Channel: SCN: Message List - Security

Re: Audit Logs In SAP MM


Hi,

The SM19 tcode is used to activate the security audit. Through that you can have a log of user login, logoff, failed attempts, transaction start, report start & system-related logs. That log you can view through a t-code.

There is no such t-code that records logs related to the MM module. You have to check individually, i.e. for material master change logs you can view through MM02/MM03, for POs ME23N/ME22N etc.

I mean to say, you have to run the individual tcode for viewing each log.

 

Thanx


Re: User passwords at CUA setup time


Thanks,

 

What if user John has Telephone number 1234 in system XYZ1 and in XYZ2 his telephone number has value 5678. Which number is pulled into the Central CUA?

Re: Is there a way in SAP to check what all Authorization Groups are used by Transaction Codes.


Hi Lee,

 

Your solution has solved almost 70% of my task. For the rest of the transactions I need to put on a trace and find it manually.

 

Thank you!!

 

Regards

merge PFCG menu at user level


Hi,

 

I want to merge the menu of two different PFCG single roles when they are assigned to the same user.

 

For e.g.

Role A                          Role B
  Menu A       <---Merge--->      Menu B
    Folder A   <---Merge--->        Folder B
      Application A                   Application B

When the two roles are assigned to the user, it has to be like below:

Role A/B
  Menu A/B
    Folder A/B
      Application A, Application B

 

I have worked out a similar solution for Portal roles using role merging, but I could not find any such option for PFCG roles.

If anyone has come across a similar requirement, please let me know how you have achieved it.

 

Thanks,

Balajii

Disable change authorization in debug mode for single class


We wanted to disable some "Generic Object Services" such as attachment list / create attachment, so that certain users are not allowed to see the attachment. We achieved it using SGOS to substitute the standard service class with our own class, then using the "CHECK_STATUS" method.

 

Now everything works fine. The set of users who are not supposed to see these attachments also includes developers. These users have access to debug mode and can change values at run time and change the behavior of the class method.

 

So we removed the authorization for changing variable values in debug mode. But this blanket ban does not work, as in certain cases they need to change values in debug mode.

 

Can someone advise whether we can stop developers from changing the values of variables in a particular class method, or do we need a redesign of our solution?

 

Re: merge PFCG menu at user level


Hi Sai,

 

You can create a composite role RoleAB using transaction PFCG and assign the roles Role A and Role B in the Roles tab, then click on Save.

And in the Menu bar of this composite role you need to copy the menus by clicking on Read menu.

The menus of Role A and Role B will now be in a single composite role, and this composite role RoleAB can be assigned to the user instead of assigning the single roles Role A and Role B.

 

Regards,

Laxman Gaddam

Re: User passwords at CUA setup time


The data existing in the central system is kept then.

 

Thanks, but what if:

  1. the user does not yet exist in the central system? Do I have to make all values the same in XYZ1 and XYZ2 before pulling them into CUA?
  2. the user exists in the central system, but his telephone number field is empty (without a value)?

Re: Disable change authorization in debug mode for single class


ACTVT 02 (change variables) supports the object name and package, but ACTVT 01 (system debugging) does not as those programs override almost everything and the calling program does not matter anymore.

 

But... if your developers need to permanently have debugging access to production then that is a different problem and you probably have much bigger ones than unauthorized display to GOS objects.

 

If this has been going on for a long time, then you probably have a big can of worms there... (in the organizational and change management sense...)

 

Cheers,

Julius


Re: Disable change authorization in debug mode for single class


PS: Look to see who has object type FUGR with ACTVT 16 as well.

 

That is also the same as SAP_ALL actually, as remote FMs don't check your authorizations and update FMs are not meant to check any auths.

 

In the same way, the debugger does not check application authorizations (such as changing an account number or setting sy-subrc to 0 after failed checks).

 

In both cases you can control at the object name level, but you cannot effectively control at levels such as org. fields and document types etc.

 

--> Remove debugging from "normal" operational authorizations. Throw it over the fence into a controlled emergency use concept.

 

Cheers,

Julius

Re: Disable change authorization in debug mode for single class


Hi,

 

They can also go straight to the DB table using SE16 and get the attachment from there. Right?

 

Honestly, the case where they really need to have access to change values in the debugger should be so rare that you can handle it as an exception. Whenever they need it they can submit a request and they will get it for a limited time. As Julius said, if they need it on a daily basis then they are doing dodgy stuff.

 

Macros could not be debugged. So you could wrap your logic into a macro and try to prevent easy change of sy-subrc with this technique. It seems that the new debugger allows macro debugging (I haven't tested it), so you can't use this trick anymore. Not that I would advise using this trick.

 

I think every change of a value in the debugger gets logged in SM21, so I would have a look there at how often it happens in production.

 

To summarize, a developer who is allowed to change values in the debugger is unstoppable.

 

Cheers

Re: merge PFCG menu at user level


Hi Balaji,

 

What Laxman said is correct: you need to follow the composite role strategy, so you have the menus of both roles, and in the authorizations page you can also see all the auth object values relating to both roles.

 

Mj

Re: SU25 UPG ENHP : how to find modified roles?


Hi Bob

 

The SU25 screen or table PRGN_STAT will show the last date the job was executed. Also, for the Step 2A entry for preparing tables, you will see whether it has been run when the release number is the same as the current release.

 

Step 2A automatically updates SU24 (USOBT_C and USOBX_C) where SAP via SU22 (USOBT and USOBX) has made a change but the customer has never maintained the transaction/application in SU24. I find "prepare tables" misleading, as it is actually making changes to SU24 and not putting them in a transport for you to easily identify. If the contractor ran this step you will see their user ID against changes in the USOBT_C/USOBX_C and USOBT_CD/USOBX_CD tables. This step will not require a transport.

 

Step 2B will show the rest of the transactions/applications where SAP did make a change in SU22 but the customer has also maintained them. In this case, the customer has to review each transaction and decide whether they want to adopt the SAP proposals. SU24 is embedded within the SU25 screen: if you make a change and press save you will be prompted to add this to a transport. Again, refer to the same tables as for SU24 for identifying changes. You should be able to rerun this step and see any transactions left to maintain (not sure if it relies on the PRGN_STAT timestamp).

 

Step 2C relies on execution dates in the PRGN_STAT table. If you have rerun Step 2A you may no longer see the impacted roles. Roles appear in this list if a transaction from Step 2A or 2B exists in the role menu. If you re-ran Step 2A you can either modify the PRGN_STAT table and back-date the data, or execute program SU2X_COMPARE_ROLES_WITH_DEFLTS and back-date to when the contractor left.

 

For the yellow authorisation status: AGR_FLAGS gets a FORCE_MIX setting to identify the roles that need to be adjusted. If the contractor ran SU25 their ID will most likely appear against it and most likely give you the full list.

 

As far as SU24 goes, that link just calls transaction SU24 and no other action is taken. It's only there to provide a cockpit for maintenance. Don't worry if the contractor clicked that link.

 

Message was edited by Colleen Lee: incomplete sentence. After "I find the "prepares tables"" added: "is misleading as it is actually making changes to SU24 and not putting them in a transport for you to easily identify."

How to read user name - SAML2


Hi,

I've configured our NW Gateway system (NW 7.31) with an external identity provider via SAML2, so our web apps (Web Dynpro and SAPUI5) are now accessible to people who don't have an account in our SAP system but have access to our other (non-SAP) system. My question is: how can I read the user name of this user, authenticated and authorized on the external server, in the ABAP code of our web apps?

 

Many thanks for an answer. Jiri

Re: Disable change authorization in debug mode for single class


Thanks Julius,

 

We are trying to achieve this in a test system, not in production. In production we have a controlled emergency use concept, where developers can have debug change authority only in case of emergency. But the issue is that it's a different team in a different geographical location. They are allowed to have access to attachment services as well; we are not. When the client is copied, the attachments are also copied to the test system.

 

Will explore more based on your suggestions.

 

Thanks.

Mrugesh.

Re: SNC: Problem implementing SNC on a system with multiple instances


Hi Philip,

 

Did you specify "SAP/Kerberos<SID>@<DOMAIN>" literally, or did you replace it to keep the info private?

 

If the latter, you at least forgot to hide the SID completely ;-)

In your case I would have expected to see something like

CN=SAP/KerberosEQ1@<YOUR_AD_DOMAIN>

 

To my knowledge a system uses the same service principal for all instances. However, the config has to be created for each one, just as outlined in your document.

 

Regards,

 

Patrick


Re: HR-Security: Restriction at PSA/Orgkey(VDSK1) wise


Hello Julius,

 

Thanks for leaving the ball in my court.

 

Yes, it's a new requirement; let me explain clearly.

 

We have 3 types of users in SAP-HR:

 

1) HR Admin

2) Time Admin

3) Payroll Admin

 

Here, we restricted the above users based on their PAs (Personnel Areas).

 

Ex: P_ORGIN

Authorization level : * (as per business requirement)
Infotype            : (as per business requirement)
Personnel Area      : 1002
Employee Group      : *
Employee Subgroup   : *
Subtype             : *
Organizational Key  : * (and this is the same as PSA)

 

Note: the Org Key value and the PSA value are the same in my system.

 

As of now, the above format exists in my system, and for example one payroll admin can see other employees' details under his Personnel Area. I mean to say that here the org key = *, so one PSA person can see another PSA person's details; to avoid this we can put the PSA name here instead of "*".

 

In my organization there is no structural authorization concept.

 

Kindly let me know if you need more on the same. I would really appreciate any prompt responses. Thanks.
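The effect described in this post, as an added illustration that is not code from the thread or from SAP: a constructed Python model of how P_ORGIN field values are matched against an employee's infotype 0001 data, with the weak authorization (org key VDSK1 = *) beside the corrected one (VDSK1 limited to the admin's own personnel subarea). Employee records, personnel subarea codes and the infotype/AUTHC values are constructed sample data.

```python
# Constructed model of the P_ORGIN check discussed above; not SAP code.
P_ORGIN_FIELDS = ("AUTHC", "INFTY", "SUBTY", "PERSA", "PERSG", "PERSK", "VDSK1")

def field_matches(allowed: str, actual: str) -> bool:
    """Authorization field comparison: '*' covers any value, else exact match."""
    return allowed == "*" or allowed == actual

def p_orgin_allows(auths: list, request: dict) -> bool:
    """True when at least one P_ORGIN instance covers every field of the request."""
    return any(all(field_matches(a[f], request[f]) for f in P_ORGIN_FIELDS)
               for a in auths)

# Constructed employee master data (the infotype 0001 fields P_ORGIN looks at).
# Org key VDSK1 is filled with the personnel subarea, as in the post.
EMPLOYEES = {
    "E1": {"PERSA": "1002", "PERSG": "1", "PERSK": "DU", "VDSK1": "0001"},
    "E2": {"PERSA": "1002", "PERSG": "1", "PERSK": "DU", "VDSK1": "0002"},
    "E3": {"PERSA": "2000", "PERSG": "1", "PERSK": "DU", "VDSK1": "0001"},
}

def profile(vdsk1: str) -> list:
    """Payroll admin for personnel area 1002; only the org key value differs."""
    return [{"AUTHC": "*", "INFTY": "*", "SUBTY": "*", "PERSA": "1002",
             "PERSG": "*", "PERSK": "*", "VDSK1": vdsk1}]

WEAK_PROFILE = profile("*")       # as currently set in the post
FIXED_PROFILE = profile("0001")   # org key limited to the admin's own subarea

def visible_employees(auths: list, infty: str = "0008",
                      subty: str = "0", authc: str = "R") -> list:
    """Employees whose basic-pay record (infotype 0008) the user may read."""
    out = []
    for pernr, rec in EMPLOYEES.items():
        request = {"AUTHC": authc, "INFTY": infty, "SUBTY": subty, **rec}
        if p_orgin_allows(auths, request):
            out.append(pernr)
    return out

if __name__ == "__main__":
    print("VDSK1 = *    :", visible_employees(WEAK_PROFILE))   # ['E1', 'E2']
    print("VDSK1 = 0001 :", visible_employees(FIXED_PROFILE))  # ['E1']
```

With the wildcard org key the payroll admin of subarea 0001 also reads E2 in subarea 0002; restricting VDSK1 closes that gap while the personnel area check still excludes E3.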

Re: How to read user name - SAML2


Hi Neuzil,

 

What do you mean by user name? sy-uname gets filled just as with every other authentication method.

 

Regards,

 

Patrick

CUA Company address specific for each child system


Dear colleagues,

 

We have a CUA model with two child systems for two companies. The company address is specific to each system because each company has its own system.

 

So I have set up a standard address in the parent system and standard addresses in both child systems, synchronized, and so on.

 

The SCUM setting for Company is Local.

 

Now I would expect that when I create a new user in the parent system, the standard address is assigned but not distributed to the child system; the child-system-specific company address should be assigned there instead. But CUA distributes the parent system standard address into the child system, and the user is created in the child system with the standard address from the parent system.

 

My questions are:

  • Did I miss some customizing?
  • Is it a program error or is it standard behaviour?
  • If it is standard behaviour, is there any possibility to change it (BAdI)?

 

We run on SAP_BASIS 731 SP5.

 

thanks in advance

 

Igor

Re: How to read user name - SAML2


Hi,

 

I assume that you have one service user that is used to execute gateway services and you map every external user to this user. I don't think that you will be able to get the original user. I am not even sure if the identity provider passes this info to the service provider. I guess it issues an authentication token for your service user only.

 

Cheers

Re: How to read user name - SAML2


Hi,

Thanks for the reply. I think sy-uname will contain some default communication user, but I need the user name used for authentication on the non-SAP portal. Scenario:

 

WD app on Gateway -> user clicks on logon -> redirected by SAML2 to the non-SAP portal -> user logs in with a user name and password existing in the non-SAP system -> redirected back and logged in to the WD app on Gateway: I need the user name which the user used for logging in to the non-SAP system.

 

Thx Jiri
