background job failed because of authorization

We have a job which runs OK in the foreground, but when defined in the background it failed and the log said it is an authorization problem. Unlike a foreground job, where we can always run SU53 after the execution to get which auth is needed, the log of the background job didn't tell more detail other than "it is an auth problem". Please help us with this. Is there a way to find out what exactly the reason is after a background job failed because of authorization?

thanks.

Answer:
Several solutions:
1) Copy the batch user to a dialogue user, then logon and run the job. You will then have your error online and maybe the SU53 you are looking for.
2) Check the S_PROGRAM value for the batch user. Make sure the batch user has activity BTCSUBMIT for the program auth group. Have you checked the job log in SM37? You can usually drill down to see some type of error. Common errors are missing S_PROGRAM and S_DATASET authorizations.

Answer:
You can also run an authorization trace from ST01 for the "job step executor" (the background user) -- not the batch job scheduler, unless they're run by the same people.

Also -- make sure you run ST01 on the exact application server the batch job is running on to capture the trace.

Answer:
Tried to run the job online, it went through w/o problem.

Tried it in background again, failed with same authorization problem.

Does this make sense for you guys? Should running online and running in background have the same authorization check?

Background Jobs

What is the general practice for running Background jobs? Under the individual's user ID or one generic ID which has wide authorisations?

If it is run under the individual ID, then how is it handled when the person leaves the company?

What are the pros and cons of running it under one generic ID?

Thank you
Jaynick
_________________
SAP Rules!!!

Answer:
We make sure that all background jobs are scheduled against a background user. This way we ensure that there is sufficient access to complete the job without having to give the individual users the same level of access. At the same time we can lock leavers and inactive users without being concerned about jobs falling over.

To do this, you need to make sure that only a limited number of people can schedule batch jobs against the background ID. If not, you risk people obtaining access they should not have.

You can also ensure that the jobs won't have a negative performance impact on the system, as they will be scheduled with the right parameters.

Hope it helps

Answer:
If you currently allow users to create background jobs, checking for jobs scheduled for a particular ID should be a standard part of user decommissioning.

Answer:
Thanks Henrik! Any other input from SAP fans as to what the general practice out in the world is?

Jaynick

Answer:
I have a question about this also. I understood that a Basis admin could schedule background jobs to run under the user ID of a system user, so that the system user (non-dialog) could be granted broad authorizations, and not the dialog user, and also no maintenance is required if the Basis admin leaves the company.

I know that there are a few things that will require that the Basis admin who schedules the background job to run under the auths of the system user ID also has the authorizations in his/her role, or they will not be allowed to schedule it to run under the system ID, even if the system ID has the auths, which is an understandable security measure. But these are only for a few things like OS command and program execution considered critical, and not like broad business applications which the admin would not have in his admin role, and yet there is no problem scheduling jobs under the system ID which does process business application jobs.

I have been told by some that they needed to create a generic dialog user like "JOBSCHEDULER" and use it to schedule jobs. I don't understand why they need to do this. Can anyone tell me why there would be a technical problem if they simply used their own ID to schedule these jobs to run under the authorizations of the system ID set up for this purpose?
_________________
Gary Morris
SAP Security Analyst/Developer
garymorris@sapsecurity.net

Answer:
Hi Gary,

Do you mean that the job admin is a generic account? That makes the connection between the dialog user ID and the name of the background user in which the job step is running even more obscure...

The belief that SOD conflicts between dialog users with S_BTCH_NAM = 'BATCHUSER' and the authorizations of 'BATCHUSER' itself is bad enough!

If you mean the job steps running in the name of the generic account as a dialog user, I have observed some OSS notes on a related topic which you can find with a search on 'call transaction' (I was looking for something else). Some programs may call a transaction screen which is not a parameter transaction and requires dialog interaction - at least that is what I understood the notes to be describing.

If I find an example again, I will post it.

Noddy

Answer:
There are two types of background jobs:
1. Repetitive Production scheduled jobs to support a business process.
2. Ad hoc reporting in background to keep the dialog processes free for "real" work (transaction processing).

The repetitive Production jobs should be formalized with a standard naming convention for the job name and scheduled by the Batch administrator at the appropriate time, generally on a Basis person's ID, not a generic one, as there is no accountability on a generic ID. The batch admin will need sufficient access to create the job, not run the report, if internal authorization is needed to run the report (generally S_BTCH_NAM and S_PROGRAM, plus the S_BTCH_ADM access is sufficient. This allows scheduling the jobs in ANY class to limit their run to specific batch processes controlled by Basis), and the STEPS should be run under an ID set up as a batch ID for the specific module (not a user and not the batch admin person), like BATCH_FIAR, BATCH_HR, BATCH_MM, BATCH_SEC, etc. The batch IDs (setting in SU01) should have broad functional module access, not all access.

Ad hoc reporting SHOULD be encouraged to keep the dialog processes free to enter the data into the system that SAP was purchased for: entering sales orders, getting money, and paying bills, ALL more important than a poorly defined batch job report.

The user should have access to schedule jobs but NOT S_BTCH_ADM; this then forces all the jobs into class C, which allows Basis to manage when and where batch jobs are run. Since the user is running a report in the background that they could run in the foreground, the report SHOULD be part of their role, with the report tied to the role menu and the access in the report granted. The job is then scheduled on the user's ID and run under the user's ID.

Answer:
Thanks John, that is exactly what I have told others, but for some reason I did not understand, they were saying they had some kind of technical problem when using system admin IDs instead of this generic one. I will try and narrow down exactly what it was. They understand that the job will not fail if the admin leaves if it is scheduled under a batch ID, but they still want to use a generic dialog user to schedule all of the jobs under one batch ID.

Will they encounter a technical problem if they schedule too many jobs under the same user? Will there ever be any difference in the performance of the background processing with the same user, such as maybe some kind of wait time when the same system ID is logging in for multiple jobs, whereas if the user IDs were different it would not have waited? Or RFC trace files getting weird error messages because the background user is trying to authenticate when it is not necessary, such as wrong classification of the user ID causing the kernel to handle the login in a way that it would not if the classification of the user type trying to connect was set to CPIC instead of system, etc.

background jobs via background users

I need some opinions about following issue:

We have some jobs which have to be done every day. So, these jobs are planned every morning. The jobs are background jobs and one system user runs all the jobs. Therefore, this system user has SAP_ALL.
A system user can't log on on a normal basis, but I don't feel well with the SAP_ALL.

I have the idea to split this user into several system users, each with a big profile for the module which needs some background jobs (HR user for HR background jobs, FI user for FI background jobs, ...).

Is this realistic or is there another solution? Maybe our situation at this moment isn't as bad as I think?
Can someone help me?

Thanks in advance!
Bart

Answer:
It's perfectly feasible to split them by function or module.

For non-sensitive stuff I generally have a user e.g. FIBATCH with auths to cover what's needed. It takes a bit more work to set up but helps keep things arranged in an orderly manner.

Answer:
I’ve been through audits in the past where they have been satisfied with the background user having SAP_ALL as long as you have tightly controlled who can actually schedule jobs etc against that ID.

Answer:
It's all about risk. System users can also be used as communications users and there are some tricks that could allow someone to abuse a system user in an RFC call. (They involve a kind of password hack.) If you restrict the authority of the system user you can diminish the opportunity for abuse.

You also have to be very restrictive about authority for S_BTCH_NAM.
_________________
bwSecurity

Answer:
When I perform audits I prefer not to see the ID with SAP_ALL - as there are plenty of ways it can be misused if the required restrictions are not in place.

If you do want to use one user, at least use a chopped down version of SAP_ALL with some of the more sensitive auths removed or very tightly controlled to grant what specifically is used.

Background Processing vs Batch Processing

Can someone tell me what the difference between background processing and batch processing is? Also, can access to this function be limited?

I have a requirement where they want everyone to have access to batch processing and just wanted to know how I should be handling this request.

Please help

Answer:
You have to get clarification from the requester. Most often batch and background mean the same. There is an SAP usage which means Batch Data Communication (BDC) that is sometimes referred to as batch but most often referred to as BDC. Batch and background are controlled with S_BTCH_JOB and BDC is S_BDC_MONI. You need clarification from the requester.

Answer:
And if the user also has S_BTCH_ADM = Y and S_BTCH_NAM = DDIC (or *), then they can schedule the jobs, release, delete etc. (as per the S_BTCH_JOB actions permitted), but... in the name of and with the authorizations of the other user names.

You can check with SUIM reports who can use your user account (for example) without having to know your password.

The myth that one cannot logon with a batch user is therefore true, because you don't need to logon with it...

Cheers,
Bob
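An added audit helper (not code from any of the posts above, and not SAP code) that answers the SUIM-style question in the reply above: given each user's S_BTCH_JOB, S_BTCH_ADM and S_BTCH_NAM values, which users can release a job that runs with another user's authorizations. The users and their values are constructed, and the matching rule is a deliberate simplification of SAP's field-value semantics.

```python
"""Which users can release background jobs in the name of a given batch user?

Constructed data: the users and their authorization values below are made up
for this example. The matching rule is a simplified model of SAP field values:
'*' alone matches any value, a trailing '*' matches a prefix, otherwise exact.
"""
from __future__ import annotations

# One dict per authorization instance, keyed by the field names of the standard
# objects S_BTCH_JOB (JOBACTION, JOBGROUP), S_BTCH_ADM (BTCADMIN) and
# S_BTCH_NAM (BTCUNAME).
USERS = {
    "BASISADM": [
        {"object": "S_BTCH_JOB", "JOBACTION": ["RELE", "DELE", "LIST"], "JOBGROUP": ["*"]},
        {"object": "S_BTCH_ADM", "BTCADMIN": ["Y"]},
        {"object": "S_BTCH_NAM", "BTCUNAME": ["BATCH_*"]},   # any module batch ID
    ],
    "FICLERK": [
        {"object": "S_BTCH_JOB", "JOBACTION": ["RELE"], "JOBGROUP": ["*"]},
        {"object": "S_BTCH_NAM", "BTCUNAME": ["BATCH_FIAR"]},  # one named batch ID
    ],
    "DEVUSER": [
        {"object": "S_BTCH_JOB", "JOBACTION": ["RELE"], "JOBGROUP": ["*"]},
        {"object": "S_BTCH_NAM", "BTCUNAME": ["*"]},           # can name anyone, DDIC included
    ],
    "AUDITOR": [
        {"object": "S_BTCH_JOB", "JOBACTION": ["LIST"], "JOBGROUP": ["*"]},
        {"object": "S_BTCH_NAM", "BTCUNAME": ["*"]},           # may name anyone, but cannot release
    ],
    "REPORTER": [
        {"object": "S_BTCH_JOB", "JOBACTION": ["RELE"], "JOBGROUP": ["*"]},  # own jobs only
    ],
}


def value_matches(auth_value: str, actual: str) -> bool:
    """Simplified SAP field-value matching (see module docstring)."""
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return actual.startswith(auth_value[:-1])
    return auth_value == actual


def has_authorization(user: str, obj: str, field: str, actual: str) -> bool:
    """True if any authorization of `user` for `obj` has a `field` value matching `actual`."""
    for auth in USERS.get(user, []):
        if auth["object"] != obj:
            continue
        if any(value_matches(v, actual) for v in auth.get(field, [])):
            return True
    return False


def can_release_as(user: str, batch_user: str) -> bool:
    """A job step runs with `batch_user`'s authorizations if the scheduler may
    release jobs (S_BTCH_JOB JOBACTION=RELE) and may name that user (S_BTCH_NAM).
    Scheduling under one's own ID needs no S_BTCH_NAM."""
    if not has_authorization(user, "S_BTCH_JOB", "JOBACTION", "RELE"):
        return False
    if user == batch_user:
        return True
    return has_authorization(user, "S_BTCH_NAM", "BTCUNAME", batch_user)


def who_can_release_as(batch_user: str) -> list[str]:
    """All other users able to run jobs in the name of `batch_user`, sorted."""
    return sorted(u for u in USERS if u != batch_user and can_release_as(u, batch_user))


def batch_admins() -> list[str]:
    """Users with S_BTCH_ADM = Y (the administrators who manage jobs of any class)."""
    return sorted(u for u in USERS if has_authorization(u, "S_BTCH_ADM", "BTCADMIN", "Y"))


def exposure_report(batch_users: list[str]) -> dict[str, list[str]]:
    """Map each privileged batch user to the users that can act as it."""
    return {bu: who_can_release_as(bu) for bu in batch_users}


if __name__ == "__main__":
    for bu, users in exposure_report(["BATCH_FIAR", "BATCH_HR", "DDIC"]).items():
        print(f"{bu:<12} jobs can be released in its name by: {', '.join(users) or '(nobody)'}")
    print("Batch administrators:", ", ".join(batch_admins()))
```

Any name in the report for DDIC or a SAP_ALL batch user is an SOD finding to review, independent of whether the dialog user holds those authorizations directly.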

Answer:
There is no myth about "logging on to a batch ID": it does log on to run the batch job, it just cannot be used in DIALOG mode. S_BTCH_NAM allows you to run a batch job using that user's access, be it DDIC (which should not have SAP_ALL) or any other ID, BATCH or DIALOG.

Answer:
It does logon, but unlike Communication users, the password is not critical for this login so you can change it. Like Communication users, one does not have to know what the password is... just access to see that someone once did and left it behind in the system. For Communication users one does not need to know the password either, but changing it, would make the access to the user more difficult.

Deleting a scheduled Background job in SAP

To delete a job:
Go to Transaction SM37. Select a job (or jobs) from the Select Background Jobs screen. In the Job Overview, mark the job or jobs you want to delete by checking the box to the left of the job name. Choose Job --> Delete.


Deleting Jobs That Have Dependent Jobs:

If you delete a job that must be processed before another job can be started, the dependent job can no longer be started. The system will inform you of any such existing dependent, or successor, jobs. You'll then need to either reschedule or delete the dependent job.
If you try to release a job whose predecessor job was deleted, the system sets the status of the job to Planned. To start this job, you must release it and specify the start conditions.

Schedule Manager

Automate your routine tasks with Schedule Manager. It facilitates the definition, scheduling, execution, and review of tasks that are executed on a regular basis, such as period-end closing.

SCMA - Schedule Manager

How to assign a background work process as a Class A background work process

Go to transaction RZ04 and choose Operation Modes / Instances. Select the operation mode and double-click it. A window opens showing the number of background work processes; in the field named Class A, increase the number to 1 (use the + button to increase it). The default value is zero. Then click Save to save the configuration.

How To Delete a Scheduled Job in SAP

I am working in production support and have been asked to stop a scheduled job. The job will run on the first of next month and I need to stop it from running.

The procedure is the one given under "Deleting a scheduled Background job in SAP" above: in SM37 select the job, mark it in the Job Overview and choose Job --> Delete, and note the handling of dependent (successor) jobs described there.

Checking your program Background Job Status

Checking your job status with SM50 (process type BTC) is more accurate than SM37. SAP updates the table TBTCO whenever your background job's status changes. If SAP is shut down, the current jobs might not be updated in the table in time (e.g. a background job is shown as Active in SM37 when in fact its real status should be Cancelled).

The types of work process:

  • DIA - work process for executing dialog steps in user transactions
  • UPD - update process for executing U1 (time-critical) database changes
  • UP2 - update process for executing U2 (non-critical) database changes
  • ENQ - for setting and releasing locks on SAP lock objects
  • BTC - for executing background jobs
  • SPO - for spool formatting processes
PID: Process ID of the work process

Availability Check on Quotation

SAP standard does not do an availability check on the quotation, as it is not a definite order, usually just a pricing quote.

When it is converted to an order, the first availability check is carried out, as well as credit checks. The system will check stock in the plant, plus what is contained in the availability checking rule (scope of check), e.g. it can add POs for replenishment, purchase reqs and different planned orders, and subtract sales orders, deliveries etc. already created against that material in that plant (and possibly storage location).

If there is enough stock in the plant/SLoc, the system will give you a confirmed date, or give you a date based on the production time or purchasing time from the material master. The date the system proposes is based on the customer's requested delivery date.

SAP first backward schedules looking at the required delivery date, less transportation time, less transportation lead time, less pick and pack time, less production/purchase time if applicable. If the date it calculates is equal or later than today’s date, then it will confirm the customer’s required date. If it falls in the past, SAP will then forward schedule for today’s date, plus the times listed above to get the date when the customer can actually have it.

ATP is the single most complex part of the SD module, depending upon how PP and MRP are set up.

MRP works semi-separately, depending on how it is set up. Basically, MRP looks at the demand on the plant, and if the stock does not meet expected sales orders and deliveries, it will create a purchase requisition (outside purchase) or requirement or planned order (for production) to cover the shortfall. When MRP is started, it will turn the PR into a PO or the requirement into a production order.

SD material Determination based on availability check

For SD material Determination you can create a Substitution reason and on the Strategy field, the following info. is available:

Product selection in the background is performed on the basis of the availability check.

We want to have the material determination only in case of material shortage. We expect the Substitution reason to give us this functionality. It does not however take the availability into account before substitution.

We thought the worst case is to create an ABAP which is linked to the "requirement" field in the Procedure (OV13).

Has anyone had the same requirement? Is this a bug or just incorrectly documented?

I also encountered this abnormality recently using material determination. In order to combat the problem, the first product substitution should be for the original material. I've illustrated this below:

Original Product: ABC
Substitutes: DEF, XYZ

In order to perform product substitution ONLY in the case of ATP failure for product ABC, structure the Material Determination record as follows:

Material Entered: ABC
Substitutes: ABC
             DEF
             XYZ

There seems to be a deviation at availability check, and/or on a conceptual note still.

Availability check can be configured both at requirement class and at the schedule line category level.

Whilst the availability check at the requirement class level is global and mandatory configuration, the schedule line category availability check deals with the order.

It is mandatory that the requirement class is flagged for availability check, and the schedule line category need not be.

The following are the mandatory for Availability check to happen--

1. Must be switched on at the requirement class level and at the schedule line level.

2. Requirement type must exist, by which a requirement class can be found.

3. A plant must exist and be defined.

4. Checking group must be defined in the material master record (it controls whether the system is to create individual or collective requirements).

A combination of checking group and checking rule will determine the scope of the availability check.

Creating Multiple Materials in Material Determination

Material Determination is used to swap one material for another. It is possible to get a list of materials for substitution, but remember you can substitute only one material from the list.

This can be done through the substitution reason, transaction code OVRQ.
See the substitution reason number for Manual Material Selection
- check the Entry box
- check the Warning box
- select A for Strategy
- save.

Go to VB11 to create the Material Determination (taking into consideration that all the previous steps for material determination, i.e. maintaining condition types, maintaining procedures for material determination and assigning procedures to sales document types, have been done).

Create one material determination; don't forget to give the Subst reason on top and also on the line.

Click the Variants icon on the top left. A screen opens.

Specify the different materials you want to swap with the material you have entered.

Note that the subst reason is already copied on the screen

Remember materials should be of the same sales area; at least the Divisions should be the same.

Backward and Forward Scheduling

Backward scheduling is the calculation of deadline dates: the arrival time at the customer site is calculated as the earliest possible goods receipt time at the customer's unloading point on the requested delivery date. All four of the delivery and transportation scheduling lead times are subtracted from the customer's requested delivery date to determine if this date can be met.

The transit time, loading time, and pick/pack time are subtracted from the customer’s requested delivery date to calculate the required material availability date.

The system calculates backward scheduling as follows:

Requested delivery date minus transit time = Goods issue date
Goods issue date minus loading time = Loading date
Loading date minus transportation lead time = Transportation scheduling date
Loading date minus pick/pack time = Material availability date

By default, the system will calculate delivery dates to the closest day, taking into consideration the working days of the shipping point and a rounding profile. In this case the system assumes a 24 hour work day, and lead times can be entered in days with up to two decimal places. This is referred to as daily scheduling.

Precise scheduling calculated down to the day, hour and minute is supported. This allows the scheduling of a delivery within a single day. It is activated by maintaining the working hours for a particular shipping point.

Backward scheduling is always carried out first. If the material availability date or transportation scheduling date is calculated to be in the past, the system must then use forward scheduling.

Forward scheduling is also done if no product is available on the material availability date calculated by backward scheduling. The system does an availability check to determine the first possible date when product will be available. This new material availability date forms the starting point for scheduling the remaining activities. The loading time, pick/pack time, transit time, and transportation lead time are added to the new material availability date to calculate the confirmed delivery date.
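The backward and forward calculations above, carried through as an added example (not SAP code): the four backward subtractions, the switch to forward scheduling when a date falls in the past or the availability check cannot meet the material availability date, and the forward additions. Assumptions: daily scheduling in whole working days, a Monday-to-Friday shipping point calendar, all four lead times counted in those working days, no rounding profile, and the later of the two forward-scheduled loading dates (from material availability and from transport organisation) winning.

```python
"""Backward and forward delivery scheduling with the dates defined in the text.

Added example, not SAP code. Assumptions: daily scheduling in whole working
days; the shipping point works Monday to Friday; all four lead times are
counted in those working days; no rounding profile.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

WORKING_WEEKDAYS = {0, 1, 2, 3, 4}  # Mon..Fri: assumed factory calendar of the shipping point


def shift_working_days(start: date, days: int) -> date:
    """Move `start` by `days` working days (negative moves backwards), skipping non-working days."""
    step = 1 if days >= 0 else -1
    remaining = abs(days)
    current = start
    while remaining:
        current += timedelta(days=step)
        if current.weekday() in WORKING_WEEKDAYS:
            remaining -= 1
    return current


@dataclass(frozen=True)
class LeadTimes:
    transit: int               # route transit time
    loading: int               # loading time at the shipping point
    transportation_lead: int   # time needed to organise transport
    pick_pack: int             # picking and packing time


@dataclass(frozen=True)
class Schedule:
    direction: str             # "backward" (requested date confirmed) or "forward"
    material_availability: date
    transportation_scheduling: date
    loading: date
    goods_issue: date
    delivery: date


def backward_schedule(requested_delivery: date, lt: LeadTimes) -> Schedule:
    """The four subtractions from the text, starting at the requested delivery date."""
    goods_issue = shift_working_days(requested_delivery, -lt.transit)
    loading = shift_working_days(goods_issue, -lt.loading)
    transportation_scheduling = shift_working_days(loading, -lt.transportation_lead)
    material_availability = shift_working_days(loading, -lt.pick_pack)
    return Schedule("backward", material_availability, transportation_scheduling,
                    loading, goods_issue, requested_delivery)


def forward_schedule(material_availability: date, today: date, lt: LeadTimes) -> Schedule:
    """Add the lead times to the new material availability date. Transport can only be
    organised from today, so the later of the two resulting loading dates wins
    (assumption about how the two branches are combined)."""
    loading = max(shift_working_days(material_availability, lt.pick_pack),
                  shift_working_days(today, lt.transportation_lead))
    goods_issue = shift_working_days(loading, lt.loading)
    delivery = shift_working_days(goods_issue, lt.transit)
    transportation_scheduling = shift_working_days(loading, -lt.transportation_lead)
    return Schedule("forward", material_availability, transportation_scheduling,
                    loading, goods_issue, delivery)


def schedule_order(requested_delivery: date, today: date, lt: LeadTimes,
                   first_available: date | None = None) -> Schedule:
    """Backward first; forward only if a date falls in the past or the availability
    check (modelled by `first_available`, None = stock on hand) cannot meet the
    backward-scheduled material availability date."""
    bwd = backward_schedule(requested_delivery, lt)
    stock_date = first_available or today
    if (bwd.material_availability >= today
            and bwd.transportation_scheduling >= today
            and stock_date <= bwd.material_availability):
        return bwd
    new_material_availability = max(bwd.material_availability, today, stock_date)
    return forward_schedule(new_material_availability, today, lt)


if __name__ == "__main__":
    lt = LeadTimes(transit=2, loading=1, transportation_lead=3, pick_pack=1)  # constructed values
    today = date(2024, 3, 4)  # a Monday
    for requested in (date(2024, 3, 15), date(2024, 3, 5)):
        s = schedule_order(requested, today, lt)
        print(f"requested {requested}: {s.direction:8} -> delivery {s.delivery}, "
              f"material availability {s.material_availability}")
```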

SAP Authorization Concept

The SAP authorization concept is based upon the logical relationship between a user ID and the range of system authorizations with which it can be associated. The architecture of the authorization system is based upon the utilization of several individual but related logical components: Profiles, Objects, Fields, and Authorizations. The user ID refers exclusively to profiles. Each profile grants a set of specific system access authorizations to the user. Figure 2 illustrates the hierarchical authorization concept in SAP.

Figure 2

2.2 Composite Profiles

Composite profiles refer to the various employee roles available in the corporation (for instance: Purchasing / Receiving Clerk or Accounts Agent). As the name suggests, composite profiles may contain multiple user IDs necessary to perform all the business operations associated with a particular role. A composite profile may encapsulate another composite profile(s). In practice, a model composite profile should be recognized for each possible role in the organization, which may be used to produce hybrid composite profiles. The over-existence of the hybrids can defy the very purpose of composite profiles and they should be created only when specific needs arise.

2.3 User IDs

User IDs allow access to SAP applications. Each user must have a corresponding profile specifically assigned. In many situations, multiple composite profiles can be assigned to a user ID, depending on the role(s) an individual user is responsible for in the business processes.

2.4 Authorizations

Authorizations are the key building blocks of SAP security. Authorization is the process of assigning values to fields present in authorization objects. In SAP, access to all system functionality is achieved through a complex array of authorizations. Sometimes users find that they lack the necessary authorizations to perform a certain function in the system, in which case the message: "You are not authorized..." is displayed at the bottom of the screen.

An authorization process may ask for a second associated authorization process, which in turn asks for a third, and so on. For example, the task of paying a vendor invoice may require 10 different authorizations.

SAP’s TCODE checks with the authorization tool

What are the checks that the SAP authorization tool performs when a TCODE is executed in order to ensure authorization of that user?

EXPERT RESPONSE

When initiating a transaction, a system program performs a series of checks to ensure the user is authorized.

1. The program checks whether the transaction code exists in table TSTC.

2. The program checks whether the transaction code is locked by the administrator (transaction code SM01).

3. The program checks whether the user has the authority to start the transaction. Authorization object S_TCODE (transaction start) contains the authorization field TCD (transaction code). The user must have the appropriate authorization for the transaction code to be started (for example, FK01, Create Vendor).

4. The program checks whether an authorization object is assigned to the transaction code. If this is the case, the program checks whether the user has an authorization for this authorization object. The transaction code/authorization object assignment is stored in table TSTCA.
Note: An SAP program controls steps 1 through 4. It displays an automatic message to the user if an authorization attempt fails at any of these steps.

5. The system performs authorization checks in the ABAP program using the ABAP statement AUTHORITY-CHECK.

Listing TCODE transactions used to view what users are logged in to SAP

I want to get a list of all transactions used per user in a specific time period. Basically I’m looking for a list of all users logged in SAP and the details of the tcodes they used. Is there any standard report or tcode available to view this info?

EXPERT RESPONSE

There is no standard transaction. The information is available for configurable time periods using transaction ST05N but it is not organized to readily provide a report of users and transactions. Also the information available summarizes a user’s use of a transaction. There will be one entry (with count data) per user per time period. Daily, weekly and monthly summaries can be created and they are stored for configurable durations.
The information is summarized into a cluster table called MONI based on the STAT files that are written in the file system and regularly refreshed. MONI cannot be queried via SE16 etc., but SAP delivers a number of function modules that retrieve data from these tables.

It is also possible to configure audit logging via SM19 and read the log files via SM20. This will provide more detail but it also introduces new file management issues and requires a change to system settings.

Authorization Check

The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:

  • Starting SAP transactions (authorization object S_TCODE)
  • Starting reports (authorization object S_PROGRAM)
  • Calling RFC function modules (authorization object S_RFC)
  • Table maintenance with generic tools (authorization object S_TABU_DIS)

The authorization objects S_TCODE, S_PROGRAM, S_RFC, and S_TABU_DIS are provided by SAP as standard.
Creating a new authorization object is not in the scope of the ABAP developer; it is taken care of by the SAP Basis team.


Unlocking a blocked admin user ID in an Oracle DB

My admin user ID has been locked out. Is there a table I can update in Oracle to reset the flag and enable myself to log in?

EXPERT RESPONSE

Select all entries of table USR02 where ‘UFLAG’=128. These users are locked by reason of incorrect logons. ‘UFLAG’=64 will give you the users that are blocked by Administrator. Set ‘UFLAG’ to 0, to unlock your account.

How to Check Missing Authorisation for User

How do I check the missing authorisation for a user who does not have the option "/nsu53"?

You can use the following procedures to determine which authorizations a user requires to carry out a transaction:

You can use the trace function, ST01: trace the user's activity, and from the log you can see which authorization is missing.

Start an authorization trace using the ST01 transaction and carry out the transaction with a user who has full authorizations. On the basis of the trace, you can see which authorizations were checked.

This procedure generally works well. However, sometimes the result is very surprising because certain programs can and do ignore some authorization checks by using preliminary checks and buffered results. In such cases, these methods are not very effective. You can recognize these cases because certain fields of the corresponding programs are specified with * or DUMMY at some point of the authorization check.

Analyzing authorization problems in an unknown program

The most frequently used method to analyze authorization problems in an unknown program is to set Debugger breakpoints on the AUTHORITY-CHECK and MESSAGE statements, then execute the program and analyze its behavior.

Determining all the authorizations a user has for an authorization object

When troubleshooting, it is often helpful to find out all the authorizations a specified user has for a specific authorization object. A simple method of reading these authorizations as raw data from the user master record is to execute the GET_AUTH_VALUES function module in the SUSR function group. Use the SE37 transaction or SE80 in test mode to do so. The result table is not formatted for output, but is very compact and easy to understand for authorization experts.

Analyzing an authorization problem that occurs for only one user

It is often the case that a certain authorization problem occurs for only one specific user. This kind of authorization problem generally affects users with no Debugging authorization. If you want to assign a user Debugging authorization without changing the HR authorizations, you can add the S_A.DEVELOP authorization profile (if available) to the user’s authorization profiles. In production systems, note that changes such as these to authorizations enable users (with relevant knowledge of the development environment) to access any system data easily (especially in other clients).

SAP Profile Generator tables

-----Original Message-----
Subject: Profile Generator tables?
From: Paul Ellis

We maintain profiles in a Development system using Profile Generator, but only transport the authorisation profile and not the activity group to Staging/Production.

We are about to refresh the Development system with a copy of Production. What tables do I need to export from Development prior to the refresh, and later re-import, to ensure that Profile Generator is able to maintain the activity groups created in Development?

Thanks in advance.

Paul Ellis

-----Reply Message-----
Subject: Re: Profile Generator tables? - more
From: Mike O'Carroll

oh, and maybe these tables for profile generator stuff......
(from top include for PFCG)
function-pool rhum.

tables: hrv1220, hrp1001, hrp1000.
tables: pchdy, pphdx, p1000,
pt1220, t77fc, t77fd.
tables: *objec, objec, *p1000.
tables: pdrhum, t77aw, t777o.
tables: xu213.
tables: t777e, usr05, tprprof.

and you may need to do the same with menu tables - I'm not sure which ones
(from top include from SSM1)
function-pool smnu. "MESSAGE-ID ...
*
tables: indx, tstct, dsyax,
smenca_new, smen_obnew, smen_conew,
smenusenew, smenentnew,
smen_dates, ssm_stat, ssm_start, ssm_langu,
smensapt, smencust, smenentt,
smensapnew, smencusnew,
smenselect, t002t,
ssm_rele, smenintnew, smenintt.

--------------------------------------------------------------------------------

Regards,
Mike O'Carroll

-----Reply Message-----
Subject: Re: Profile Generator tables? (Document link: Michael O'Carroll)
From: Michael O'Carroll/UK

user masters: USR01 to 09, UST04,
profiles: USR10, USR11, UST10S, UST10C,
authorisations: USR12, USR13, UST12.
password exceptions USR40.
History tables (may not be applicable but FYI): users: USH02, USH04,
profiles: USH10, auths USH12.

Activity groups are stored in table PLOGI along with loads of other object types. The activity groups are object type T.
You could export the table data with a manual transport request via SE01, using R3TR TABU and specifying the keys to use for all objects of type T (i.e. all activity groups). Remember to include all clients in the selection.

OR, if you are using the client copy functions to refresh your DEV from PROD, then you could use RSCCEXCT (see OSS note 70290) to list all these tables and exclude them from the copy, so the corresponding original DEV tables should not be overwritten in DEV.
I suggest you export a transport request with all these tables from DEV just in case, so you can re-import them again if it goes pear shaped.
In 3.x I don't think the activity group names involve client number or SID, but I've heard some differences in 4.6 - Guy Holchester has sent many notes to the list about it - have a look at the archives, but I think as long as you aren't copying between different versions (eg from Prod 4.6 to Dev 3.x, or vice versa) then it should be OK.

If you choose to re-import the tables from transport requests, you might want to run the sync tool in the target client (DEV) afterwards - i.e. run function module SUSR_SYNC_USER_TABLES, or run SU30, just to check for any dodgy links or inconsistencies.

Also, if you are re-importing user masters too, run RSSODELT and RSSOUSER to recreate all SAPOffice mailboxes and link them to the new user IDs in the target client.

hope this helps.
cheers,
Mike

-----Reply Message-----
Subject: Re: Profile Generator tables?
From: Kenneth Marquardt

I would use RHMOVE30 and create a transport of your activity groups. To be safe, test-import the activity groups to QAS prior to refreshing DEV with PRD. Then, once you have completed the refresh, import the transport you created. For more info on this look at the Authorizations Made Easy guide available online, page 11-6, release 4.0b.

Remember to run SUPC after you import to regenerate the profiles.

-----End of Reply Message-----

Query About Tcode PFCG

1. How do I check the names of all users who have been authorised to use a particular transaction? I am trying to find this through SUIM, but failing to find the names or total number of users of a particular t-code, say SPRO.

2. I know that a particular transaction, say SPRO, is available in a particular role and I want to remove that t-code from that role. But I am unable to find that node through PFCG. If I search for the t-code inside the menu tab after entering edit mode, it does not appear in PFCG, but through SUIM its existence in that role is shown. That particular role contains a lot of t-codes and reports, say about 2000.

1. Go to SUIM and select the USER node, then select the USERS BY COMPLEX SELECTION CRITERIA node, then execute the BY TRANSACTION AUTHORIZATION report. Give the transaction code and it will return the number of users having that transaction, with relevant details.

Follow these steps:

- Go to SUIM .
- Choose Roles --> By Transaction assignment.
- Enter Transaction : "SPRO"
- Choose execute.
- Double click on a role in which you want to remove "SPRO" authorisation.
- Click on pen mark to change into change mode.
- Go to tab "Authorization"
- Choose change authorization data.
- Choose Utilities --> Technical names on.
- Choose --> Cross application authorization objects -->
- Expand the selection for Object "s_tcode" , under the corresponding profile look the values maintained for "TCD" and remove value "SPRO" from the list to eliminate the authorization.
- Don't forget to regenerate profiles.

2. You should be able to find this via the menu tab; otherwise try to do this in the authorization tab --> change authorization data, by search.

How To Compare The Roles

How to compare the roles where created or defined in two different systems?

For role comparison both the roles must be in the same system, in the same client.

Transaction code SUIM -> Comparison -> Roles

If the roles are in different systems, then transport the role into one of the systems and do the comparison. If no transport connection is defined, you can use the upload and download options in PFCG.

Steps for Role Comparing:

1. Run the t-code SUIM

2. Go To Comparison and select the option of roles

3. Click on the Across systems option. It will give you an option to select the system name under Remote Comparison; there enter the SYS ID of the system you want to compare with and put the role name in the compare role section, then execute. It will give you the result.

4. If there is any difference between the t-codes it will be in red colour, otherwise in yellow.

Creating New User With Authorizations

I want to create a new user for an SAP module. I have the user id sap* (someone has said that this is the super user id); when I login with this id and go to the IMG for configuration, a message is displayed that I am not authorised to change the details with the sap* user.

What is the procedure for creating a new user which has all the features defined under the SAP* user and which would allow me to make the configurations?

Creating new user with superuser authorizations.

1. Go to SU01 --
username: sapuser
|--> Create.

2. In default settings, give
title: Mr
first name: sap
last name: user

3. Go to the next tab,
give initial password: 1234
repeat password: 1234

4. Go to profiles.
type SAP_ALL (press Enter)
SAP_NEW (press Enter)
Then save....
See the message in the status bar (user created successfully).

5. Login with the new user and change the password. Now this user has all superuser authorizations.

Introduction on Authorizations

  • Authorization objects enable complex checks of an authorization, which allows a user to carry out an action. An authorization object can group up to 10 authorization fields that are checked in an AND relationship.
  • For an authorization check to be successful, all field values of the authorization object must be maintained accordingly. The fields in an object should not be seen as input fields on a screen. Instead, fields should be regarded as system elements, such as infotypes, which are to be protected.
  • You can define as many system access authorizations as you wish for an object by creating a number of allowed values for the fields in an object. These value sets are called authorizations. The system checks these authorizations in OR relationships.
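The AND-within-an-authorization, OR-between-authorizations rule above (together with the `*` value and the DUMMY check mentioned under the ST01 trace) is easy to get wrong when reading raw user master data. The following added Python model is not SAP code; the object, field and authorization names in its sample data are constructed, and the return codes only approximate sy-subrc.

```python
"""Model of the AUTHORITY-CHECK evaluation rule: fields inside one
authorization are ANDed, the authorizations a user holds for one object
are ORed, a '*' value matches everything, and a DUMMY check skips a field.
Constructed example; it is not SAP code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple, Union

# A maintained value is a single value, a '*' or prefix pattern,
# or a (VON, BIS) range, as in the profile generator value screens.
Value = Union[str, Tuple[str, str]]

DUMMY: Optional[str] = None  # 'ID fld DUMMY': the field is not checked


@dataclass
class Authorization:
    name: str                        # e.g. 'T-0001' (constructed)
    obj: str                         # authorization object, e.g. 'S_TABU_DIS'
    values: Dict[str, List[Value]]   # field -> allowed values


def value_matches(allowed: Value, actual: str) -> bool:
    """Match one maintained value against the value being checked."""
    if isinstance(allowed, tuple):           # range VON..BIS, inclusive
        low, high = allowed
        return low <= actual <= high
    if allowed == "*":                       # full authorization
        return True
    if allowed.endswith("*"):                # prefix pattern such as 'Z*'
        return actual.startswith(allowed[:-1])
    return allowed == actual


def authority_check(user_auths: Sequence[Authorization], obj: str,
                    checks: Dict[str, Optional[str]]) -> int:
    """Return an sy-subrc style code (approximation): 0 = passed,
    4 = object held but no single authorization satisfies every checked
    field, 12 = the user holds no authorization for the object at all."""
    candidates = [a for a in user_auths if a.obj == obj]
    if not candidates:
        return 12
    for auth in candidates:                  # authorizations are ORed
        for fld, actual in checks.items():   # fields are ANDed
            if actual is DUMMY:
                continue
            if not any(value_matches(v, actual)
                       for v in auth.values.get(fld, [])):
                break                        # this authorization fails
        else:
            return 0                         # every checked field matched
    return 4


# Constructed user master data: three authorizations for two objects.
SAMPLE_USER = [
    Authorization("T-0001", "S_TCODE", {"TCD": ["SU53", "SUIM", "PFCG"]}),
    Authorization("T-0002", "S_TABU_DIS",
                  {"DICBERCLS": ["SS", "SC"], "ACTVT": ["03"]}),
    Authorization("T-0003", "S_TABU_DIS",
                  {"DICBERCLS": ["Z*"], "ACTVT": [("02", "03")]}),
]

if __name__ == "__main__":
    # The single S_TCODE authorization lists SU53, so this passes.
    print(authority_check(SAMPLE_USER, "S_TCODE", {"TCD": "SU53"}))  # 0
    # 'SS' with activity '02' fails: T-0002 allows SS but only display,
    # T-0003 allows change but only Z* groups. Values are never combined
    # across authorizations, which is what the AND/OR rule means.
    print(authority_check(SAMPLE_USER, "S_TABU_DIS",
                          {"DICBERCLS": "SS", "ACTVT": "02"}))       # 4
    # With the group field checked as DUMMY, T-0003 alone satisfies ACTVT.
    print(authority_check(SAMPLE_USER, "S_TABU_DIS",
                          {"DICBERCLS": DUMMY, "ACTVT": "02"}))      # 0
```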

Troubleshooting authorization in SAP R/3

When you encounter errors during testing of roles, you can use SU53 and ST01 to analyze the error.

  1. Ask the user to run SU53 to display the result of the last failed authorization check. It is important that the user runs SU53 immediately after the failed check, as only the last object that failed the authorization check is saved.
  2. You can run trace using ST01 to further analyze the error. For more detail follow the link…

Shortcut to create role with many reports /tcode

Once I had a couple of roles which were made just to hold reports. The number of reports was huge. Here is how I did it.
First create a CATT script with a dummy role and add one tcode. Make the role and T-code a variant. Once you have this you can add any number of tcodes to any existing role. I could reuse this to create other roles where I had to insert a lot of T-codes.

Check which authorisation objects are checked within a transaction

1. Open two sessions

2. Execute transaction ST01 in one of the sessions

3. Select the authorisation checkbox, note the other traces you can perform (SQL, RFC, Table Buffer etc)

4. Click the ‘Trace On’ button

5. Within your other session execute the transaction/report you want to trace, or get the user in question to do it

6. Return to the session where you turned the trace on and click on ‘Trace Off’, otherwise it will continue to record all authorisation checks

7. Click on the ‘Analysis’ button

8. Enter appropriate data into selection screen such as Username, type of trace records (i.e. Authorization check)

9. Click on the Execute button.

10. A report displaying the trace results is now shown

What are the Authorizations Required

Administrators who use the Profile Generator require authorization for the following authorization objects:

- S_USER_AGR Authorization Check for Activity Groups
- S_USER_TCD Transaction Assignment of Transactions to Activity Groups
- S_USER_GRP User Master Maintenance: User groups
- S_USER_PRO User Master Maintenance: Authorization Profile
- S_USER_AUT User Master Maintenance: Authorizations
- S_USER_VAL Maintenance of Authorization Values in Activity Groups

How do I go about creating an authorization group

This all depends. In some cases authorization groups must exist in a custom table before they can be used. This is true for table authorization groups (authorization groups in table TBRG, assigned to tables in table TDDAT via transaction SE54) and user groups (created in transaction SUGR). In some cases authorization groups are simply created when they are assigned to the object in a standard maintenance transaction (e.g. vendor master data, customer master data, material master data etc.). In other cases the authorization group has an optional validation table that is used in search helps but nowhere else (ABAP programs in tables TPGP and TPGPT, report writer authorization groups via table TBRG, etc.). Authorization groups are essentially labels that you assign to objects (tables, programs, master data etc.) that allow authorization checks for access to the objects with the label.

Frequently Asked Questions on Authorization

Role & Profile

What is the difference between role and a profile?

Role and profile go hand in hand. The profile is brought in by a role. A role is used as a template, where you can add T-codes, reports..... The profile is what gives the user authorization. When you create a role, a profile is automatically created.

What is the use of role templates?

User role templates are predefined activity groups in SAP consisting of transactions, reports and web addresses.

What is the difference between a single role and a composite role?

A role is a container that collects the transactions and generates the associated profile. A composite role is a container which can collect several different roles.

What are profile versions?

Profile versions are created when you modify a profile parameter through RZ10 and generate: a new profile is created with a different version and stored in the database.

Is it possible to change role template? How?

Yes, we can change a user role template. There are exactly three ways in which we can work with user role templates:
- we can use them as they are delivered by SAP
- we can modify them as per our needs through PFCG
- we can create them from scratch.
For all of the above we have to use transaction PFCG to maintain them.

Personalization Tab Within PFCG

Please explain the personalization tab within a role.

Personalization is a way to save information that could be common to users, I mean to a user role... E.g. you can create SAP queries and manage authorizations by user groups. Now this information can be stored in the personalization tab of the role. (I suppose that it is a way for SAP to address the ambiguity of its concepts of user group and role: is "usergroup" a grouping of people sharing the same access, or is it the role that is the grouping of people sharing the same access?)

How to insert missing authorization? Ways?

SU53 is the best transaction with which we can find the missing authorizations, and we can insert those missing authorizations through PFCG.

Table of authorisation field settings

Is there a table for authorisations where I can quickly see the values entered in a group of fields?
In particular I am looking to find the field values for P_ORGIN across a number of authorisation profiles, without having to drill down on each profile and authorisation.

AGR_1251 will give you some reasonable info.

Table with deleted users

Someone has deleted users in our system, and I am eager to find out who. Is there a table where this is logged?

Debug or use RSUSR100 to find the info.

Run transaction SUIM and drill down into its Change documents.

How can I make T_Code SPRO Read Only

I have a requirement to make SPRO read only. As you know it has a tree like structure and to make it read only seems like impossible.

You cannot make SPRO 100% display only by ANY setting. The SCC4 option only turns configuration tables to not modifiable but still allows the non-config delivery class tables (or those configured to be changeable) to be modified. It does nothing for the tcodes that are NOT table maintenance and not controlled by S_TABU_DIS. These will still allow configuration. All the tcodes in the SPRO are in several tables; CUST_ACTOBJ (spelling?) is one.

Your only real option is to create a role with all the tcodes in it that are in the SPRO, change the create and change tcodes to display (generally by changing the last number on the 4 digit tcodes to 3) and remove all the Create and Change access in all the activities, allowing only display.

PFCG allows you to create a role from a SPRO project so the user menu will come close to the SPRO menu, which with your changes will be display only.

Mass Delete of Old Roles

How can I do a mass delete of the old roles without deleting the new roles?

There is an SAP delivered report that you can copy, remove the system type check from, and run. To do a landscape-wide delete, enter the roles to be deleted in a transport, run the delete program or manually delete, and then release the transport and import it into all clients and systems.

It is called: AGR_DELETE_ALL_ACTIVITY_GROUPS.

To use it, you need to tweak/debug & replace the code, as it has a check that ensures it is deleting SAP delivered roles only. Once you get past that little bit, it works well.

What is an Authorisation Object?

An Authorisation Object is a structured group of Authorisation Fields that can be populated with Authorisation Values.

Create authorization object

Question: Hello,

I need to restrict access for a specific field of a table.

Can you tell me how to know which authorization object links to this field AND how to create an auth. object?

Thanks.

Answer:
There is no easy way of doing this. The Auth Object(s) for standard tables are S_TABU_DIS and S_TABU_CLI. You can use these to restrict access to display only or to client-specific tables. However, if that requirement is mandatory you need to create a custom t-code to display the table, restricting the field.

Answer:
What do you mean by the statement "restrict specific field of a table?"
Can you be a bit more specific in your problem?
_________________
Regards
Vijay

Answer:
One option could be S_TABU_LIN, but I think you are better off with a custom transaction

Answer:
Exact.

We found a solution by creating a specific transaction.

Creating an auth group and assigning a table

Question: How do I create a new auth group and assign a table to this group in S_TABU_DIS?

Answer:
Tcode SUCU. The "group" does not have to exist, but you can create one in SE54.

Creating authorization levels

Question: hello,

I found a note that names a report that needs to be run so that I can
change a field and make it an organizational level (done it). But when I look at that field within a certain object in PFCG, it's still yellow like before, and I can't find it under the button "organizational level"......do I have to somehow generate my new organizational level field? And in that case how, because SU24 and others are just for transactions.

grateful for some help
//Vinnie

Answer:
1. Did you run the reports in test mode and not change mode?
2. Are you relying on the text name or the technical value of the field? The program PFCG_ORGFIELD_CREATE uses the technical name and there are several fields that look the same in text but are not technically; Company code and Company come to mind.

Note that if you create the org level and then decide to remove it, there is a bug in the PFCG_ORGFIELD_DELETE program that corrupts the SU24 entries that the customer adds that are not in the SAP source table. You will have to correct these manually.

Answer:
Hello,

I managed to create an organizational level object by running the report. But normally when you see standard organizational levels they appear red until they are filled in. When I look in the object containing the field I changed, and add it to a role, it's still yellow. That is my problem, it doesn't really change and it does not show under the button organizational level. So what do I have to do to see it there, and also to see the field red in the object?

thank you in advance
Vincent
_________________
6 years' experience. Prepared to work all over the globe, but so far Sweden and Denmark. Speak English, Swedish, Finnish and Spanish fluently.

Answer:
Was the object added by you in SU24 or was it SAP delivered? Go to SU24 and remove the object from the tcode that is bringing it in, re-add it and see if it corrects itself.

Answer:
The object I used is ygo_sec_op and is not connected to any tcode......I checked that too..............more ideas please......maybe we can solve this:)

//Vincent
_________________
6 years' experience. Prepared to work all over the globe, but so far Sweden and Denmark. Speak English, Swedish, Finnish and Spanish fluently.

Answer:
ygo_sec_op? The "Y" implies a customer developed object. The report that creates the org level manipulates the customer table in SU24 and then changes AGR_1251, but if your ygo_sec_op was not changed then the code may ignore MANUALLY inserted objects (highly possible; I did not pay attention to this part of the code). So it may be working as designed.

The best practice is to tie all required objects to a tcode and configure it in SU24 with the most restrictive access (usually view, if the tcode has to be shared between change and view) and then you ADD manual authorizations to increase access, with the proviso that you have a standard to support their inclusion in the role. If you have a manual (there are some exceptions) without a standard, this would indicate to you that the tcode needing the access has been removed and the MANUAL should also be removed.

Try removing the object from the role, exit PFCG entirely and re-open the role and add it back (exiting entirely may not be needed in all cases).

Answer:
thanks for your input, stupid me playing with y fields.

It works fine for the standard fields, but not for the customized ones, at least it seems like it. Just like you said.

thanks for your help

cheers
Vincent
_________________
6 years' experience. Prepared to work all over the globe, but so far Sweden and Denmark. Speak English, Swedish, Finnish and Spanish fluently.

Answer:
Custom Fields or Objects? You can add the fields in the table and link your custom field to an SAP variable. Table USORG is the link between the field and the variable in table USVAR. If you add a USVAR then you MUST transport table USVART to get it to work in the other systems (you should take USVAR as well).

Did removing the object and re-adding help, or is it truly a 'Y' object with new fields?

Creating Authorization profile

Question: Hi,
We normally use roles (PFCG) and authorization profiles are generated automatically.
I need to create authorization profiles in 3.1h, both simple and composite.

Can anyone guide me on how to do this?
Is it through SU02? What has to be added in Object? And in Authorization?

Thanks.

Answer:
You create and modify authorization profiles in SU02. The values assigned to each authorization object must be determined by members of each business unit. Either that, or you assign no values to any of the parameters and let the users test each transaction assigned to the role and determine the different org levels and parameters through testing. It is a long process; however, if the business cannot help you define the roles it is the only other way to do it.

Answer:
And I assume you will need to create custom authorisations as well. That is done through SU03.

Creating customizing authorization objects

Question: Hi

I am new to SAP security. Can anybody explain how to create customizing authorization objects? I know we can create them through SU21; can anybody explain briefly?

Answer:
Read the documentation in SU21.

Note: First look for an appropriate SAP standard object before you create deviations from the standard.

Creating new authorization object

Question: Hi all,

Is it possible to create a new authorization object, fields for it and the values? If yes, please guide me regarding the same.
_________________
Regards,

Sailesh K

Answer:
A new authorisation object can be created using transaction SU21 and fields for it can be created in SU20. You need to assign a class to the authorisation object.

Creating New Organizational Levels

Question: We are creating derived roles, a master role with individual derived roles.
As we know the only values that don't get pushed down are the org. values.
However we are controlling on values that are not org levels. So I would like to make them org levels, for instance company code.

I know you can create org levels in SE38 with PFCG_ORGFIELD_CREATE.
However if you do this will it make company code an org value in every role that it exists?

If so do we have to go into every role or will a value be populated automatically from the role itself?

Is it possible to pick and choose which roles you want the new org levels to apply to?

Any help would be greatly appreciated!!!

Thanks!

Answer:
I know you can create org levels in SE38 with PFCG_ORGFIELD_CREATE.
However if you do this will it make company code an org value in every role that it exists?

Yes

If so do we have to go into every role or will a value be populated automatically from the role itself?

IIRC Values in the fields will become populated as org levels without any further action required from you

Is it possible to pick and choose which roles you want the new org levels to apply to?

No. This is the downside to creating org levels. You can force individual fields in roles to ignore org level behaviour but this is on a role by role basis and not practical to maintain. If you find yourself needing to do this then your design does not suit creating additional org levels.

Answer:
If you create an org level from a field you have already used you may not get the desired results. If you have mixed values in different authorizations where they need to be discrete for different objects, the creation of the org level will combine ALL the values into all the authorizations. So be careful and analyse the results of the report BEFORE committing the results.

Answer:
Test mode

Create org level field KOSTL
Update authorization value proposals (SU24 data)
Conflicts (manual follow-up needed)
Values collected in role: SAP_CA_CL_MAINTAIN
Original values:
Authorization object   Authorization   Values
I_KOSTL T_P092043200
New org level values:
*

Values collected in role: SAP_ESSUSER
Original values:
Authorization object   Authorization   Values
P_TRAVL T_8000022406
P_TRAVL T_8000022407 *
New org level values:
*

Values collected in role: SAP_HR_REPORTING
Original values:
Authorization object   Authorization   Values
P_TRAVL T_P092020100 *
New org level values:
*
01

Thanks so much for your help!!!

Answer:
Looking at my last reply, I didn't get the entire message in.

What is in the last reply is the report that you run, PFCG_ORGFIELD_CREATE, and the results that I get.

My question is why it says (manual follow-up needed) for some of the roles.
All roles affected are at the end of the report. But it lists out conflicts above the list.

S_TABU_LIN

Question: Hi everyone

I am currently trying to test the limitations of the restrictions that can be enforced by using object S_TABU_LIN. This allows users to only see particular rows of a table, depending on the restrictions in place.

I am having problems when testing this, as I do not know many table names or what fields lie in what tables - can anyone suggest the values that should sit in S_TABU_LIN and the table/s this relates to?

I don't mind what it does or doesn't let me see because at the moment it's simply for testing; I just want it to produce an authorisation error so I can see it working and work from that.


Answer:
Also, does the role have to have access to the authorisation group (in S_TABU_DIS) in which the table lies? For example, if you are trying to restrict seeing parts of HR master data in S_TABU_LIN, would you need authorisation group PA in S_TABU_DIS??

S_TABU_LIN set up as organizational level

Question: Hello,

I have started to look at the use of S_TABU_LIN to restrict table record maintenance on BUKRS, KOKRS, WERKS and EKORG. What I want is to be able to set these restrictions as organizational levels, as we are using template roles which by inheritance will be used at about 200 different companies.

Has anyone tried this ?

Is it possible or not?

Answer:
You can create org levels using the report SAP provides (PFCG_ORGFIELD_CREATE). Note BUKRS already is an org level. So test it before you go too far and read the test results closely before you implement.

Answer:
This is not possible. It would mean 2 fields as OrgLevel:
first defining the field OrgCriteria definition as an organizational level, and supplementary to that the needed values.
Both fields are in the object S_TABU_LIN. How would the system know which value belongs to which OrgCrit?

S_TCODE

Question: Is there a way to ensure that the values in S_TCODE are only the tcodes assigned to the role through the menu tree? We are trying to prohibit ranges and the value of * in the S_TCODE object.

Thanks,

Mark

Answer:
You can have a look through table AGR_TCODES, and look for * values. That's the way I usually do it

Answer:
This would have to be a manual process. Analyze the data under AGR_TCODES vs AGR_1251 S_TCODE,TCD.

Answer:
I believe there is a report in SAP that gives you this; the report is PFCG_AGRS_WITH_MANUAL_S_TCODE. You cannot prevent them from doing it, just detect it after the fact.
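The manual AGR_TCODES versus AGR_1251 comparison suggested in the answers above can be scripted over table extracts. The following added Python example is not an SAP report; its role names and rows are constructed, and it assumes extracts reduced to the columns AGR_NAME/TCODE and AGR_NAME/OBJECT/FIELD/LOW/HIGH.

```python
"""Compare the transactions in a role's menu (AGR_TCODES) with the
S_TCODE/TCD values in its generated authorizations (AGR_1251) and flag
wildcards, ranges, manual additions and menu entries with no S_TCODE
coverage (e.g. profile not regenerated). Constructed data, not SAP code."""
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed extracts (assumed column order).
# AGR_TCODES rows: (AGR_NAME, TCODE)
AGR_TCODES: List[Tuple[str, str]] = [
    ("Z_FI_DISPLAY", "FB03"), ("Z_FI_DISPLAY", "FBL3N"),
    ("Z_FI_DISPLAY", "FAGLL03"),          # in the menu, profile not regenerated
    ("Z_BASIS_ADMIN", "SU01"), ("Z_BASIS_ADMIN", "PFCG"),
    ("Z_MM_BUYER", "ME21N"), ("Z_MM_BUYER", "ME23N"),
]
# AGR_1251 rows: (AGR_NAME, OBJECT, FIELD, LOW, HIGH)
AGR_1251: List[Tuple[str, str, str, str, str]] = [
    ("Z_FI_DISPLAY", "S_TCODE", "TCD", "FB03", ""),
    ("Z_FI_DISPLAY", "S_TCODE", "TCD", "FBL3N", ""),
    ("Z_BASIS_ADMIN", "S_TCODE", "TCD", "*", ""),          # full wildcard
    ("Z_MM_BUYER", "S_TCODE", "TCD", "ME21N", "ME23N"),    # range, also grants ME22N
    ("Z_MM_BUYER", "S_TCODE", "TCD", "SE38", ""),          # manual extra value
    ("Z_MM_BUYER", "S_TABU_DIS", "ACTVT", "03", ""),       # other object, ignored
]


def covers(low: str, high: str, tcode: str) -> bool:
    """Does one maintained TCD value (single, prefix pattern or range)
    grant the given transaction code?"""
    if high:                                 # range LOW..HIGH, inclusive
        return low <= tcode <= high
    if low.endswith("*"):                    # '*' or prefix pattern
        return tcode.startswith(low[:-1])
    return low == tcode


def s_tcode_findings(agr_tcodes: Sequence[Tuple[str, str]],
                     agr_1251: Sequence[Tuple[str, str, str, str, str]]
                     ) -> Dict[str, List[str]]:
    """Return {role: [finding, ...]} for roles whose S_TCODE values are
    not exactly the menu transactions. Roles with no findings are omitted."""
    menu = defaultdict(set)
    for role, tcode in agr_tcodes:
        menu[role].add(tcode)
    tcd_rows = defaultdict(list)
    for role, obj, fld, low, high in agr_1251:
        if obj == "S_TCODE" and fld == "TCD":
            tcd_rows[role].append((low, high))

    findings: Dict[str, List[str]] = {}
    for role in sorted(set(menu) | set(tcd_rows)):
        notes = []
        for low, high in tcd_rows[role]:
            if high:
                notes.append(f"range {low}-{high}")
            elif "*" in low:
                notes.append(f"wildcard {low}")
            elif low not in menu[role]:
                notes.append(f"manual {low}")
        # Menu entries that no maintained value covers at all.
        for tcode in sorted(menu[role]):
            if not any(covers(low, high, tcode) for low, high in tcd_rows[role]):
                notes.append(f"missing {tcode}")
        if notes:
            findings[role] = notes
    return findings


if __name__ == "__main__":
    for role, notes in s_tcode_findings(AGR_TCODES, AGR_1251).items():
        print(role, "->", "; ".join(notes))
```

In a real extract the LOW column of a pattern may also sit on a row whose HIGH is empty, so the range test is made first; a range such as ME21N-ME23N is worth flagging precisely because it silently includes ME22N, which is not in the menu.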

S_TCODE check after upgrade to 4.7

Question: With the upgrade to version 4.7, regular transactions do not work the
same way anymore.

Example transaction VL10H on the Tab ‘General Data’ there is column
named OriginDoc. When you click on one of these fields, it calls the
transaction VA03 (in version 4.6C) but now it calls VA02 (in version
4.7).

Why and how can I fix that without giving new roles with transactions
they did not have before and that used to run in the background without
requesting any S_TCODE check?

I have many requests for this kind of problem but for different roles
calling different S_TCODE. If I find a way to fix, one I will know for
all the other roles that call other S_TCODE’s.

Someone told me I could use SE97 to skip the S_TCODE check BUT! What if the
transaction really requires another transaction to work? I do not want to
skip it, otherwise we will have another kind of problem. Or am I wrong?

Please help

Nancy

Answer:
Sorry, I did not find the one I posted yesterday and I thought I did not save it.

Sorry for the duplicate of S_TCODE check after upgrade to 4.7

Nancy

Answer:
Dear Nancy,

In higher releases of SAP they are cleaning up their navigation paths. Upgrading, when your business process used a path which has changed (it became stricter to click on), does not mean that the process is any different.

You can call anything what you want. E.g. You can use SE97 to MAINTAIN the check on the CALLED tcode based on which tcode is CALLING it. But if the user can switch their sy-tcode, then the relationship changes. Take a look at table TCDCOUPLES.

SAP also provides other confusing messages though, which might be the case here. SU53 says "no auth tcode"? But this may be caused by your having "BACK"ed (the ESC or OK problem) or the ABAP didn't react sufficiently to the check and met a second auth fail, but gave you a message from either the one or the other, and an SU53 from the last check failed... i.e. the last one before '/nsu53'... not necessarily the one which gave you a "message" or caused your navigation path to change.

The change of the called transaction you mentioned (i.e. from VA03 -> VA02) may also be having an implication based on an application auth object check at tcode start, and not the tcode itself. Check SE93 for VA02.

For this you need to look beyond the tcode and compensate for SAP's max-confusion-strategy. SU53, PFCG, ST01 and the SoD tools loitering around SAP are fully integrated into this strategy.

Kind regards,
Verne

Answer:
The only thing I found in the table TCDCOUPLES is an entry for
TCODE CALLED
VL10H VA03
VL10 VA02

But I am really in VL10H and I keep having the message
"You are not authorized to use transaction VA02" !!!

I went into SE97 and created a list of called transactions for VL10H:
Do not check VA02
Check Warning VA03
Do I have something else to do after what I did, or when I use the role will everything work without any other configuration?

I really need to know how to configure VL10H to call VA03 instead of VA02. Even with the table TCDCOUPLES or SE97 I am not able to change this setting !!!!

Need help
Nancy

Answer:
You will need to,
1. Call SAP and report the problem, or
2. Search on OSS for a fix
3. Debug the code and see if it is configurable in a table (it probably is not, and TCDCOUPLES has nothing to do with what you want; it must be in the code).

Answer:
The last person who called SAP got 335277 - VL10: VA03 instead of VA02 in display of orders

You will need to work together with your developer and application person for the area.

An afterthought: That is also why, when you have outsourced your development work and application consulting, you will need to get yourself a Miles-and-More card and learn at least one exotic foreign language.

s_tcode display only problem

Question: Hi Guru's

How to allow a user to see only the Area Menu and SAP Menu but not the list of transactions assigned to his role? I tried in 2 ways..

1. I blocked the User menu, which also blocks the Area menu.
2. Deleted the transaction code list from the Menu of the user role and generated the profile. So now in the user menu I cannot see any transactions. It worked.
Here the problem is that S_TCODE is in Display mode only, so we cannot add any additional transactions in future. I do not like to uncheck transaction codes in SE97.

Apart from these, is there any other way to solve this?

Thanks in advance

Pranu

Answer:
Pranu

User menu vs SAP menu and restricting views of transactions have been discussed on this forum many times before. Usually in those discussions the question is asked "Why do you not want users to see transactions they are allowed to use? It does not add to security, so what is the purpose of hiding access?"

The display-only status of S_TCODE has been discussed a lot recently too. I'm not going to answer your question here, because the S_TCODE issue and the menu issue could both be answered by you using the search facility.
_________________
Sandi
~~~~

Apparently Father Christmas, the Easter Bunny, the Tooth Fairy and Star Wars aren't real


Answer:
"Why do you not want users to see transactions they are allowed to use? It does not add to security, so what is the purpose of hiding access?"

If you cannot trust your users enough to let them see the transactions they have access to, then your design should be changed to only give them the access that your risk profiling permits.
Security by obscurity is not proper security

S_TCODE is not in change mode

Question: Hi All

we are working on 4.7x1.10 SR1.

when we tried to add some transactions in Authorization object S_TCODE

it is showing us only in display mode, whereas it should be in change mode.

Is there any parameter that we need to add in 4.7 or what is the procedure to make S_TCODE as change mode?

pls help me out ........thanks in advance


Answer:
If you are using PFCG then the tcode needs to be added to the MENU, not the authorization. If you are in SU02: profiles created from PFCG cannot be changed in SU02.

S_TCODE Lookup

Question: I need to be able to find all roles that have a TCD value in S_TCODE of *.

How can I do that? Suim's logic seems to give all roles. I need the specific value to be a '*'.

Thanks for your help.

Answer:
Hi bluedevil,
I usually use SE16 on AGR_1251 table to get what you are looking for...

be sure to use the '=' single value selection option,
instead of the '[*]' pattern selection option, in the tcode field.

hope this helps, regards.

S_TCODE with * Value

Question: Does anyone know the name of the report, or how to find non-standard values such as ranges or * in the S_TCODE object? I think there is an SAP report but don't remember what it is.


Answer:
Look at report PFCG_AGRS_WITH_MANUAL_S_TCODE

Also use table AGR_TCODES and look for '*' by setting the selection option to "equals to" rather than blind entry of '*'
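Both threads above come down to the same audit question: which roles carry an S_TCODE value that is not a single concrete transaction. The report below is an added example and is not code from the original posts; it reads AGR_1251 (role authorization values) as the SE16 answer suggests and classifies each TCD value in ABAP. The Z report name and the FULL/PATTERN/RANGE labels are my own, and the syntax assumes a 7.40 or later ABAP release.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the original posts): list roles whose
*& S_TCODE/TCD authorization is not a single concrete transaction.
*& Reads AGR_1251 directly; report name and classification are assumed.
*&---------------------------------------------------------------------*
REPORT zs_tcode_wildcard_audit.

TYPES: BEGIN OF ty_hit,
         agr_name TYPE agr_1251-agr_name,
         auth     TYPE agr_1251-auth,
         low      TYPE agr_1251-low,
         high     TYPE agr_1251-high,
         kind     TYPE string,   " FULL / PATTERN / RANGE
       END OF ty_hit,
       ty_hits TYPE STANDARD TABLE OF ty_hit WITH EMPTY KEY.

CLASS lcl_tcode_audit DEFINITION.
  PUBLIC SECTION.
    " Classify one LOW/HIGH pair; returns initial for a single concrete tcode
    CLASS-METHODS classify
      IMPORTING iv_low         TYPE clike
                iv_high        TYPE clike
      RETURNING VALUE(rv_kind) TYPE string.
    " Collect every non-concrete S_TCODE value from AGR_1251
    CLASS-METHODS find_hits
      RETURNING VALUE(rt_hits) TYPE ty_hits.
ENDCLASS.

CLASS lcl_tcode_audit IMPLEMENTATION.
  METHOD classify.
    " Order matters: '*' alone is the full wildcard, any other value
    " containing '*' is a generic pattern, a filled HIGH is a range.
    IF iv_low = '*'.
      rv_kind = 'FULL'.
    ELSEIF iv_low CA '*'.
      rv_kind = 'PATTERN'.
    ELSEIF iv_high IS NOT INITIAL.
      rv_kind = 'RANGE'.
    ENDIF.
  ENDMETHOD.

  METHOD find_hits.
    " '=' in Open SQL compares literally (the same point the SE16 answer
    " makes about '=' versus pattern selection). Here all S_TCODE rows are
    " fetched and classified in ABAP, because ranges need HIGH inspected.
    SELECT agr_name, auth, low, high
      FROM agr_1251
      INTO TABLE @DATA(lt_rows)
      WHERE object  = 'S_TCODE'
        AND field   = 'TCD'
        AND deleted = @space.

    LOOP AT lt_rows INTO DATA(ls_row).
      DATA(lv_kind) = classify( iv_low = ls_row-low iv_high = ls_row-high ).
      IF lv_kind IS NOT INITIAL.
        APPEND VALUE ty_hit( agr_name = ls_row-agr_name auth = ls_row-auth
                             low = ls_row-low high = ls_row-high
                             kind = lv_kind ) TO rt_hits.
      ENDIF.
    ENDLOOP.
    SORT rt_hits BY kind agr_name.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(lt_hits) = lcl_tcode_audit=>find_hits( ).
  WRITE: / |{ lines( lt_hits ) } non-concrete S_TCODE values found|.
  LOOP AT lt_hits INTO DATA(ls_hit).
    WRITE: / ls_hit-kind, ls_hit-agr_name, ls_hit-auth, ls_hit-low, ls_hit-high.
  ENDLOOP.
```

A FULL hit is the '*' the first question asks about; PATTERN and RANGE hits are the "non-standard values" the second question asks about, which the delivered report PFCG_AGRS_WITH_MANUAL_S_TCODE named in the answer also targets. Running this in each client of a role-transport landscape shows where manual S_TCODE maintenance has bypassed the PFCG menu.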

S_TRANSPRT versus S_CTS_ADMI

Question: We're trying to restrict rights to release transports (DTRA); one role has most activities for S_TRANSPRT but not 43 (release). However, one user with this role managed to release a transport. The same role has S_CTS_ADMI with activity * (all activities); is this effectively "overriding" the restrictions in S_TRANSPRT ?

Can't find any info on this elsewhere... tried SAP, SDN...

thanx...

Answer:
Look into SU24 and SU21 and from there into the documentation; this will give the requested info.

Answer:
The SAP documentation is (as often is the case) very opaque, to say the least. I think we have a decent idea of the relation between these objects, even though we haven't found a clear, logically structured explanation on exactly what are the limitations and interoperability of the two objects. Probably never will...

Answer:
Tronds,

I guess the generic problem here is that values were granted
for the activity field based on the principle "ALL - except (43)".
I advocate the 'need-to-have'.

Check whether activity 75 is in. This allows you to release
other users' objects.

S_USER_ALL

Question: Hi...

I am about to administrate users and roles on a SAP system. Previously I was always given SAP_ALL, but this time I wanted more adequate access rights. I therefore requested the profile S_USER_ALL (All Authorizations for user and authorization maintenance).

But... only to find out that it did not include any value for TCD (transaction code) or the authorization object S_USER_VAL (which gives access to change values in PFCG).

Anybody with experience in this area?

What profiles/roles are you guys using for user/role administration

Thanks for any reply


Answer:
Requirements will depend on your segregation of duties for user and role/profile administration.

We developed our own and did not depend on the SAP provided Roles.

Assign yourself SAP_ALL in a test client, set up a trace and run through your actions to see what auths and values you need.

SAP Auditor role/authorization

Question: Is there a SAP role for SAP auditor (internal control)? Is there a role to view the Implementation Guide customizing settings?

Answer:
Is there a SAP role for SAP auditor (internal control)? Is there a role to view the Implementation Guide customizing settings?

If you are still looking for the SAP delivered roles like S:A_SHOW etc, then rather go back to doing your accounting on paper.

SU53 Authorization Check

Question: If there is a message in SU53 saying "T-DV76526201 Exists in user buffer" for the role T-DV76526201, and then below I would find the list of the transaction codes affected, does that mean that there was an error or is it just an informational message?

Are all messages appearing in SU53 just error messages, or are there informational messages too?

Answer:
SU53 records the last authorisation failure for a user. The first block shows the system's authorisation requirement and the list below shows the authorisations present for that object for a particular user.

Answer:
I have seen the message you are talking about. The SU53 actually states something about an authorization existing in the user buffer but it still fails. I have found this is a throwback to pre-4.5 where the user must log off and back on again and it will usually work then. give it a shot.

Authorizations in sap

Access control in SAP is composed of several concepts:

  1. Program code that calls an authorization check using the AUTHORITY-CHECK statement. This will look something like:
    AUTHORITY-CHECK OBJECT <object> ID <field> FIELD <value>.

  2. Authorization fields (corresponding to the <field> in the above code) that define a scope of possible values. Examples of authorization fields would be:
    ACTIVITY: defines the type of activity the user is doing with the data. Possible values are 'DISPLAY', 'MODIFY', 'DELETE', etc.

    COMPANY_CODE: possible values are any single value, or any range of values, or any combination thereof (such as '0438' and '0600' thru '1100')

  3. Authorization objects that define a group of fields. For example, an authorization object called 'CO_MDATA', containing our above fields ACTIVITY and COMPANY_CODE, might be used to control access to the company master data tables.

  4. Authorizations, each of which belong to exactly one authorization object, that define authorization values (within the scopes defined by the authorization objects) to be granted to users. Note that an authorization is different from an authorization object!! Extending our previous examples, we might have an authorization, belonging to the authorization object 'CO_MDATA', called 'CO_MDATA_ALL', that grants all access to all company master data. Then 'CO_MDATA_ALL' would have the following values:

    FIELD          VALUE
    ACTIVITY       *
    COMPANY_CODE   *

  5. Profiles, each of which may contain several authorizations or profiles. A simple profile contains a group of authorizations. A composite profile contains a group of profiles (simple or composite). [Profiles can be conceptualized as forming the structure of a tree, in which end nodes (leaves) are authorizations, and all other nodes are profiles. Simple profiles are nodes whose children are all end nodes, and composite profiles are nodes, other than end nodes, who have no end nodes for children.]

    Profiles are designed to define a set of one or more functions or positions. For example, a functional profile might define all the authorizations that are required for doing a goods receipt, or for making a payment in the AP module. A position profile, on the other hand, might define all of the authorizations that are granted to an accountant, or to a warehouse supervisor. Often, a position profile is a composite profile consisting of several functional profiles.

  6. Users, to whom profiles are assigned. A user is assigned one or more profiles by the system administrator. These profiles define all of the user's system authorizations.
It sounds complicated, but once you start working with authorizations, it's pretty easy.
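The check in item 1 above, carried through with the fields and object of items 2 and 3, as an added example that is not part of the original page. CO_MDATA is the page's illustrative object, not a delivered SAP object, so it has to be created in SU21 (with fields ACTIVITY and COMPANY_CODE) before the report runs in a sandbox; the report name, class name and the sample company code calls are my own.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the original page): AUTHORITY-CHECK against
*& the illustrative object CO_MDATA with fields ACTIVITY and COMPANY_CODE.
*& CO_MDATA is assumed to exist in SU21 in the test system.
*&---------------------------------------------------------------------*
REPORT zco_mdata_auth_demo.

TYPES ty_val TYPE c LENGTH 40.   " width of an authorization field value

" Outcome of one check, so callers can branch on it instead of on sy-subrc
TYPES: BEGIN OF ty_result,
         activity TYPE ty_val,
         bukrs    TYPE ty_val,
         subrc    TYPE sy-subrc,
         verdict  TYPE string,
       END OF ty_result.

CLASS lcl_co_mdata_guard DEFINITION.
  PUBLIC SECTION.
    " May the current user perform iv_activity on company code iv_bukrs?
    CLASS-METHODS check
      IMPORTING iv_activity      TYPE ty_val
                iv_bukrs         TYPE ty_val
      RETURNING VALUE(rs_result) TYPE ty_result.
ENDCLASS.

CLASS lcl_co_mdata_guard IMPLEMENTATION.
  METHOD check.
    rs_result-activity = iv_activity.
    rs_result-bukrs    = iv_bukrs.

    " Each ID names one field of the object; FIELD supplies the value the
    " kernel compares against the user's authorizations for CO_MDATA.
    " One single authorization must cover BOTH values for the check to pass.
    AUTHORITY-CHECK OBJECT 'CO_MDATA'
             ID 'ACTIVITY'     FIELD iv_activity
             ID 'COMPANY_CODE' FIELD iv_bukrs.
    rs_result-subrc = sy-subrc.

    CASE sy-subrc.
      WHEN 0.
        rs_result-verdict = 'granted'.
      WHEN 4.
        " No authorization matched all listed fields; this is the
        " failure SU53 shows afterwards for this user.
        rs_result-verdict = 'denied'.
      WHEN 12.
        " Object unknown in this system (CO_MDATA not created in SU21)
        rs_result-verdict = 'object not found'.
      WHEN OTHERS.
        rs_result-verdict = 'check could not be performed'.
    ENDCASE.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed sample calls using the company code from the text above
  DATA(ls_display) = lcl_co_mdata_guard=>check( iv_activity = 'DISPLAY' iv_bukrs = '0438' ).
  DATA(ls_delete)  = lcl_co_mdata_guard=>check( iv_activity = 'DELETE'  iv_bukrs = '0438' ).
  WRITE: / 'DISPLAY 0438:', ls_display-verdict.
  WRITE: / 'DELETE  0438:', ls_delete-verdict.
  " A user holding only an authorization with ACTIVITY = 'DISPLAY' and
  " COMPANY_CODE = '0438' gets 'granted' then 'denied'; a user with the
  " CO_MDATA_ALL authorization from item 4 (both fields '*') gets
  " 'granted' for both calls.
```

The point worth noticing is the last comment: the two values are checked together against one authorization, which is why an authorization object with several fields cannot be satisfied by combining a DISPLAY-only authorization for one company code with a DELETE authorization for another.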

System Administration: Authorization Concepts

Authorization Checks

When a user starts a transaction, the system performs the following checks:

  • The system checks in table TSTC whether the transaction code is valid and whether the system administrator has locked the transaction.
  • The system then checks whether the user has authorization to start the transaction. The SAP system performs the authorization checks every time a user starts a transaction from the menu or by entering a command. Indirectly called transactions are not included in this authorization check. For more complex transactions, which call other transactions, there are additional authorization checks.
    • The authorization object S_TCODE (transaction start) contains the field TCD (transaction code). The user must have an authorization with a value for the selected transaction code.
    • If an additional authorization is entered using transaction SE93 for the transaction to be started, the user also requires the suitable defined authorization object (TSTA, table TSTCA).
      If you create a transaction in transaction SE93, you can assign an additional authorization to this transaction. This is useful, if you want to be able to protect a transaction with a separate authorization. If this is not the case, you should consider using other methods to protect the transaction (such as AUTHORITY-CHECK at program level).
  • The system checks whether the transaction code is assigned an authorization object. If so, a check is made that the user has authorization for this authorization object.
    The check is not performed in the following cases:
    • You have deactivated the check of the authorization objects for the transaction (with transaction SU24) using check indicators, that is, you have removed an authorization object entered using transaction SE93. You cannot deactivate the check for objects from the SAP NetWeaver and HR areas.
    • This can be useful, as a large number of authorization objects are often checked when transactions are executed, since the transaction calls other work areas in the background. In order for these checks to be executed successfully, the user in question must have the appropriate authorizations. This results in some users having more authorization than they strictly need. It also leads to an increased maintenance workload. You can therefore deactivate authorization checks of this type in a targeted manner using transaction SU24.
    • You have globally deactivated authorization objects for all transactions with transaction SU24 or transaction SU25.
    • So that the entries that you have made with transactions SU24 and SU25 become effective, you must set the profile parameter AUTH/NO_CHECK_IN_SOME_CASES to “Y” (using transaction RZ10).


All of the above checks must be successful so that the user can start the transaction. Otherwise, the transaction is not called and the system displays an appropriate message.

Checking Assignment of Authorization Groups to Tables
You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.

Authorization Check

The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:

  • Starting SAP transactions (authorization object S_TCODE)
  • Starting reports (authorization object S_PROGRAM)
  • Calling RFC function modules (authorization object S_RFC)
  • Table maintenance with generic tools (authorization object S_TABU_DIS)

The authorization objects S_TCODE, S_PROGRAM, S_RFC, and S_TABU_DIS are standard SAP-provided objects.

Creating a new authorization object is not in the scope of an ABAP developer. It is taken care of by the SAP Basis team.
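The "Authorization Checks" section (transaction start: TSTC, S_TCODE, the SE93 object in TSTCA), the table-group paragraph (TDDAT and S_TABU_DIS) and the list just above (S_PROGRAM for reports) describe checks the kernel performs on its own. The report below is an added example, not SAP's code and not from the original page: it re-implements those three checks in ABAP so the reason for a failure is visible per step, which is what the SM37/SU53 threads earlier on this page are missing. It uses the delivered function module AUTHORITY_CHECK_TCODE for the combined S_TCODE-plus-SE93 verdict; the Z report name, the class, and the sample inputs (SE16, RSUSR002, USR02) are my own choices, and the syntax assumes a 7.40 or later release. SU24 check indicators and auth/no_check_in_some_cases are not modelled.

```abap
*&---------------------------------------------------------------------*
*& Added example (not SAP's code): the start-time checks described in the
*& text, made explicit step by step. The kernel does this itself; this
*& report only shows which tables and objects are consulted.
*&---------------------------------------------------------------------*
REPORT zstart_checks_demo.

TYPES ty_val TYPE c LENGTH 40.

CLASS lcl_start_checks DEFINITION.
  PUBLIC SECTION.
    " Transaction start: TSTC existence, S_TCODE/TCD, then the optional
    " extra object maintained in SE93 (stored in TSTCA).
    CLASS-METHODS check_tcode_start
      IMPORTING iv_tcode         TYPE tstc-tcode
      RETURNING VALUE(rv_reason) TYPE string.
    " Report start: S_PROGRAM with the authorization group from TRDIR-SECU.
    CLASS-METHODS check_report_start
      IMPORTING iv_progname      TYPE trdir-name
                iv_action        TYPE ty_val DEFAULT 'SUBMIT'
      RETURNING VALUE(rv_reason) TYPE string.
    " Generic table access (SE16 etc.): S_TABU_DIS with the group from TDDAT.
    CLASS-METHODS check_table_access
      IMPORTING iv_tabname       TYPE tddat-tabname
                iv_actvt         TYPE ty_val DEFAULT '03'
      RETURNING VALUE(rv_reason) TYPE string.
ENDCLASS.

CLASS lcl_start_checks IMPLEMENTATION.
  METHOD check_tcode_start.
    " 1. Does the transaction exist at all?
    SELECT SINGLE tcode FROM tstc INTO @DATA(lv_tcode) WHERE tcode = @iv_tcode.
    IF sy-subrc <> 0.
      rv_reason = 'not in TSTC'.
      RETURN.
    ENDIF.
    " 2. S_TCODE: the user needs a TCD value covering this transaction.
    AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD iv_tcode.
    IF sy-subrc <> 0.
      rv_reason = 'S_TCODE'.
      RETURN.
    ENDIF.
    " 3. Additional object from SE93, if one is assigned in TSTCA. The
    " delivered function checks S_TCODE and that object together; since
    " S_TCODE already passed, a failure here is the SE93 object.
    SELECT objct FROM tstca INTO TABLE @DATA(lt_objs) WHERE tcode = @iv_tcode.
    IF lines( lt_objs ) > 0.
      CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
        EXPORTING  tcode  = iv_tcode
        EXCEPTIONS ok     = 0
                   not_ok = 2
                   OTHERS = 3.
      IF sy-subrc <> 0.
        rv_reason = |SE93 object { lt_objs[ 1 ]-objct }|.
        RETURN.
      ENDIF.
    ENDIF.
    rv_reason = 'OK'.
  ENDMETHOD.

  METHOD check_report_start.
    SELECT SINGLE secu FROM trdir INTO @DATA(lv_group) WHERE name = @iv_progname.
    IF sy-subrc <> 0.
      rv_reason = 'program does not exist'.
      RETURN.
    ENDIF.
    IF lv_group IS INITIAL.
      " No authorization group maintained: S_PROGRAM is not consulted
      rv_reason = 'OK (no group)'.
      RETURN.
    ENDIF.
    " P_ACTION is SUBMIT online; a background step needs BTCSUBMIT instead,
    " which is why a job can fail where the same report runs online.
    AUTHORITY-CHECK OBJECT 'S_PROGRAM'
             ID 'P_GROUP'  FIELD lv_group
             ID 'P_ACTION' FIELD iv_action.
    rv_reason = COND #( WHEN sy-subrc = 0 THEN 'OK'
                        ELSE |S_PROGRAM group { lv_group } action { iv_action }| ).
  ENDMETHOD.

  METHOD check_table_access.
    SELECT SINGLE cclass FROM tddat INTO @DATA(lv_cclass) WHERE tabname = @iv_tabname.
    IF sy-subrc <> 0 OR lv_cclass IS INITIAL.
      " No group assigned: the table falls under the "not classified" group
      lv_cclass = '&NC&'.
    ENDIF.
    AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
             ID 'DICBERCLS' FIELD lv_cclass
             ID 'ACTVT'     FIELD iv_actvt.
    rv_reason = COND #( WHEN sy-subrc = 0 THEN 'OK'
                        ELSE |S_TABU_DIS group { lv_cclass }| ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed sample inputs: a generic table tool, a user report, a table
  DATA(lv_t) = lcl_start_checks=>check_tcode_start( 'SE16' ).
  DATA(lv_r) = lcl_start_checks=>check_report_start( iv_progname = 'RSUSR002'
                                                     iv_action   = 'BTCSUBMIT' ).
  DATA(lv_d) = lcl_start_checks=>check_table_access( 'USR02' ).
  WRITE: / 'Start SE16      :', lv_t.
  WRITE: / 'Batch RSUSR002  :', lv_r.
  WRITE: / 'Display USR02   :', lv_d.
```

Run under the background user of a failing job, the S_PROGRAM step reproduces the BTCSUBMIT case from the first thread on this page, and the S_TABU_DIS step shows why holding S_TCODE for SE16 alone does not open a table: the group from TDDAT has to be in the user's DICBERCLS values as well.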

What is authorization

Authorization is the process of giving someone permission to do or have something. In multi-user computer systems, a system administrator defines for the system which users are allowed access to the system and what privileges of use they have (such as access to which file directories, hours of access, amount of allocated storage space, and so forth). Assuming that someone has logged in to a computer operating system or application, the system or application may want to identify what resources the user can be given during this session. Thus, authorization is sometimes seen as both the preliminary setting up of permissions by a system administrator and the actual checking of the permission values that have been set up when a user is getting access.

auth/new_buffering

Question: Does anyone have any experience relating to performance impact of enabling/disabling the user buffer?

As of now, we have a system running with auth/new_buffering set to 4.
I have a feeling that not using the buffer may influence our performance, but it is hard to verify without running traces in the productive system?

If the buffering does indeed affect performance, will this effect be larger or smaller using structural authorizations?

I hope someone can help clarify the issue?

/Morten P. Koehler

Answer:
The user buffer referenced in auth/new_buffering has nothing to do with structural authorizations, as these are stored in a table (if turned on) and only retrieved if the user encounters an HR authorization check.

The system impact on performance is based on logon time and the number of records SAP has to retrieve from UST04, UST10 and UST12. If you have a properly designed security it can be minimized, but the use of composite and task-oriented roles increases the records SAP must resolve at logon. It also impacts the size of the system you must have and the swap space you will need for processing if you have 1000s of records to store in memory. In either case the buffer exists; it has more to do with logon times.

The major impact is opening up your system to a host of back doors if auth/new_buffering is > 0.

SAP's claim is a 4 must be used so you can change the users access without having them log off and back on, does not work 100% of the time.

Also the >0 setting is based on a table that are not in sync with the real security tables. SAP only syncs them once and if you do not sync them yourself ( you have to use the sync function module correctly or nothing happens) you are loading incorrect data and orphaned data.

Answer:
The symptom is "without connection to user". I.e. no logon time.

SAP also mentioned that we could also deactivate the buffering in the data dictionary, but no client (with John's performance prerequisites) has been willing to take the step to date. Would that (SE11) have an impact, from any experiences?

Auditing Information System AIS

Auditing Information System (AIS)

SAP Audit Information System (AIS) serves as a centralized repository for reports, queries, and views of interest to auditors. It is designed to address the overall system configuration as well as SAP business processes and their related control features, providing audit and security practitioners with the critical information they need to conduct effective reviews of their SAP systems. SAP administrators can use AIS for security auditing. The AIS plays a supportive role in providing security services for SAP systems. The primary function of AIS is auditing but auditing features can derive the measures that help in developing the security policy for SAP systems.

Administration and Maintenance

A successful security setup of an SAP system concludes with proper management and administration of user IDs, password resetting, audit trails, audit logs, access control lists, and personnel responsibilities.

Security administration in SAP includes maintenance of the overall SAP security environment using the SAP Profile Generator, creating user-level activity groups and creating user master records.

The concept of SAP security is flexible as well as complex. SAP has a multi-layered integrated framework. To ensure adequate protection, security measures must be factored into all layers of the SAP infrastructure. With client/server architecture, SAP systems include many components that exchange information, each of which constitutes a layer of the SAP security infrastructure. Security is often not a priority in an implementation and as a result, the default security is not strong. SAP security functionality could be enhanced using various measures as discussed above.

Enterprises must develop a security strategy to ensure a secure and functional SAP system. A business critical application like SAP needs continuous monitoring and improvement of its security features.
