-in reports and I was wondering if there is a workaround for this. I have been given the task to review user access in our SAP instance and I used report RSUSR002 to generate a list of all users who can create entries in the chart of accounts. The query I am running is as follows:
  S_TCODE=FS00 with authorization objects F_SKA1_BUK (ACTVT=01 and BUKRS=), F_SKA1_KTP (ACTVT=01 and KTOPL=).
  I generated a fairly large number of users who can do this and one of the users on the list decided to test FS00 and check whether she is really able to do this. When she tried creating a master record an error was generated that she was missing authorizations. Further check of her roles identified that she has only F_SKA1_KTP (ACTVT=03).
  I re-ran report RSUSR002, this time querying only for users who have F_SKA1_KTP (ACTVT=01) assigned and she comes up again on the list. So it looks like the results produced by RSUSR002 are incorrect for some reason. This is quite disappointing since I spent a week testing for various combinations of t-codes and auth objects and now it looks like the result is completely unreliable. Any advice, ideas suggestions for workarounds or root cause will be very much appreciated.
  Thanks so much!
  Martin:

  From many transactions (e.g. FB03) you can display accounting documents and "see" the GL account they are posted against.
  If you double-click the account you will be in FS00. The transaction code itself is not necessarily critical, it is more dependent on the authorizations to use the transaction.
  For auditoing, you can in almost all cases forget about the transaction code! The most important aspect of transactio code contexts is that you can turn some objects OFF for authority-checks (the return code is set to 0).
  See the documentation on transaction SU24 and SE97 and the FAQ thread (top of the forum).
  Cheers,
  Julius

• Schedule background job

  There is a background job that currently runs every 1 min.
  How can we schedule it to run only from 9am to 6pm everyday?
  (Could not find any options in SM36 for that one!)
  Any inputs will be highly appreciated.
  Thanks
  Prasad

  Prasad,
  Please follow the below steps:
  1. Go to SM36 give the job name i.e. ZABC_MYJOB
  2. Click on Steps (Upper left corner - 2nd Button) and assign the ABAP report name .i.e. RSUSR002, Check and Save.
  3. Click on Start Condition (Upper left corner - Ist Button), click Date/Time and specify the Start Date and Time.
  4. Select "Periodic Job"  and click on Period values now click on Other Period
  5. Now input 1 in the Minute Box. , and check and save.
  6. Again Check and Save. and Again Check and Save.
  7. Now save the job.
  This job will run after every 1 minute.
  Thanks
  LK

• Users by default logon language

  Hi
  I am trying to find out how many users logon to our global EEC5 system from different regions/countries, due to the lack of information entered in SU01 during the creation of users, I think the only reliable information to search on is 'Logon Language' in SU01 defaults, as we do setup the users to logon via their region logon language in the defaults, this should give me a rough guide at least !
  Looking at SU01 and the reports in SUIM, I cannot find a report where I can search using logon language as the key? I've had a look in the technical information for field logon language in SU01 and the field name is LANGU, but when I use this field name in SUIM --> Users by complex selection criteria (RSUSR002) -- > field name LANGU and value as language key = DE for example no matching results displayed, even though we have over 00 users with a logon language default set as DE.
  Does anyone know a way I can list the users by logon language set as their default?
  Thanks for any help.

  This details can be found from the Report RSUSR200 (users by Logon date and password chage). Please deselect all options and keep the following selected:
  Users Valid Today
  Users Not Locked ; Users Locked
  Users with no incorrect Logon attempts
  Dialog Users
  Users with Productive password
  Users with initial Password
  users with deactivated password
  Execute and check / download the list.
  Regards,
  Dipanjan

• User - Profile link table?

