Transaction to list userswith SAP_ALL&SAP_NEW Authorisation

Hi,
Can some one please tell me if there is a transaction by which we can find out the list of users that has the SAP_ALL and SAP_NEW authorisation profile assigned to it.
Thanks
Priya

Hi Frank,
There are ways of automating some of it if the assumption that change documents
are created holds true (meaning that the preventative measures of bypassing the
creation of change documents are implemented) and even better if an (ab)user
does not know about the control...
Here are some of them which I have seen: (actually one of them did see me first
One of the better solutions involved both an interrogation of user to profile
assignments (USR04) AND the change documents (USH04) => because the
profile might have been removed before the "current" detective control is
performed. For that (profiles or roles) there is a standard report called RSUSR100
to read the change documents.
Once identified, the available profiles of SAP_ALL and equivalents can be
automatically sent to you if you can get the system to create a job on an
hourly basis which submits report RSUSR100 for a "from -> to" period (like
from '31.12.9999' to 'sy-datum minus n days'). If it finds such a change document
or new existing entry in UST04, it fires an alert with details within the hour.
There are several different ways of doing this with very low effort, and in all
existent clients.... also without making the job visible in SM37, with a bit more
effort.
This would however be unlikely to detect that which you are refering to: What if
SAP_ALL is copied or the authorization is manually imported into a role which
the user already has? For that you would need to go looking in UST10 (the
assignment of authorizations to profiles) or ideally USR10; or USH10 for the
change documents. If you find &_SAP_ALL or equivalent authorizations in the
change documents or they do not match the profile names... then fire the same
alert as before. I cannot remember how this was done done (which report etc)
and do not have access to the system anymore.
That would however not pass all requirements for automated detective controls,
because someone may have changed the authorization values of those auths
which are already assigned via profiles which the user has... For that you would
need to go prying in USH12 to see whether anything changed. For the current
authorization, looking in UST12 is easier to understand than USR12; but they
should be the same. Note that this access would be instant so there is no
necessity (nor sense) in searching for change documents relating to the user,
only change documents for object <-> field <-> values which you know to be
equivalent to SAP_ALL.
Another approach is to use the SAP standard rules in tables USK* (search SAP
notes on it, and the report RSUSR008_009_NEW) to define critical authorizations
which cannot be assigned, or critical authorizations which cannot be combined
together. I have seen one solution which used it to prevent the assignment of the
authorizations from tcode SU01 etc. I also suspect that it is (more...) sustainable
and less maintenance work in the long run, than programming an own report or
buying an external tool (someone else's own report).
Cheers,
Julius

Similar Messages

  • List of users with authorised reports and tables.

    hi all
    i have another requirement, that is List of users with authorised reports and tables in SAP.
    that means user wise which reports and tables have authorisations to execute.  for that what is the tcode or table name?.  please help me in this..
    Thank you.

    Hi,
    In SUIM tcode expand transactions node der ull have for users..........
    Cheers,
    jose.

  • Missing SAP_ALL & SAP_NEW

    Hello,
    Newly installed SAP ECC 6.0,on a UNIX/ORACLE. The SAP_ALL&SAP_NEW profiles are missing, any suggestion?
    Thanks

    Hi Khalifa,
    I guess you are tring to assign SAP_ALL to some user just after fresh installation and you are getting this error. It happens sometimes.I guess you may not have done SGEN.
    To be sure that SAP_ALL exists  go to Su02 input SAP_ALL and press enter. if you get an output then you can be assured  SAP_ALL  exists which in any case it will.
    Now the solution of the issue.
    To solve this try this thing out. Go to transaction SU21 and use regenerate SAP_ALL option.
    You can also execute the report AGR_REGENERATE_SAP_ALL for this. Check OSS note 82390 before doing it. 
    Please award points if issue got solved.
    Regards.
    Ruchit.

  • Obsolete / Out dated Transaction Codes list in SAP HR / HCM Module

    Hi Experts,
    Please let me know the Obsolete / Out dated Transaction Codes list in SAP HR / HCM Module.
    Thanks in advance.
    Samanvita.

    Hi
    Thanks for your reply. I know the concept of Obsolete Positions.
    what I want is the list of Transaction Codes which are out dated / Obsolete due to release of new versions by SAP.
    Any Transaction Codes are out dated in SAP HR Module, or SAP came up with new Transaction Codes with (same + extra functionality), so that we can use the new Transaction Codes. 
    Example: SE16, SE16N
    Please let me know those Transaction Codes.
    Regards
    Samanvita

  • SAP_ALL & SAP_NEW profile

    Dear Freinds,
    What is difference betn SAP_ALL & SAP_NEW profile.
    is sap_new has all content of sap_all and new one or not.
    and also plz provide other standerd SAP profile.
    Thanks.
    sachin

