User Audit and Security log

Hello Experts,
We are using an ECC 6.0 systems. My question is apart form SM19 is there any other t_code to trace the user action that is a more detail trace on user action.
As you know SM19 settings will offer us the basic action of user that is what t_code or reports are being used by user. But I want to know what are they doing there that is they are trying to access some infortype in t_code like PA30 or they made in table definition change in SE16 like that.
Please let me know about this.
Thanks in advance.
Regards,
Partha

Hi Partha,
You can use the following TCodes also.
1. STAD
2. STAT
STAD and STAT can also be navigated from ST03N. If you want to log a particular TCode (for e.g. PA30), then please follow the below steps:
Go to ST03N -> Expert user mode -> Collector & Performance DB -> Workload collector -> Parameters.
Enter the transaction codes for the transactions to be analyzed in detail in the Create transaction detail profiles for group box. Save your changes. (please read the message carefully in this screen).
3. STATTRACE
4. SM21
If you are in SM21, then please select all the options in "Settings" radio button. After getting the display of Log screen, you can further analyze a message in more details by double clicking it.
Still SM20 is really a good choice to view user actions.
Please re-check (in SM19) that all the Audit Classes are selected for the current filter you are analyzing. Before reading the audit log make sure to include all Instances (telling this, just to be sure).
Mark all in "Events" and "Statistic" tabs. Now display the data selecting the particular user and tcode.
Hope this discussion may help you to some extent. Please let me know for any more query.
Regards,
Dipanjan

Similar Messages

System and security logs

1. Login, Clear Logs and log off events in Windows 2003 when does this happen and what are the IDs for
these events ? what is the system login?
2. In an event when administrator account and password are shared by more than one person, is it is possible
to prove who cleared the security logs?
3. If there is no keyboard monitoring is there a way to prove from which PC the delete came from?
4. Can a schedule a task be run in advance to delete the security logs at a later point of time in Window
2003 using utilities like WMI, powershell etc?
5. In Windows 2003 servers, Microsoft allows 2 remote connections and 1 console session also called session
0. What is session 0 ans when is this launched?
6. Can security and the system logs on the server be deleted remotely from any other server in
windows 2003 if the account has admin rights? Please comment if firewall setting needs to be enabled in window 2003.
dhomya

1.) If you enable auditing here are the events
https://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
2.) Probably not unless you know who was at what console at what time.
3/4.)
http://blogs.msdn.com/b/ericfitz/archive/2007/08/10/help-someone-has-deleted-events-from-my-windows-event-log.aspx
5.) http://support.microsoft.com/kb/278845
6.) See 3/4
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Network user permissions and security

We seem to have a permissions issue using the DIR
command.
We have a process that runs in SQL Server which executes a DIR command on the local network using a UNC path to check that the files generated by another system are all there, as part of an audit report.
Until this morning all was fine and dandy, we had no issues.
Last night the IT guys tightened up some permissions on the target directories for security.
Now a dir \\server\shared\dir_name fails with an
Access is denied error.
We can run this command against the local drive or alternate network UNC paths with
no problems.
We have the same issue whether we run from within SQL Server using xp_cmdShell or from the Command Prompt (after logging in to the server with the SQL Server account).
When logged into the server with the account in question, it is possible to browse the network, so Explorer permissions are ok
So it is not related to the SQL Server, nor is it related to the SQL Server Agent account.
It is specific to the rights of one network directory.
Thing is the sql server agent account is part of a domain group that DOES have Dir permissions on the target network directory.
We also can no longer use Dir against that network share from our own accounts, even though we are in a domain group that has Full Permissions on the directory!
So what is going on here - is it possible that somehow the Dir command has been blocked on that one directory share for just the SQL Server agent user?

