Use of SM20

Similar Messages

• Function module to track User timing on a particular transaction

  hello,
  Could anyone help me with the Function module or table which stores the timings of when "user accesses particular transaction"
  My requirement is to create a User Activity Report displaying the user using the transaction with the timing
  i have check fm " SAPWL_WORKLOAD_GET_STATISTIC"
  user id / transaction / server / date / time
  Thanks
  Renu Gusain

  You can see transaction usage log for a particular user through transaction ST03 / ST03N
  ST03 -> Click on "This Application server" button -> Click on "Single stat. records" button -> feed the user name field, start and end dates for analysis and press enter
  If your SAP system has audit log activated you can use a more convenient way by using transaction SM20
  See, how the logic of these transactions work as they log the user name along with transaction access times

• User id getting locked everyday

  Dear All,
  User Id getting locked everyday having profile SAP_ALL and SAP_NEW.I m not getting any clue why its getting locked everyday.
  I tried to check RFC and  background job job also but i m not able to find.everyday i have to unlock it.
  Kindly suggest me how to check.
  Regards
  Adil

  Hi,
  Such issue mostly happens due to wrong attempt of login in SAP system client with that SAP User id either through RFC login, external- program, script,etc...
  If you have checked all the RFCs login settings and not able to found the login attempt, then  Enable [SAP Security audit log|http://help.sap.com/saphelp_nw04s/helpdata/en/c7/69bcb7f36611d3a6510000e835363f/content.htm] using SM19, SM20 and analyze the logs for that SAP User id only.
  Regards,
  Bhavik G. Shroff

• CCMS and Security Audit log

  I have seen a huge number of companies who do not use SM19/SM20 or RZ20. It is not configured. example I worked for 3 clients(user base 14000, 16000,1000) and none of them have this configuration.
  Do you know why is it so if it is not configured at your place.
  Thanks
  Edited by: Pankaj Jain on Sep 26, 2009 7:02 PM

  Performance impact is dependent on the Hardware sizing and the daily monitoring activities together with the back up schedule by the BASIS team.
  My experience is: I have seen maximum of clients using this for logging activities of ALL users in the system. In other few cases, it is restricted to Super and Special users.
  Please go through the document: [Security Audit Log|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/2088d9d4-e011-2a10-bba9-90548dbc2d6a&overridelayout=true] (it's a bit Old)
  Try searching Community with SM20 / SM19 / Security Audit Log search strings.
  Regards,
  Dipanjan

• Failed user login attempts

  hi can u say  in which failed user login attempts will be stored.

  Hi,
  Configure the SAP audit system with TC SM19.
  Then use TC SM20 to see failed logins (and much more)
  cheers
    Jan

• Tracking a logon id

  The requirement is to track an id BATCHBW in BW system. Whenever a user logins with that id , an email has to be sent to two particular persons. I know that there is an user exit 'SUSR001' . It has been implemented in R/3. I have to do the same thing in BW . I appreciate if anyone can help me how to proceed with this.