  Hi All,
  We are connecting via SAP JCo  to an ECC 6.0 system. The task is to retrieve all users that have a specific set of profiles.
  Currently we are using RFC_READ_TABLE on USR02 to get a list of User Names, and then with each name making a call to BAPI_GET_USER_DETAIL and then checking if the user has the specified profile.
  This works fine if almost all users have one of the specified profiles, but isnt so great if only a few of them do as it makes a call to the BAPI for every user. It would be much better if we only had to make the BAPI call for those users that we already knew had the specified profiles.
  My question, Surely there is a link table or somewhere that links the users to the profiles, Where abouts is this, or what is it called.
  Any help or pointers would be much appreciated.

  Hi Paul,
  There is a standard SAP report that list users assigned to a specific role (program name is RSUSR002).  I've had a quick skim through the code and there's nothing obvious, but you may find something of use in there.
  Regards,
  Nick

• Authorization: how to denying access

  In web.xml it's possible to define which url's are passwordprotected. Like:
  <security-constraint>
  <web-resource-collection>
  <url-pattern>Default/*</url-pattern>
  <url-pattern>Portaal/*</url-pattern>
  <url-pattern>Informeren/*</url-pattern>
  <url-pattern>Behandelen/*</url-pattern>
  </web-resource-collection>
  <!-- authorization -->
  <auth-constraint>
  <role-name>sr_developer</role-name>
  </auth-constraint>
  </security-constraint>
  My problem with this is that when I forget a url, the user can get there without password. That's not what I want. I want him only to be able to access the url's I mentioned, not more. Is that possible?
  Regards,
  Eelco

  Schöne guete Morge Julius
  Kei angscht, ich han kei Ziit verschwendet und bi au scho uf RSUSR008_009_NEW und S_BCE_68002111 choo, aber jetzt wiiter in englisch für üsi Kollege.
  Dear Julius,
  Many thanks for your hint. But I found already report RSUSR008_009_NEW and transaction S_BCE_68002111.
  But unfortunately there are 2 hindering factors:
  a) To set up a clean base for this analyizing tool set we need some more time and knowledge.
  b) SAP itself says there are some incorrect results for roles. See http://search.sap.com/ui/notes?id=0001888266
  (The problem is, at the moment we cannot /do not want to install those corrections, according to my Basis collegue.)
  As fas as I know about TCD S_BCE_68002111, this could/would be of great help.
  Do you have or do you know some more tutorials or tranining material about transaction S_BCE_68002111? Any help will be appreciated.
  Regards,
  Markus

• Help restricting report output

  Hi All,
  Just a quick caveat before I expose my significant ignorance, I have no SAP training or background. Nearly all of my SAP knowledge has come from Google Unfortunately I've come to an impasse that even Google can't help me with
  Ive been working on some log analysis for my client. Some of the information I get from them comes from SAP, so I've been attempting to automate the SAP request from Perl. Ive done a bunch of work and found out what their transaction names translate to, and I can now call the report from Perl using SAP::Rfc.
  The code I use looks like this:
  #!/usr/bin/perl
  use strict;
  use warnings;
  use SAP::Rfc;
  use Data::Dumper;
  my $rfc = new SAP::Rfc(
       ASHOST => 'host',
       USER     =>     $uid,
       PASSWD     =>     $password,
       CLIENT     =>     '100',
       SYSNR     =>     'PD1',
       TRACE     =>     '1');
  my $interface = $rfc->discover("INST_EXECUTE_REPORT");
  $interface->PROGRAM( "RSUSR002" );
  $rfc->callrfc( $interface );
  print Dumper \$interface;
  $rfc->close();
  What I need to do now is define the from date, from time, to date and to time to restrict the number of rows returned by this report. Ive looked through the traces and the Dumper dumps to try and find the answer with no luck, and as mentioned Google has let me down too
  Can anyone help me, or provide a small hint?
  Thanks for your help!