I was a bit puzzled ab about the proper location to ask this question, but I think this forum would be the best location to ask:
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/home?forum=sqlkjmanageability
Kind regards,
Margriet Bruggeman
Lois & Clark IT Services
web site: http://www.loisandclark.eu
blog: http://www.sharepointdragons.com

User audit enabled - Only log off

Hai all,
10.2.0.5 on solaris 10
I enabled audit for a user as below
audit username by access;
When I query dba_audi_trail, I can see only actions (LOG_OFF) stored in the action_name column of dba_audit_trail.
Any idea

Are you talking about " audit session by username by access" ?? the statement you mentioned doesnt exist, and if you mean what i mentioned, try logging in with the username after you logout , you should see logon value in action_name column and action value should be 100, assuming its was also in 10g because i work on 11g. Also you should see logoff_time when you logout but null value when you login.
Regards
Karan

Creating a new user account and curious log in behavior...

First off I'd just like to apologize if that is not the correct place to be posting this, but after looking around I don't see a perfect fit for this topic anywhere, so I figured here should be okay. Also I want to apologize if this turns out to be a rather lengthy post, I just want to ensure that I supply all info...
Okay, so about a month ago I recognized that my current user account is slowly but surely taking longer and longer to "boot up" after I put in my password and tell it to log in. What usually happens is that I click log in, the background image and taskbar almost immediately pop up but nothing else (finder icons, dock, and the multiple icons in the taskbar which include the airport signal, user name, bluetooth status, battery strength, volume, and my iChat and Adium status) the only things to immediately "activate" in the taskbar are the clock and spotlight.
As of late when I log in something especially strange is happening in that after the 5 or so minutes it takes the dock, rest of taskbar, and finder icons to appear my PB will play the default Apple sound of me emptying trash, rather there is anything actually in the trash or not. It dosen't delete the objects in the trash (if any, as I usually keep it empty), just simply plays the sound. I'm not sure if it playing this sound ties in any with the lagging log in times, I just wanted to mention it as the log in times have slowed down considerably since this sound started.
Bottom line given that there is no way that I know of fixing this problem, I am planning to simply create a new user account. Actually I have already created the new account (by the way, it logs in literally instantaneously, and does not make the strange trash being emptied sound) but was looking for info on how to get all of my files from one account to the other. Unfortunately for me everytime that I install a program and the dialog box pops up asking if you want to install it on all user accounts or just the current one I always click "just the current one" (please don't ask why, as there is seriously no reasoning to this at all...), so is there a way to transfer my current programs from one user account to the other without reinstalling??? It's actually not that many programs I'm talking about here (Shapeshifter, Xounds, XFactor, AIM, Adium, Cocktail, Toast, Popcorn, iPod Rip, and Office), I just figured that if I can simply transfer rather than reinstalling them, it would be a lot easier.
However my 2 primary concerns are my iTunes and iPhoto libraries (3330 songs and 4182 pcitures respectively), considering that I've spent literally hours making countless playlist in iTunes, and countless folders, slideshows, and books in iPhoto, if I was to lose all this it would truly be a mess.
I know I'm probably making a big deal out of this and it's an extremely easy and basic process, please just pardon this still pretty new Mac user and help me out:) Also if anybody else has experienced the log in slow down or strange trash being emptied sound I would be glad to hear your experiences.
Thanks in advance!!!
Mervyn

