Real time scenarios on SAP security

November 22, 2018 | Author: Surendra Ponnaganti | Category: C (Programming Language), Object (Computer Science), Areas Of Computer Science, Technology, Computing

Q. I am creating a role for IMG customizing. SU53 is asking for other t-codes as authorization values for S_TCODE when I hit a failure. I do not want the status of the traffic light to change to “CHANGED” by adding the t-code directly to S_TCODE. Any input?

A. The status of the traffic lights will always be CHANGED if you change the proposed values. You can add the values to a manually added instance of S_TCODE if that helps. Also, have you used the concept of “Customizing Roles” for IMG config? Those might also help.

Q. One thing to note here: once you specify a parent role, there is no way to delete the relationship. You would need to delete and re-create the child? However, I created a master role and derived a child role from it and then deleted the relationship successfully through the button “Delete Inheritance Relationship”. But once I removed the relationship it cannot be re-established between the same master and child role. Could you please help me in understanding your lines?

A. You are right and my words in the post were confusing. As you mentioned, you can indeed delete the relationship. Right now I am not sure what I exactly meant by my words. I might have meant that if you want to create a role as a child, you would need to create the relationship right at the very beginning. You cannot add a parent if the role already has t-codes added in its menu. Anyway, I just deleted the line you quoted as it was giving wrong information.

Q. Can you please tell me how to assign or delete a single transaction code from multiple roles using an eCATT script?

A. You would have to add or remove one t-code at a time and then save the role and get out of PFCG. Think of the series of steps that you would be doing to complete this series of actions.

Q. “Even now, it’s technically feasible to directly modify authorization profiles but is strongly discouraged from SAP.” Can you tell me what the dangers of this are? There were occasions when investigating what role I should assign to a user who could only state what transaction code they needed, that I would initially not find it in a role using the transaction code search on S_BCE_68001425, but if I searched via Auth Object S_TCODE on ‘Selection according to authorization values’, I would find the transaction had been directly assigned to the profile?

A. For quite a few years now SAP has advocated maintaining roles instead of profiles. Maintaining roles is much simpler when SAP is doing the lifting and generating the profiles. Profile assignments also cannot be end dated. So you cannot get profiles to expire. S_BCE_68001425 is the report for displaying roles. Anything you pull up through it is a role and not a profile. The S_TCODE results just mean that some roles have t-codes maintained at the object level rather than in the menu. This is not the same as maintaining profiles directly.

Q. I want to give one role to 5 users that contains two transaction codes, but I want to restrict one user to access only one transaction code by giving the same role. How do I do that? Could you please help me?

A. Is this an interview question? Unfortunately a lot of the time interviewers ask questions which are either not applicable in real life or are examples of rank bad design. So I cannot help you on this one. A role should be considered to be a container of permissions (t-codes/authorization objects/etc.) which is mapped to a set of actions that a user would be performing in the SAP system. If a person needs a different set of permissions he should be mapped to a different role.

Q. Need to do SAP HR automatic assignment of roles to users according to a staff position, when applying for a job. Are there any ready-made solutions that need revision, or Z?

A. As far as I understand the question, you want to assign a particular role to users who apply for a particular job? At this point I don’t remember how SAP represents the event of applying for a job. If it’s via an OM relationship, you can assign the role to the job object, and update the US_ACTGR evaluation path to look for the relationship when running the user compare for indirect org assignment. There is another post on the site which talks at length about the entire concept of “indirect role assignment via OM structure”.

Q. Could you please suggest some good role naming conventions for single roles and composite roles?

A. No client I worked on used a remotely similar naming convention. You are free to use any convention that makes sense to you. Letter codes identifying functional area, composite/single, derived/master, display or change activities, and organizational levels are commonly included in the name.

Q. While using SU01, when we assign any role and press enter, profiles are automatically called in the Profile tab. But if I assign all profiles related to one role and press enter, why is the role tab not getting updated? If I assign profiles only, will the user get access? If yes, then what is the exact advantage of role assignment?

A. Maintaining roles through PFCG is much simpler than directly modifying profiles. You can assign roles with validity dates but not profiles.

Q. There is a Z transaction for a Z program and the object related to this program is maintained in SU24. But the interviewer told me that the user who is assigned the Z transaction role doesn’t have the object related to that. But still the user is able to execute the t-code. I asked him if PFCG automatically pulled the object from SU24; he told me he has deactivated the object but still
user is able to execute the t-code successfully without any error. How is this possible? Can you explain?

A. There was no authority-check statement for the object in the code for the Z program. SU24 by itself doesn’t help to check an object during program execution.

Q. Suppose I want to give authorizations to 2 company codes, sales organizations. In this case where do I have to give these two? In org. levels or in authorizations?

A. Since these are org levels, I would suggest updating them in the org level section. This way any object using these fields will automatically pick the org level values.

Q. Organizational Levels… do they get added to roles because of the transactions and/or objects added? If I were to remove objects and auths from a role, would I also be removing Org Levels from it? I guess I do not understand the relation between roles and Org Levels, and how they appear on some roles?

A. All Org Levels are also authorization fields in at least one authorization object. So if you remove an auth object from a role which contains an org level field (either by deleting the object or removing the t-code which had pulled it in the first place), you would be impacting the org level list as well. In such a case, if the role doesn’t have any more objects with the particular org level field, you will no longer see it in the org level list inside the role.