  i have written the code in the include program . I am not understanding how the user exit will be triggered . The code is something like this.
  Tables:  zhmssecurity.
  data: begin of email_data.
          include structure sodocchgi1.
  data: end of email_data.
  data: begin of email_send occurs 10.
          include structure somlreci1.
  data: end of email_send.
  data: begin of data_tab occurs 2,
        line(255),
  end of data_tab.
  data: begin of object_para occurs 2.
          include structure soparai1.
  data: end of object_para.
  data: begin of object_parb occurs 2.
          include structure soparbi1.
  data: end of object_parb.
  DATA: OPCODE TYPE X VALUE 2.
  DATA: BEGIN OF USR_TABL OCCURS 10.
          INCLUDE STRUCTURE UINFO.
  DATA: END OF USR_TABL.
  select single * from zhmssecurity
  where data_key = 'W'
     and data_id  = 'WATCHFOR'
     and data     = sy-uname.
  if sy-subrc <> 0.
    exit.
  endif.
  select * from zhmssecurity
  where data_key = 'W'
     and data_id  = 'EMAIL'.
    email_send-receiver = zhmssecurity-data.
    email_send-rec_type = 'U'.
    email_send-express  = 'X'.
    append email_send.
  endselect.
  email_data-obj_name = 'MESSAGE'.
  concatenate sy-uname 'Logged on to' sy-sysid
             'on' sy-datum 'at' sy-uzeit
  into email_data-obj_descr separated by space.
  email_data-obj_langu = 'E'.
  email_data-sensitivty = 'P'.
  email_data-obj_prio =  '1'.
  email_data-no_change = 'X'.
  email_data-priority = '1'.
  clear data_tab.    refresh data_tab.
  clear object_para. refresh object_para.
  concatenate
             sy-uname 'Logged on to' sy-sysid
             'client' sy-mandt
    into data_tab-line
    separated by space.  append data_tab.
  concatenate
             'on' sy-datum 'at' sy-uzeit
             'from terminal' usr_tabl-term
    into data_tab-line
    separated by space.  append data_tab.
  Move space to data_tab-line.  append data_tab.
  move ' Use transaction SM20 to monitor this users activity'
    to data_tab-line.  append data_tab.
  CALL FUNCTION 'SO_NEW_DOCUMENT_SEND_API1'
    EXPORTING
      document_data                    = email_data
      DOCUMENT_TYPE                    = 'RAW'
      PUT_IN_OUTBOX                    = ' '
    tables
      OBJECT_CONTENT                   = data_tab
       receivers                        = email_send.
  IF sy-subrc EQ 0.
      SUBMIT rsconn01 WITH mode = 'INT' AND RETURN.
  I have given the values in the zhmssecurity table . I have given my id for watch for and email as my email . I tested the same thing by copying in some other program. Its working fine but how this user exit gets triggered

• Webview ID getting locked

  Hi,
  Except Domain ID and password , all other webview ID and password are frequently getting locked ( showing invalid ID and password). Please let me know whether someone have faced similar issue.
  Thanks
  Krishna

  Hi,
  Such issue mostly happens due to wrong attempt of login in SAP system client with that SAP User id either through RFC login, external- program, script,etc...
  If you have checked all the RFCs login settings and not able to found the login attempt, then  Enable [SAP Security audit log|http://help.sap.com/saphelp_nw04s/helpdata/en/c7/69bcb7f36611d3a6510000e835363f/content.htm] using SM19, SM20 and analyze the logs for that SAP User id only.
  Regards,
  Bhavik G. Shroff

• How to track activity for users logged in using solman to target systems?

  If a person accesses a monitored system through solman, how can we track the user activity (including transactions viewed and changes made etc)?
  Thanks
  Prasad

  Hi Prasad,
  Please refer the following similar threads to get more detailed Information:
  STAD parameter
  STAD Historical Data - How Long?
  STAD -  data for last  30 days
  Also check this useful Blog about STAD(/people/andreas.vogel/blog/2007/01/12/statistical-records-part-1-inside-stad) and SAP Note 139418 - Logging user actions.
  You can also configure and activate the Security Audit Log (SM19) and then analyze its entries through SM20. You can configure exactly what needs to be tracked...
  Useful transactions:
  SM19 (config)
  SM20 (analyze) (SM20N , depending on release)
  SM18 (delete old logs)
  Other SAP Note which is helpful in this case 539404 - FAQ: Answers to questions about the Security Audit Log
  Hope this helps.
  Regards,
  Shyam.

• Need a Tool to Display When a Program Was Last Used

  Is there an SAP tool that tells when a program was last ran? I need to terminate some custom programs but unsure of which programs are not being used. Is there anything in SAP that I can use to tell me when a program was last used i.e., 6 months ago, 1 year or 2 years ago or perhaps more?
  Thanks in advance and Happy New Year!