Hi Mervin,
Bottom line given that there is no way that I know of fixing this problem, I am planning to simply create a new user account.
You can do that (but I wouldn't) this KB article outlines how:
http://docs.info.apple.com/article.html?artnum=155373
Basically you will copy the folders within your old home to replace the folders in the new home. Here is a list of specific folders if you decide to do that but a better solution would be to sort your existing user.
Here where your important data is stored ("~" stands for "Home"):
Your Data in Documents
~/Library/Application Support/AddressBook (copy the whole folder)
~/Library/Application Support/iCal(copy the whole folder)
Also in ~ / Library/ Application Support (copy whatever else you need)
~ /Library/Keychains (copy the whole folder)
~/Library/Mail (copy the whole folder)
~/Library/Preferences/com.apple.mail.plist * This is a very important file which contains all email account settings and general mail preferences.
~ / Library/iTunes (copy the whole folder)
~ / Library/Safari (copy the whole folder)
~ / Library/iMovie (copy the whole folder)
~/ Pictures/iPhoto Library
If you want cookies:
~/Library/Cookies/Cookies.plist
~/Library/Application Support/WebFoundation/HTTPCookies.plist
so is there a way to transfer my current programs from one user account to the other without reinstalling???
As for applications, they should all be in your Application folder(there is only one) and available to ALL users, unless you have put "limitations" or "parental controls" on the account.
Now to the best course of action:
To find the issue affecting your existing user account, follow these steps:
Log back into your normal user account:
1. Navigate to ~(yourhome/library/fonts - drag this folder to the desktop.
      Restart and test your applications.
      If they work start adding the fonts back few at a time.
( Likely suspects are Time RO & Helvetica Fractions, also if you do not use Classic you can trash the classic fonts.)
2. Check Preferences Thoroughly;
      Navigate to ~(yourhome/library/preferences drag this folder to the desktop.
      Restart and test your applications.
      If this works, save the old preferences folder somewhere else or on disk, name it "old prefs" .
** Note: A very important file is the "com.apple.Mail.plist" preference file located in the Preferences folder which contains all email account settings and general mail preferences (hold this one and replace if your problem is not with Mail).
You'll have to go through some of your System Preferences and apps to set the preferences back to how you like them. (Or if you have the time and inclination, "cherry pick" through until you find the problem one or two.)
3. Check Permissions Inside Home Folder
   Navigate to yourhome/library.
   Get Info (Command - i) on folders for apps you are having problems with.
   Open the "Ownership & permissions" disclosure triangle.
   Make sure you are the owner, with "read and write" access.
Click on "apply to all"
   If this is correct, open the "Applications Support" folder and do the same      procedure (Command+I) for the folders with the names of the applications you are      having trouble with.
Note:
The reason to check this is because repairing permissions with Disk Utility doesn't touch permissions inside your home folder.
If the isssue persists navigate to ~/library/caches and drag this folder to the trash, then log out and back or restart. There is no need to replace this folder.
Good luck, let us know.

User Authorizations and security

Hi,
     I need to know that , is it required to give <b>SAP_ALL</b> to <b>functional consultants and ABAP developers user id</b> created , or there are some different set of roles to be created. where do I find these security best practices , so that I can implement them.
Regards
Puneet

Sathi,
Yes, you can in fact do this...it is a fairly involved process but once done it works very well.
Remove ALL authorization objects pertaining to BUKRS (in this particular example you only want to limit users to a company code) from your role. We'll call this first role ZT_role. You will have your transaction codes in here.
You will have a number of other authorization objects that you could do this same thing with. We are currently not only doing this with company code, but cost center/profit center, plant and several more. The process is the same. If you don't want to allow certain users access to a company code, plant...etc. pull the auth obj out of the transaction role.
Next, create a brand new role WITHOUT T-CODES in it and name it something like ZD_Locking_role (whatever you want to call it...but in a sense you are locking users down with this role).
In this 2nd role you will need to manually enter each Authorization Object that uses BUKRS from your 1st role and then add in the company code(s) you want to allow people to see (again...manually add those auth objects needed as mentioned above for cost center/plant etc.).
Now, you shoudl be able to assign the 1st AND 2nd role to a person. Now, they will will only be able to see the company codes you placed in the locking role.
If you only assign the 1st role, they will not be able to view/change by company codes. By adding the second role, the SAP system checks the auth object against their entire profile in their master record and should allow them work fine.
Good luck!
For those that care...
We not only do the above, we took it many steps further. We created derived roles broke those down to display only and create/change roles. In other words, the locking role would read something like Z_DISPLAY_XXX or Z_CRT_CHG_XXX (where XXX is the company).
User roles assigned to associate Joe Smith - As an AR Manager this person needs access to ALL AR function for creation/display and change but only allowed to display all AP documents and not change all within company code XXX:
    Transaction roles:
ZT_AP_DISPLAY role (AP needs to run XK03 or XK04...any and all t-codes are locked down to display only! [03 or 08...etc.])
ZT_AR_MANAGER role (AR Manager needs to display (only) AP stuff but not be able to change. They also need to be able to perform all other functions (create/change) as an AR Manager)
    Locking Roles:
ZD_DIS_BUK_XXX (XXX is company code) [display only]
ZD_CRT_CHG_BUK_XXX (XXX is company code) [create change]
With a thoroughly thought out system you can have a very sight system while being able to allow user the versatility to see only certain information.
Good luck!