  Hi,
  I've been given reports that humans produce for review. They would like to automate the collection of the information from SAP as well as the analysis jobs that have been created.
  My initial idea was to have my job run the reports the humans do, however I've not been able to find any information on how to use SAPRFC to do such a thing, so I resorted to looking at tables via RFC_READ_TABLE. This is working so some extent however I currently can't find out what a users organisaitonal unit is, and even if I did, I don't know how to build a query with SAPRFC to do the lookup.
  Has anyone had any experience joining tables using RFC_READ_TABLE, or perhaps a more appropriate function?
  Thanks!

• Regarding ABAP Query authorization group

  Hi Team,
  This is regarding ABAP Query!
  I have created one authorization group, for testing i have assigned my id in authorization group.
  After creation of ABAP query,standard program got generated. Now i have created one transaction code at the last for the ABAP Query.
  Now the isse is even though i have deleted my id from the authorization group. I am able to execute the query from SQ01 and with the Transaction code .
  It should not happen...i want who soever id is mapped to the transaction code ...that member should only be able to run that query, otherwise there is no use of authorization group.
  Please help me out in this case.
  Thanks & Regards,
  Anil Kumar Sahni

  Are you sure that you don't have access to that authorisation group? Execute report RSUSR002. In the 'Authorization Object 1' block inform  S_TABU_DIS in 'Auth.Object' and accept. Then inform Activity=03 and Auth.Gruop= your group.
  You will get a list of all the users which, theoretically, will be able to execute the query. If you press 'Roles' or 'Profiles' in the toolbar of the listing you will get to know why you have authorisation. May be you have the SAP_ALL profile.
  Also, one more thing to take into account: how have you created your transaction? Is it referring directly to the generated report? Then it is an error, you should execute program SAP_QUERY_CALL. Read this post: [Relate transaction to query;

• SAP&_TRANSAKT

  hii
     i want to display all the users with a particular t-code so i am executing suim
  but when i am clicking on the below mentioned path
       user information system
          --->user
  >user by complex selection criteria
  > by transaction authorizations
  i am getting a error which says "Variant SAP&_TRANSAKT of program RSUSR002 is not the current version"
  can nebody plz help me on this
  regards
  siddharth

  Hello Siddharth,
  Guess you have done a support pack import or upgrade. This happens after that. Simple solution: Execute the report RSVARDOC  for the report RSUSR002 and the variant SAP&_TRANSAKT(generally do it for all variants of this  report).
  Just to elaborate if a support pack or upgrade changing the structure of slection screen of a report then variants are pretty much rendered useless as they are still based on old information. It not only happens for standard SAP variants but custom ones. Using RSVARDOC you are in a way recreating the variants in tune with the latest settings.
  Regards.
  Ruchit.

• Maintaining/updating a table without access to SM30

  Hello,
  Does anyone know if it is possible to change table entries without having access to SM30/31 (i.e. for example if being able to execute the program on which the transaction is based). I am trying to find all users who can modify the exchange rates table (TCURR). I executed report RSUSR002 with arguments: Authorization Object=S_TABU_DIS, Activity=02 and Authorization Group=FC32 (obtained it from TDDAT). Do you know if this approach is correct? If I add an additional filter, such as all users who also have access to transaction SM30, the list is much smaller?
  Thanks a lot!
  Martin

  Hi Martin,
  Have you looked standard program <b>RFDWZFF0</b>?
  Hope this will help.
  Regarsd,
  Ferry Lianto
  Please reward points if helpful.

• How to find the users who r assigned to profile sap_all through su01

  how to find the users who r assigned to profile sap_all through su01

  you can get into SUIM-->where used lists, check for users with profile SAP_ALL you can get a list of users who have
  it. and you can get into SUIM through SU01 from user information system link.
  you can execute RSUSR002 from SA38/SE38.
  RSUSR002  is the report which gets you the whereused list for profiles within roles, users.
  you can get it from transaction SECR ofcourse you are executing the same report.
  you can get from UST04 table and obviously USR04 also because sometimes you  miss some details from UST04 because of sync problems.