Hi Nagaraju,
Than to make it complex, I think it is better to create a new role of required T-codes and add that role in the complex role.
Regards
Sudhir Sadhu
↧
Re: create single role copy of composite role in sap security
↧
Re: create single role copy of composite role in sap security
Hi Nagraju,
I Do agree with above.
As per your requirement create a new role for the required transactions..
Regards
Naveen
↧
↧
Is it possible to exclude selected user ids from a CUA system?
I want to exclude couple of user ids from CUA system and those ids need to be maintained locally in respective child systems.
Please let me know if there is any possibility for doing this?
↧
Re: Is it possible to exclude selected user ids from a CUA system?
No, once CUA is active the create/change button in SU01 is disabled in child system.
↧
Re: Is it possible to exclude selected user ids from a CUA system?
Thanks Sunil.
↧
↧
Audit Trail for T-Codes
Good Morning,
I would like to know what T-Code or Table would allow me to search by date for any End-User who used a specific T-Code say like EA24? Also, would this T-Code allow me to view the Contract Account number or Billing Document that EA24 was performed on?
↧
Re: Quick question about SAP Security analyst responsibilities
Great news. 
↧
Re: Is it possible to exclude selected user ids from a CUA system?
NO, users can not excluded from CUA administration , however, functions in su01 you can maintain locally or globally for all the users.
Cheers
↧
Re: create single role copy of composite role in sap security
Hi Nagraju
As mentioned by Sudhir & Naveen you will have to create a new role.
This can be done in two steps.
Step 1 Menu creation
You need to add the transactions from the 30 old roles to the new role (wait with the new transaction until step 2 is done)
In the menu of the new role you can import the menu/transaction from the 30 single roles to new single role
If the menu is not on the composite role then pick the menus up from the single roles to the composite role and import the menus. You can now use the old composite role to copy from.
select the menu/ transactions needed for the new roles menu and transfer them..
Step 2 Authorization generation
If the SU24 is correct you only need to generate the roles authorizations and add the organisational levels.
OK if this is not the case then you need to import the profiles from the single roles into the new role.
Go into the authorization tab and start with change authorizations
Here you have the option for inserting authorizations from existing profiles related to the single roles.
It's still a job to be done, but far from as long as comparing authorizations objects in 30 roles manually in cut&paste mode.
When the role's authorization is generated you can add the new transactions you mentioned and see what SU24 suggest when changing the authorizations again.
Enjoy :-)
BR Niels Knuzen
↧
↧
Regarding SUIM Transaction code
Dear Friend,
Apology if I am asking a wrong question in a wrong place.
Issue-->In "COMPLEX SEARCH CRITERIA" field in SUIM transaction code if we enter a role by default it is giving the end date of that role as 31.12.9999 even if the user role already expired in 01.01.2014 which we can see in Transaction code SU01.
Appreciate if anyone help me out ,if there is any other possible way to search in SUIM Tcode which helps me to see the exact date of the expiry for a particular role or is there any other Transaction code where I can see the exact expiry date of a role.
Thank you very much in advance.
Regards
Mrutyunjaya Tripathy
↧
Re: Regarding SUIM Transaction code
What is the value reflected in AGR_USERS...? Secondly check what do you see in USR02...?
Nabheet
↧
Re: Regarding SUIM Transaction code
Hi,
Yah You are right! unable to view the role valid and end dates 
May be we can check table level!
However check the same, if not use the table AGR_USERS
double click - check the details
↧
Security Audit Log is not active (0170)
Hi guys,
I am configure "Security Optimization Service Analysis" in solution manager.
In the report section 6.1.8 Security Audit Log is not active (0170) I get the next messages:
Evaluated Risk - High
Recommendation to customize the Security Audit Log.
Settings:
·,,Activate the profile parameter rsau/enable.
·,,Set the profile parameter rsau/selection_slots to its maximum value of 10.
·,,Activate the profile parameter rsau/user_selection
Filter:
·,,Use one filter to log critical events for all users in all clients.
·,,Use other filters to log everything for critical users such as SAP* and support users, including FireFighter users.
·,,Use the remaining filters to log events in special cases.
All settings of profile parameter and filter already exist.
For configuration used this link http://scn.sap.com/thread/3298688
Any body knows what else you need to configure that a report would not show the risks of paragraph 6.1.8?
↧
↧
Re: Security Audit Log is not active (0170)
Hi Mikhail
that topic looks perfect! If you've applied all settings , you just need to make SOS repeat the service collection data and the message should disappear
Regards
a
↧
Re: Security Audit Log is not active (0170)
Hi Andrea,
I did collection data with trx st14
With these parameters:
- BS List personal data (N/Y) | Y
- BS List profiles (N/Y) | Y
- BS User for SAPNet R/3 Frontend | <SAP_UserID> - my s-user.
and send to my solman.
Also I did all steps in solman, but result the same.
↧
Re: Security Audit Log is not active (0170)
weird
can you paste here screenshots of your static/dynamic config in sm19 and results of rsparam spool?
↧
Re: Security Audit Log is not active (0170)
Hi Mikhail
Did u activate the profile (CTRL+F3) ??
Cheers
↧
↧
Re: Regarding SUIM Transaction code
Hi,
This is a program error. Refer SAP note - 1674178 - SUIM RSUSR040 incorrect results when searching for a field. If you are on a old SP level, ensure to update it.
Regards,
Raghu Boddu
↧
Re: create single role copy of composite role in sap security
Hi Niels,
The option # 2 might not be appropriate as it doesn't get the role menus when you include profiles. So I still recommend option # 1, and while maintaining authorizations, the values can be validated with the AGR_1251 and AGR_1252 tables.
These two SAP Notes might be useful to address issues while importing the menus:
679050 - PFCG: Merging and combining authorizations
1486866 - PFCG: Error when merging composite role menus
Regards,
Raghu Boddu
↧
Re: create single role copy of composite role in sap security
Hi Raghu
It is not two options I described.
You must not separate the two steps from each other.
BR
Niels Knuzen
↧