PS script to disable users / Audit and remove Groups / Hide from GAL have bits but need to put it together

Hi All
I am trying to get a script together to run against a specific OU (our disabled Users OU) to make the process of leavers more automated.
I am trying to achieve the 4 main outcomes below
1. Disable User account
2. Hide from GAL
3. Export users group membership to a file based on SamAccountName
4. Remove users from all groups except domain users
I have some parts of this working from other peoples scripts i have found on the web but need to tie it all together which is proving to be beyond my basic scripting ability
Below is what i have so far, this does disable users / hide from GAL and remove groups however as stated i would really like it to export the group membership to a file before removing them so i have a record should a mistake be made.
$users= get-aduser -Filter {(Enabled -eq "True")} -SearchBase "ou=Disabled Accounts,dc=test2k8,dc=local"
Function RemoveMemberships
param([string]$SAMAccountName)
$user = Get-ADUser $SAMAccountName -properties memberof
$userGroups = $user.memberof
$userGroups | %{get-adgroup $_ | Remove-ADGroupMember -confirm:$false -member $SAMAccountName}
$userGroups = $null
$users | %{RemoveMemberships $_.SAMAccountName}
ForEach ($user in $users)
set-aduser -identity $user.sAMAccountName -Enabled $false -replace @{msExchHideFromAddressLists=$true}
exit
If there is anyone here that can help i would be very grateful
Many Thanks
Nick

Try this:
$Users = get-aduser -Filter {(Enabled -eq "True")} -SearchBase "ou=DisabledAccounts,dc=test2k8,dc=local"
Function Remove-GroupMembership
[CmdletBinding()]
param
[parameter(ValueFromPipeline=$true)]
$Identity
process
if ($Identity -is [string] -or !$Identity.memberof)
$Identity = Get-ADUser $Identity -properties memberof
Write-Verbose -message $Identity.samAccountname
foreach ($Group in $Identity.memberof)
Write-Verbose $Group
Remove-ADGroupMember $Group -confirm:$false -member $Identity
$Users | Remove-GroupMembership -verbose 4> c:\users\mmcnabb\desktop\groups.txt
forEach ($User in $Users)
set-aduser -identity $user.sAMAccountName -Enabled $false -replace @{msExchHideFromAddressLists=$true}
It uses the verbose stream to redirect the groups out to a text file of your choice. Please note this is untested so please use with caution.

Permissions fix for secure.log and iTunes frameworks

Aperture 1.5
PBG4 showed minor to considerable performance improvements. Once my main library finished running on the Quad, with 6600 traction engine, I started to do some real work.
The following is in Project View on some images with patches/healing and straighten applied.
IT WAS UGLY. SBOD every time I touched anything (yes, all previews completed). 45 secs to open the first image (8Mb RAW from Canon 20d). 5-6 secs. for any touch on Levels or Exposure. IMPOSSIBLE.
Switched off and reduced res. of JPG's in Preferences. No difference.
BTW Apple Devt. Spank time> There is NO way to turn off Preview creation and run as batch later that I can see. Please fix. Agreed they render in background but why not wait until you leave focus on that image .... it's recreating a preview after every adjustment I make. C'mon guys, get real, that should be fixed asap.
Quit Aperture, restarted. Just as bad. Aperture is the only app. running, and Activity Monitor shows 319% CPU with 480Mb RAM just with a Levels change ... sounds high. 6-7 sec. response time for anything I do and 20-40 secs for image rendering, except adjacent images. Quit Aperture.
Decided to run Repair Permissions (RAID = 0 drive). Fixed iTunes frameworks and secure.log. I believe secure.log to be the culprit.
Restarted Aperture and performance improvements obvious. Sliders now work real-time and image rendering a couple of seconds. Reapplied Preferences setting for Previews and no significant performance degradation (though it is interesting watching the task list pause the preview generation when you make further edits.)