    Hello Sachin,
    SAP_ALL:- Which is a composite profile, normally assigned to administrators.
    To assign all authorizations that exist in the SAP system to users, assign the profile SAP_ALL.(Normally all authorizations in the above sentence means,for SAP standard objects).
    SAP_NEW: - Composite profile to bridge the differences in releases in the case of new or changed authorization checks for existing functions, so that your users can continue to work as normal. This composite profile contains very extensive authorizations, as, for example, organizational levels are assigned with the full authorization asterisk (*).
    Let me say wat are the few things that i know which SAP_NEW authorzation object dont have the authorization to
    1. Create a user ,Changer a user's record
    2. Cant create a role and cant generate a profile.
    Let me say wat are the few things tat SAP_NEW authorization object have,
    like access to newly created customized objects
    If u have any more queries regarding the difference between these two, refer this link: -
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/52/6711b8439b11d1896f0000e8322d00/frameset.htm
    Regards,
    Kanthi. D

  • SAP_ALL & SAP_NEW profiles not available in new client after client copy

    I am setting up a BI Client and have been following some documentation to do this downloaded from SDN. In the process, i created my client 'client 200' assigned to a logical system then doing client copy from 'client 000' using transaction SCCL. There is a step when i now have to create a user in the new client (client 200 ) where i am supposed to assign the user to profiles SAP_ALL and SAP_NEW. Unfortunately these are not available in my newly set client but in 'client 000' they are available.
    Did i make some error in the client copy process or i still need to do something to have the profiles in 'client 200'. Please assist.

    There is no issue in rerunning the Client Copy.
    But please check what mistake you made in the first one.
    Here are the steps.
    Create an entry in SCC4.
    RZ10 modify parameter login/no_automatic_user_sapstar=0
    Check that you have enouf background and dialog processes.
    Restart the sap system
    then login with SAP* in the Client you made.
    Run Sccl and give the Profile SAP_All
    Select the source Client as 000
    and Source Client user Master as 001
    Check tthat you dont select the check box of TEST MODE.
    and schedule in backgreond.
    Thanks Rishi Abrol

  • Question: No transaction type listed during creation new transaction

    Per below screen, when I try to create a new transaction via CRMD_ORDER, but it seems blank on the type list..
    Any advice what is the issue about, thanks.

    Hi Peter ,
    The new transaction type should be created first via spro settings and the same can be added in CRMD_ORDER transaction via navigating to settings and " Specfic" tab maintaining the newly created transaction type .Once done the button is available for the newly added transaction type and the transaction can now be created .
    Also make sure in the customising while defining the transaction type it should not be set to inactive (falg should not be marked ) along with this the channel  - "GUI  CRM Webclient UI "should be mainatined for the transaction type in customising so that the same is availble in CRMD_ORDER .
    Hope this will help .
    Regards
    Shweta

  • Transaction Type List

    Hi
    Please advise if there a list with all the transactions types and their desciptions.
    For example
    Transaction Type 20 is a Goods Receipt PO
    Transaction Type 18 is A/P Invoice
    The above info is obtain from the query generator and I could check the transactions type by also selecting Journal memo , which indicates the corresponding Transaction type.
    However, I require all the list and not just the info on my system

    Hi,
    I am not sure of the link you are using to find notes. If you are a partner you can got to Solutions-> SAP Business One -> Support -> SAP Business One notes and here use the key words transaction type. It will be the 9th note on the list. Note 902807. Also when creating a message for SAP you can find the note search area.
    In the link provided in the above thread it a generic SAP note search not limited to Business One.
    Regards,
    Paul

  • Control transactions that are displayed based on authorisation

    Hi! We want to control the SCs, POs, contracts and during sourcing the type of transactions the users can see when running reports (such as monitoring report) or processing POs and contracts and carrying out sourcing based on the organisation they being to (such as company code). Is it possible to do that via authorisation? Else I will have to look at BADIs to do that.
    Cheers!
    SF

    Hi there,
    The BAdI you would use would be BBP_AUTHORITY_CHECK
    Please see the following link where documentation on authorization objects is located.
    Documentation to authorization objects:           
    Link: [http://help.sap.com/saphelp_srm40/helpdata/de/8e/ 
    1f7a40cf6bcd62e10000000a155106/frameset.htm]
    Hope this helps,
    Kind Regards,
    Matthew

  • Ksb2 transaction ( Display commitment item for CC )authorisation issue

    In my project some of the user are facing problem to display for the T code KSb2 ( Commitment Item report for cost center ).
    Mesage : No authorisation to display valuation view 1 for controlling Area .
    User has in her authorisation profile to display valuation view 0 ie legal valuation .
    In KSB1 transaction one option comes in Extras -> Actual valuation where the user can select 0 or 1 .
    But in Ksb2 this option is greyed out .
    So system is reading valuation view 1 & I am not able to understand from which settings ?
    Need help on this .Do we mention any where in the variant relating to Valuation View ?
    Thanks

    Hi,
    I think try to check with your Basis person. Do /nSU53 in KSB2 to see if any authorisation issue is involved.
    Regards
    Divraj

  • How can I find transactions using list of field names

    Hi,
    I do have some field names . I wanted to know how can I find the list of transactions that uses those fields in SAP?
    Regards,
    Aman

    Aman,
    It will be hard work, take the where-used list from SE11 for program, function groups and etc.
    Take the object name and go to SE80 and check in the tree if it has any transaction assigned.
    regards,
    Alexandre
    It

  • Restrict Authorization in SAP_ALL & SAP_NEW for SCC4 T-CODE only display

    hi,
    I want  to restrict 'Change' mode for SCC4 T-CODE to devuser having complete authorization with profiles SAP_ALL and SAP_NEW. Only 'Display' should be allowed for SCC4. For devuser no roles are assigned.
    For Other Users Roles are assigned with restriction in Authorization at "Basis: Administration-> Table Maintenance (via standard tools such as SM30)> Activity" for authorization object S_TABU_DIS only 'Display' is allowed.
    Abhijit.