  Hi Beth,
  Information like this is as good as the logging configured in your system. If your basis team is good at keeping logs for a long time, then you should be able to get this information using SM20 transaction.
  If they didn't keep the logs(since they are voluminous, they periodically delete them), then you have no trace of them). Work with your basis team, they may know more transactions.
  Another option is to pick the programs that you think are obsolete, remove access to execute them from all the users and if no one comes back, you may delete it. But this means you may even have to wait for one year, as there may reports that are run only on year-end.
  There is no straight forward way of knowing this information unless you have the basis help.
  Please let me know if it helped.
  Regards,
  Srinivas

• SM20/SM20N audit report analysis - in background

  Hi,
  I would like to create an audit log / audit report analysis in background.
  I've found an article bu interested to understand if it is the only way to do that ?
  article: http://sap.ittoolbox.com/groups/technical-functional/sap-security/security-audit-reports-using-sm20-1019745?cv=expanded
  Any idea ?
  Dimitry Haritonov

  i have not tried it but yes thats what mentioned in the Note 838847
  Instructions for Releases 4.6C and 6.20
  Creating the RSAU_SELECT_EVENTS program:
  Title: "Selection of audit events from the audit files (background variant)"
  Type: Executable program
  Application: Basis
  Package: SECU
  Logical database:
  See the correction instructions for the source code.
  if your question is answered , mark it answered and award the points ..
  Regards
  dEE

• SM20 Reports

  Geetings,
  We run the SM20 audit log reports each month for DDIC activity when its associated with a terminal name. I understand best practice says to lock DDIC but because it is used for so many automated jobs the Basis group has not had the time to evaluate and simply pulling the plug could have downstream implications that they are affraid of. But I digress.
  We run this report for all audit classes/events and all security levels. In the output I get hundreds if not thousands of audit log messages related to the RFC call audit class within the "Severe and Critical" security level:
  RFC call Successful RFC Call BDL_DDIF_TABL_GET (Function Group = BDL5)
  RFC call Successful RFC Call SALC_UTIL_MT_GET_TREE_LOCAL (Function Group = SALC)
  RFC call Successful RFC Call /SDF/EWA_GET_PARAMETER (Function Group = /SDF/EWA)
  RFC Call RFC_PING (Function Group = SRFC)
  What are the security implications of these types of events? What is so Severe and Critical about these actions? I am trying to filter out as many meaningless or low security events to make the output somewhat reasonable otherwise I have thousands of records to sift through. How accurate is SAP in the assessment of these security levels? Are they being too conservative?
  I appreciate whatever guidance you can offer related to this.
  Thanks
  Mark

  Julius,
  I bow in deference to your knowledge of this area. It’s extremely helpful to
  get a thorough understanding on the nuances surrounding DDIC and SM20.
  Some background on me. I am an IT auditor and I inherited this process.
  Apparently way before I started here (4 years ago) this discussion must have come up
  as a result of SOX testing and the Basis group must have successfully defended
  against locking DDIC for the very same reasons you note. The IT Audit Director at the
  time understood the situation but PWC wanted some assurances that this activity
  was at least being reviewed and it became one of the ITGC’s to run the SM20 log
  report each month in each instance and have the Basis group review and sign off on all activity
  related to DDIC. If the SM20 output showed that DDIC signed in with reference to
  a terminal name or ip address they needed to explain why this was necessary.
  They were always able to explain the reasons behind this and the occurrences
  seemed minimal considering all the events logged related to that ID. Up until a
  few months ago I ran for all audit classes excluding user master changes with
  events of Severe and Critical.
  Fast forward to 2015 and PWC runs an independent SM20 report from our system
  and ran it for all audit classes and events = All. As you can imagine even for
  one month worth of activity the number of records was astronomical compared to
  running it the way I did. That was when I started taking a closer look at the
  log message text and the security levels associated. It didn’t make sense which
  brought me here.
  I will take you up on your offer to post a blog or wiki on the minimum
  authorizations required by user DDIC so that I can confirm we are truly looking
  at high risk events and filter out some of the noise to make this report
  readable and more accurate. It appears that we probably won’t be able to lock
  the ID and for valid reasons.
  PS
  Is there an OSS note or other governing document that refutes the security
  best practice of locking DDIC in production? Every SAP system security related manual
  I have read recommends locking this ID in production right after go live as if it’s one of those check the box and be done with it. It really is misleading to do this as you suggest as it could have
  greater implications that impact the business. Can I just tell the external auditors that you said it was ok?
  Thank you very much for your time.
  Regards,
  Mark

• SM20 logs for multiple users in one go.