It sounds like you should just turn off Maintain Previews for the project you are on (selct prj and change state in top level gear menu in prj pane) - then make your adjustments ( your previews won't be up to date then of course) but the when you are ready to make into previews just select all the images and choose Update Preview manually from the context menu.
LC, Classic, 8500, DP2.5, MBP2.1 Mac OS X (10.4.7) i have a cool mousepad

Issue in User Management and Permissions

Hi,
There is an issue found while working on user management and security. When an asset is uploaded to the DAM, even with create and modify permission it is not able to edit.
While analyzing, it was due to the following reasons.
When given “MODIFY” permission to the root folder, it is not applying to all the asset in that folder and sub-folders.
We have to provide “MODIFY” permission for each asset, in this case it won’t apply for newly added asset.
When given “DELETE” permission to the root folder, “MODIFY” permission is applying automatically to all the asset in that folder and sub-folders.
But “myRole” only should modify the asset but not delete.
Is it CQ functionality or an issue.?
Note: Using CQ5.5 version
Regards,
Fazz

In CQ5.4 "MODIFY" permission at folder level is enough for modifying the assets under that folder. But in CQ5.5 "MODIFY" permission is necessary for every asset for editing.
Regards,
Fazz

"logon time" between USR41 and security audit log

Dear colleagues,
I got a following question from customer for security audit reason.
> 'Logon date' and 'Logon time' values stored in table USR41 are exactly same as
> logon history of Security Audit Log(Tr-cd:SM20)?
Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
at the time when user logged on, the security audit log is recorded .
I tried to check SAP GUI logon program:SAPMSYST several ways, however,
I could not check it because the program is protected even for read access.
I want to know about specification of "logon time" between USR41 and security audit log,
or about how to look into the program:SAPMSYST and debug it.
Thank you.
Best Regards.

Hi,
If you configure Security Audit you can achieve your goals...
1-Audit the employees how access the screens, tables, data...etc
Answer : Option 1 & 3
2-Audit all changes by all users to the data
Answer : Option 1 & 3
3-Keep the data up to one month
Answer: No such settings, but you can define maximum log size.
4-Log retention period can be defined.
Answer: No !.. but you can define maximum log size.
SM19/SM20 Options:
1-Dialog logon
You can check how many users logged in and at what time
2-RFC login/call
Same as above you can check RFC logins
3-Transaction/report start
You can see which report or transaction are executed and at what time
(It will help you to analyise unauthorized data change. Transactions/report can give you an idea, what data has been changed. So you can see who changed the data)
4-User master change
(You can see user master changes log with this option)
5-System/Other events
(System error can be logged using this option)
Hope, it clear the things...
Regards.
Rajesh Narkhede

Audit log of the User access and permissions

Hi All,
We need to have the Audit trail of the user access and permission. Meaning Changes to user access rights will be logged.
This should include:
Current Access Rights (including Date the access was given),
Group membership (including Date the access was given),
Previous Access Rights (including Date the access was given and revoked).
Can we reuse any out of the box functionality of CQ. Does anybody having any pointer to this?
Thanks,
Debasis

Hi PChamoun,
At the outset thanks a lot for the clue. I am very new to CQ. Could you please guide me like, what are the API required to track the rep:policy node changes. Even if workflow will be started after any change to rep:policy but how I will be able to get the information of what change happened.
Thanks,
Debasis

How to monitor user logs,security logs,trace file,and performance monitori

Hi guys,
pls tel me how to monitor user logs,security logs,trace file,and performance monitoring.
thanks
regards
kamal

Hi,
you can have a look in the Netweaver administration :
http://<portal>:<port>/nwa
Go to monitoring, Java system reports, etc..., you will find what you want.
Fabien.