    Jurjen Heeck wrote:>
    >... something else to make a part of SAP_ALL not work?
    2 ideas:
    - If the regeneration of SAP_ALL could check that the user running it does not have any SAP_ALL authorizations? Meaning, they would need to know exactly which non-SAP role authorizations (their technical names) have that authority in it. Many folks who only work with SAP_ALL don't know how to do that
    - If there were some way to isolate the program parts which are required to change SCC4 such that they can only be run with root priveleges, then you do not need to give your SAP system (with SAP_ALL) root access...?
    Disclaimer: Just ideas! Complete overkill!!
    => Does restricting the user's access sound like a much easier idea now?
    Cheers,
    Julius

  • Transaction Codes List

    Hey All,
    Where can I get the ENTIRE list of Transaction Codes and Standard Programs along with their explanations?
    Regards,
    Madhur

    Hey Anand,
    I am a Technical (ABAP) Consultant and am specially interested in all T-codes & Std. Programs related to abap workbench and other development tools.
    Additionally, I would also like to get the list for functional activities related to the most common modules viz. PP, MM, SD, FI/CO, PM, etc.
    I know that I can perform much of the functions using SPRO and SAP Easy Access, yet a detailed list would be extremely helpful.
    Thanks & regards,
    Madhur

  • Need to Download FAGLL03 transaction output list to XML

    Hi Experts,
    I want to download FAGLL03 transaction output to an XML file, but there is no such button to download the data.
    Is there any way to add button in application toolbar and to code corresponding download code in an enhancement.
    If is there any alternative, could you please let me know.
    Thank and regards,
    Srinivas.

    Hi Srini,
    Syntax for calling simple transformations are different... Like to call a Simple Trans..
    Syntax
    CALL TRANSFORMATION {trans|(name)}
                        [PARAMETERS {p1 = e1 p2 = e2 ...}|(ptab)]
                        [OBJECTS    {o1 = e1 o2 = e2 ...}|(otab)]
                        [transformation_options]
                        SOURCE {XML sxml}
                             | {{bn1 = e1 bn2 = e2 ...}|(stab)}
                        RESULT {XML rxml}
                             | {{bn1 = f1 bn2 = f2 ...}|(rtab)}.
    Regards

  • Specify G/L Accounts per Excise Transaction - details list

    HI,
    In CIN, Specify G/L Accounts per Excise Transaction, can anyone has the brief detial abt the G/l assignemnt column.
    Since it's confusing.. i.e i want to know where (column) to assign the G/L numbers for BED, ECESS, SECSS.. ETC..
    Pls give in detail...

    hi
    In this IMG activity, you specify which excise accounts (for excise duty
    and CENVAT) are to be posted to for the various transaction types. Enter
    all the accounts that are affected by each transaction type.
    If you use subtransaction types, enter the accounts for each
    subtransaction type as well.
    CHECK THE FOLLOWING DOC IN THIS PAGE 152ONWARDS
    http://help.sap.com/bestpractices/BBLibrary/html/J05_BB_Description_V2_EN_IN.htm
    REGRADS
    KUNAL
    AWARD IF USEFUL

Maybe you are looking for

  • Error in NWDS

    In developer studio, I am getting an error when building my java project that says "The project was not built since its classpath is incomplete. Cannot find the class file for com.sapportals.wcm.util.uri.RID. Fix the classpath then try rebuilding thi

  • All of a sudden my diplay appears to be larger than the screen. The display scrolls with the mouse. How to correct?

    My screen scrolls with the mouse to show the entire display. Looks like the display is larger than the monitor. Have no idea what teh cause ws but have been unable to correct. Any suggestions?

  • Image can't be found

    Hey, My college has just added 3 mac labs throughout our locations and I am having trouble finding the NetRestore image on other campuses. On my campus where our server is located I can find the image, but when I am on our other campuses (1 hour away

  • Eligibility Profiles: Derived Factors

    Hello We are trying to setup a benefits eligibility profile that uses a Length of Service derived factor. So we went and defined the derived factor before using it in the eligibility profile. On the Derived Factors form, we are using "Date of Hire" a

  • Failing while initializing static data

    hie all! i'm making a jar file using build.xml configuration. <target name="makejar"> <jar destfile="${lib.dir}/${jar.name}" basedir="${base}/bin/"> <manifest> <attribute name="Main-Class" value="${jar.main-class}"/> <attribute name="Class-Path" valu