  I have to extract log for more than 100 users by using SM20 log.
  I tried with wild card characters, it is not giving accurate user list.
  Is there a way to paste 100 users at one time in SM20 tcode to pull the all users audit log instead of getting each user.

  Good...
  It shows the all users log report for current application server,but not all apps. server.
  I have 7 application server but it shows the currenty apps server logson details.
  Is it possible to get all application server logs details for all users in one go.

• SM20 report shows empty result

  Hi All,
  Issue in Audit sm20:
  one of the account with special privileges which was set open for doing changes directly in production for a limited time.
  When i tried to run an SM20 report to list the actions I did but I get an empty result.Where as able to get other information except that particular user.
  Findings:
  1.Able to identify transaction used in st03 for that user.
  2, logs were returned on that particular date.
  3.cheked in sm19 all activities were active.
  4.all related parameters were set accordingly.
  PLease help me out in finding out the result and to solve the issue

  > When i tried to run an SM20 report to list the actions I did but I get an empty result.Where as able to get other information except that particular user.
  >
  --> I believe you were able to view other users' activities during the same time, but specifically not for one user ?
  In case there are many instances in your SAP system, could you check for all instances individually from SM20 ?
  Also Security Audit logs cease to write when the audit log max size is achieved / quota for the day is done. Even this is instance specific and hence you need to verify this for the instance to which user logged on.
  There are also occurances of Audit logs not being written owing to product error. Could you go through the following SAP Notes , in case the SAP release mentioned in the notes match with that of yours ?
  SAP Note 763159 - Security Audit Log: some transaction starts not audited
  SAP Note 710138 - Security Audit Log: Transactions are not recorded (3)
  SAP Note 317883 - SecAudit: Transactions are not recorded
  SAP Note 483953 - Security Audit Log: AU9 and AUA events are not recorded
  SAP Note 840798 - SecAudit: Transaction code sometimes missing
  cheers !
  PRADi

• SM20 : IP/DNS address Terminal column

  Hi,
       English not my main language sorry in advance.
       I've set a Security Audit Log (SM19/SM20 and mofided my instance profile -> rsau/enable, rsau/local/file, rsau/max_diskspace/local, rsau/selection_slots)
       All working well but when i check logs (sm20) the 'Terminal' of the user logged in/off with the SAPGUI from a windows workstation is the NETBIOS name (%COMPUTERNAME%) of his workstation instead of the IP/DNS address (on linux it's the local hostname - on redhat /etc/sysconfig/network) .Of course i don't have this problem when using web client.
       So here my question : Is it possible on SAP to log IP/DNS address instead of NETBIOS name/hostname of a client using SAPGUI when using audit strategy ? If yes, what do i have to modify and where (client or server side)
       We use : SAPGUI 7.10 (Windows version) and ECC6 server kernel 7.0
       Thx in advance for the help

  Thx for the tips.
  SM04 and/or Table USR41 works great but only if user is connected. I don't have history.
  I must be able to log login/ip address (and it seems not possible with audit log)
  The only way i've found googling is to activate user exit in function EXIT_SAPLSUSF_001(module TH_USER_INFO and/or TERMINAL_ID_GET) to populate specific table
  As i'm not an expert on SAP, i've understood it's something i have to code on ABAP but can't really know how to and where to do it.
  If someone have already made it or can help making it ...
  Best regards

• Auditing a transaction used by user

  hello, i have a question concerned to how i can know what transactions were used or executed by a user in a date, or for example the previous month, this is in a was or a R/3 environment.
  thanks Robinson

  Check trxn ST03 or ST03N (depending on release).  This is standard SAP functionality.  It is the performance monitor but can tell you what trxns were executed for a time period and by whom.  Of course it does not state what was done with the trxn simply what trxns and programs were run.
  If additional information regarding trxns and users is required.  Trxns SM19 and SM20 can be used of course if it is actived.
  See OSS note # 139418 - Logging user actions, as a start.  The reference to trxn STAT is similiar to ST03 however STAT only contains the current records.  This has to do with prgm RSCOLL00 running periodically and taking the records in STAT and applying them to the database where they show up in ST03, which is off the subject a bit.