AUDIT action (create, delete, privilege escalation, set and change password from users account and group) users and admins in Solaris 10

Hello.
in Solaris 10 i need auditing process create, delete, privilege escalation, set and change password and etc... from users account and group.
I set settings:
in file syslog.conf:
*.info;mail.none;cron.none;audit.notice            @IP-Remote-syslog-server-SIEM
in file   /etc/security/audit_control:
dir:/var/audit
flags:lo,ad,ex,cc,am,no,fc,fd
minfree:20
naflags:lo
plugin:name=audit_syslog.so;p_flags=lo,ad,ex,cc,am,no
in file   /etc/security/audit_user:
root:lo,ad:no
Now I see in the logs only the fact of a connection via SSH and run processes on behalf of users. Creation. delete users, change passwords for some reason do not is logged.
Many users. For each individual write permissions in the file /etc/security/audit_user not possible, it is likely to forget any new user (or there is a possibility in this file one line to describe the audits for all accounts?)
Where is the mistake?

You are most likely hitting Bug 15779000 user/role/groupadd/mod/del don't audit their use.
And the fix is only available in S11.2.
-- Renaud

Using the Audit Provider to log ejb security events

I would like use the audit provider to log security events for ejbs that use container managed security. Specifically I want to record the name of the ejb being accessed, the method the user is accessing, the time of the event and the user name of the user who is accessing the ejb.So far I have created an ejb that has method-permissions defined in the ejb-xml file. I have a number of users with different levels of permissions and the security is working.I have also installed the example Audit class that is shipped with weblogic.I am getting Audit indo in the log file, but I do not get any ejb info being logged.Is it possible to use the Audit provider that weblogic provides to audit ejb security events? Do I need to do something special to make this work?Please help, I can not find any documentation about what the audit provider logs.

Actually I never tried to login into the provider, but I understand you just need the keys.
Try this code, it works for me (some pieces are missing, but this is the core)
        Provider provider=null;
     provider=new SunPKCS11(providerFile);   // providerFile is a String
     Security.addProvider(provider);
     KeyStore store=KeyStore.getInstance("PKCS11");
        char[] pin=pinAsString.toCharArray();
     store.load(null, pin);
        PrivateKey key=(PrivateKey)store.getKey(alias, null);
        Certificate[] chain=store.getCertificateChain(alias);
        .....Using this approach I managed to read all the information from the provider (aliases, certificates, ...). I'm not sure that's what you needed, but I hope it helped.

Log messages for 'auditing' are different in 'general' and'application log

Hi,
From UI, When I audit a file using a profile which comprises of user-defined 'rules/categories/analyzers', I will get log messages at ''File-name(Application) log window' and 'Messages' log window, which are located at bottom of Jdev UI page. One common message in both the log windows is
" <n1> violations, <n2> exceptions, <n3> documents, <n4> seconds>.
But here the 'n1,n2,...' numbers are dfferent in two windows though the log output is for a same file. In this the 'file-name' log shows the correct
Example:-
In 'file-name' log window ,it shows as:
3 documents, 8 violations, no exceptions
In messages window, it shows as
"Audit starting on EFC.jpr (Default)
Audit completed: no violations, no exceptions, 3 documents, 1 second"
If I use the 'pre-existed'(Jdev's) rules profile, I will get similar output in both log windows.
From this I concluded that there is something missing to register for a new 'rule/category/analyzer'.
Could you suggest me in this case. Do I forgot anything to do in any files of '<rule-implementation.java>', 'audit.properties', <add-in launcher>.java, extension.xml.
Actually, I want to use 'ojaudit' executable from command line to my project files. Here I observed that the output of the 'ojaudit' is similar to the above explained 'Message' log window in JDeveloper UI. But where the 'Message' log window output is not correct for user-defined rules.
Regards
Madhu

Romano,
In the upcoming production release (planned to be released next week), we added caching of authorized roles and permissions in JhsAuthorizationProxy class.
I suggest you wait for this relase, if the problem persists, it is most likely an ADF issue (as is the logging)
Steven Davelaar,
JHeadstart team.

User Audit and Security log

Similar Messages

Maybe you are looking for