You can find out about this by using transaction SU22. With transaction SU22, the
authorization objects of an application are assigned to an application and the default
values (for the profile generator (PFCG)) are managed.
ST01 -> authorization check. Note: the trace is not system-wide; it only works on the instance
on which the trace was started. So: log on to the same server on which the session of the
user to be traced is running! In the details of an authorization check in the trace (double-click),
there is also a reference to the program and the source code line in which the authorization
check was carried out.
Convert web pages and HTML files to PDF in your applications with the Pdfcrowd HTML to PDF API Printed with Pdfcrowd.com
In the evaluation: do not use asterisks in the user ID field; this does not work in ST01
as you might expect. Entering e.g. "ABC*" causes the trace data to be
evaluated for the literal user "ABC*", not for all users beginning with "ABC".
STAUTHTRACE: Extended version of ST01 for the authorization trace (from SAP_BASIS 7.00
SP26). Once SAP Note 1707841 (STAUTHTRACE: System-wide trace evaluation) applies,
starting the trace on application servers is also supported. If "Evaluate Extended
Passport" is checked, it also provides some useful statistical data, e.g. for RFC calls (calling
system/client, batch job, transaction name). The trace data is displayed in an ALV grid, with a jump to
the respective ABAP source code.
STUSOBTRACE: Setting the filters for the authorization trace (from SAP_BASIS 740?).
Dependent profile parameter: auth/authorization_trace.
STRFCTRACE (from SAP Note 2080378: Analysis of RFC communication, similar to the
function in "UCON" ("Unified Connectivity",
http://help.sap.com/saphelp_nw74/helpdata/de/ab/35e1c69f744d69a4fcf4ca93284e0c/content.htm))
Brief description / delimitation of transactions SU22, SU24, SU25 (taken from the online
documentation on SU22):
the customer's role administrator can edit the
authorization values even further, e.g. to specify the
company code.
The SU25 is used for the initialization of the profile generator after the upgrade or initial
installation.
Transaction SU20
But then also think about the data elements and domains used!
A * entered in the field values for authorizations matches any value in the field.
If you want to search for the full authorization, #* must be entered (see
SAP Notes 1267608: SUIM| RSUSR030 Search by total authorization and 1259329:
SUIM| Search with the search pattern #**).
-> auth/no_check_in_some_cases profile parameter does not contain "Y". See SAP Note
416016: Profile Parameter auth/no_check_in_some_cases.
SAP Notes
-> indirect role assignment. By assigning users to a "position", they then also receive the
roles assigned to a position.
https://help.sap.com/saphelp_nw73/helpdata/de/58/9e563cf19bcb43e10000000a11405a/frameset.htm
The prerequisite is, among other things, an entry in table PRGN_CUST (HR_ORG_ACTIVE
"YES").
REGENERATE_SAP_NEW for SAP_NEW
only via an add-on program from SAP Note 0313587: Mass Deletion of Activity Groups
Program PRGN_STATUS_ALL
Program PFCG_MASS_TRANSPORT
Transaction PFCGROLEDIST
SUIM -> comparisons -> roles (or transaction S_BCE_68001777 or program RSUSR050).
Transaction SE97 / table TCDCOUPLES: authorization check when a transaction is called from
another transaction
ST03N -> switch to "Expert" -> select application server (not TOTAL!) -> select time period -> in
the lower area "User and billing status." -> "User profile" -> double-click on user x
In SU01, enter "RSET" in the command field (no matter which screen)
or
or
or
The user buffer can also be reset for a single user: Specify SU56 > "Authorization Values"
> "Other User / Authorization Object" > User > "Authorization Values" > "Reset User
Buffer".
In releases < SAP_BASIS 750, there is a "hard" limit of 312 profiles that a user can have. If
this limit is exceeded, the user synchronization does not work (red lights).
The users who have such an overflow can be found via SE16 / Table USR04. The PROFS
field contains the assigned profiles, and the NRPRO field contains the number of bytes
used in the field. The profile name is 12 characters long, 2 additional bytes are required
for a change flag. So: (NRPRO - 2) / 12 = number of profiles. A value > 3740 indicates an
overflow in the user buffer.
SAP Notes on this:
This is because: SAP Note 816523: Abort when a user logs on: "No authorization"
PFCG_ORGFIELD_UPGRADE Profile Builder: Customization after upgrade for new org-level field
PFCG_SET_PROFILE_NAMERANGE set the number range for the name suggestion for profiles
PFCG_UPDATE_ALL_ROLES Regenerate all roles
In the "generic table access tools (transactions SE16, SE17, SM30, SM31, and SM34) and
all other applications that use the function module VIEW_AUTHORITY_CHECK for
authorization checking", S_TABU_DIS is first checked with the authorization group of the
table. If this authorization check fails, the authorization for S_TABU_NAM is then checked
with the table name. If this is successful, access to the table data is possible. In many
application programs, however, this two-stage check does not take place. That is, if a
user's access to a table works in transaction SE16, SM30, ... only because the
S_TABU_NAM authorization exists while the S_TABU_DIS authorization is missing, the user
may be denied access to the same table in application programs.
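The two-stage check described above can be reproduced for the current user with a small diagnostic report. This is an added example, not code from the article or from SAP: the report name Z_TABU_CHECK_DEMO is hypothetical, only the display activity (ACTVT 03) is tested, and it assumes that tables without an authorization group in TDDAT are checked against the group &NC&.

```abap
REPORT z_tabu_check_demo.
" Added example (hypothetical report name): shows whether table access for the
" current user rests on S_TABU_DIS or only on the S_TABU_NAM fallback.
PARAMETERS p_tab TYPE tabname DEFAULT 'T001'.

DATA: gv_group    TYPE tddat-cclass,
      gv_generic  TYPE abap_bool,   " result of DIS-then-NAM check
      gv_dis_only TYPE abap_bool.   " result of a program that checks DIS only

START-OF-SELECTION.
  " Authorization group of the table (assumption: no entry means '&NC&').
  SELECT SINGLE cclass FROM tddat INTO gv_group WHERE tabname = p_tab.
  IF sy-subrc <> 0 OR gv_group IS INITIAL.
    gv_group = '&NC&'.
  ENDIF.

  " Stage 1: S_TABU_DIS with the authorization group of the table.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD gv_group
    ID 'ACTVT'     FIELD '03'.
  IF sy-subrc = 0.
    gv_dis_only = abap_true.
    gv_generic  = abap_true.
  ELSE.
    " Stage 2: fall back to S_TABU_NAM with the table name.
    AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
      ID 'ACTVT' FIELD '03'
      ID 'TABLE' FIELD p_tab.
    IF sy-subrc = 0.
      gv_generic = abap_true.
    ENDIF.
  ENDIF.

  WRITE: / 'Table:', p_tab, 'Authorization group:', gv_group.
  WRITE: / 'Two-stage check (DIS, then NAM):', gv_generic.
  WRITE: / 'Program checking S_TABU_DIS only:', gv_dis_only.
  IF gv_generic = abap_true AND gv_dis_only = abap_false.
    WRITE: / 'Access rests on S_TABU_NAM alone; DIS-only programs deny it.'.
  ENDIF.
```

Run it under the user in question (or a test user with the same roles); an 'X' on the second line with a blank on the third marks exactly the case in which SE16/SM30 work but an application program may not.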
In this context, it also makes sense to create a parameter transaction for SM30 with the table
name and to maintain this parameter transaction in SU24.
Blocking a system against the import of user assignments from activity groups
If you want to block a system against the import of user assignments of activity groups,
you can specify this in the Customizing table PRGN_CUST (Maintenance with transaction
SM30). To do this, enter a line labeled USER_REL_IMPORT with a value of NO.
What are Security Guidelines / Security Policies?
From SAP_BASIS 731. The security policies replace a number of profile parameters with
regard to the definition of password rules, changes, and login restrictions. In SU01 (tab
"Logon data") you can assign users to a security policy. The security policies are
maintained in transaction SECPOL.
If no security policy is entered for a user, the rules from the profile
parameters apply.
Note: with the introduction of the security policies, the password rules are now also valid
for service users!
Documentation: https://help.sap.com/viewer/c6e6d078ab99452db94ed7b3b7bbcccf/7.31.19/en-US/e9c15fb4c06340558898fda99d98cb0d.html
Via the program ADBC_QUERY. Just enter the table name (DB connection name and database
schema can be left empty), then select columns if necessary; you then get the data of all clients
in the system.
Tables:
USRSTAMP timestamp for all changes to the user
CDHDR: OBJECTID = user name, and as usual, the related records in table CDPOS have the
same CHANGENR.
Have a nice day! Please let me know if anything is missing in the SAP
authorizations.
Please connect and follow me for the next upcoming informative articles.
Cheers :)
Wow, Muhammad Arshad! Your extensive knowledge in SAP systems is truly impressive! Your willingness
to share your expertise on SAP authorizations shows your dedication to helping others in the industry.
Keep up the great work and thank you for being such a valuable resource to the SAP community!
#sapexpertise #sapsupport #sapcommunity