Q. There is one more sub type under org level: Account type. Can you explain about it?

A. There are quite a few org levels in the SAP system. Different clients also configure org levels according to their security requirements. I would suggest using the field technical help (button F1) and trying what you can find.

Q. Do you know in which table I can find the text description of org level fields? For example, I know WERKS is for plants. Similarly I need to find descriptions for some more org levels?

A. Please refer to the tables USORG and USVAR. They have the data you need.

Q. How can we figure out what company codes, plants, etc. exist in the system to assign in the role with reference to functional modules such as FICO, MM, PP, SD? And if I assign a company code with a plant value to the org field, would the user only be able to access that particular plant or plants in such company code? Or do we have to do something else here to restrict a user?

A. Check the assignment of org levels under SPRO. The nodes under Enterprise Structure > Definition and Assignment tell about the different values of org levels created and the assignments between them. Ideally this information should come from your functional team as they are responsible for building the enterprise structure of the company.

Q. Recently I created a parent role, added an auth object manually which pulled Plant and ACTVT, as the auth field Plant was an Org Level too. I maintained the Org Levels as they were red and set the value of Plant as *; immediately the value * was filled for auth field Plant and everything was green and I saved and generated and clicked on the push button for values to be inherited to the entire child. In my experience, previously too, I have done this exercise; I used to change all the child roles for their org levels. And immediately I got into edit mode in PFCG Authorizations. The Org Levels dialog used to pop up EMPTY for me to define org level values for, say, plant, company code etc. As per relevance, I used to maintain specific org level values and not *. But this time, nothing was red in the child role; rather, when I checked the Org Levels, it had also inherited the * value for Plant, Company Code. I was surprised, because I never saw such behaviour of inheriting * in org levels in the child role too. I am very sure that in the parent I maintained Org levels as *, not the manually added auth object plant as *. I also tried reproducing the same case in test roles, and again in the child, org levels were automatically inherited as *. The main relevance/difference of the org level concept is that we can set org levels in the child role and the rest of the auth objects are inherited from the parent.

A. For an org level which is not maintained with any values at the child/derived role level, values will be copied from the parent role when you try to push the values from it.

Q. Is there any way to search an existing role via organization level?

A. I have trouble understanding the question. The AGR_1252 table gives the org level values mapped to roles if this is what you need.

Q. Is there a report that details Org Levels by role that can be used to check build?

A. You don’t need a report. Just use the table AGR_1252.

Q. Is org. level mightier than the fields of auth. objects? Ex.: I define Company Code in auth. object field 4711, but define the company code under org. level “*”; which one overrides whom? Is it something like “Central govt. law breaks the law of a state govt.”? In our case, org. level breaks the auth. field? Will be pleased for your position?

A. The company code value defined at auth level will prevail, and other auth values for the same company code which are unmaintained at auth level will fetch data from the Org level. But maintaining the company code at auth level in the parent role will cause all the derived roles to inherit the same for that particular object irrespective of the org level values of the derived roles.

Q. Let me know the reason for not adding ACTVT as an org level? I think it’s because any t-code addition will come with the S_TCODE object by default?

A. Changing ACTVT to an org level would mean that all activity values in a role will have the same values. That doesn’t make sense at all.

Q. How can you change an org level to a field level?

A. SAP provides a standard program PFCG_ORGFIELD_DELETE for this purpose. But be very careful before you use this program.

Q. Restrict user access to Site/Plant data based upon certain criteria. Let’s just say the user has a parameter in a custom table. This is their assigned Plant/Site. They should only be able to access this Plant’s data. The Role I am using is SAP_PM_WOC_ORDER_PROCESS with specifically the Auth Object I_SWERK. I guess I want the place I also put my code to validate the plant also. We have not implemented an org structure and have no plans to do so?

A. SAP’s way to implement this is by using the org levels within roles. So you can maintain the restricted value of the plant in the user’s role, and as long as the transaction in question actually checks I_SWERK, you are all set.

Q. Can org fields be converted to normal fields? If yes, how do we handle it?

A. Search for ORGFIELD* in SA38.

Q. We have around 4000 Profit centers in our organization. The client requires authorizations based on Profit centers only. Please let me know if creating RESPAREA as an Org Field through PFCG_ORGFIELD_CREATE is the better option, or creating a new role with auth object K_PCA only with the required restrictions and attaching it to the users along with other roles is best practice for maintenance purposes in the long run?

A. The answer would depend on how many separate groupings of cost centers and business roles you would need. Also, do you expect requirements to keep changing even after the initial build? Also, would a single role have the same level of access to all the cost centers it would have access to? My thoughts would be to promote RESPAREA to an org level as it sounds like one in your enterprise structure. However, even after conversion to an org level, this field poses its own challenges.

Q. Suppose there is a role change, e.g. maintaining plant values & company code restriction or addition. How will a developer know whether to change Org level values or to change the values in a particular object (meaning Activity), because the same Plant & Company codes also exist in Auth Objects? Could you please brief on this aspect?

A. Good coding practice dictates never to hard code field values in your programs but always to use variables.

Q. I have a situation in my current project. This is a small data cleanup project. As this organization is separated from a big enterprise, in the new system remain many unused org levels existing from the older parent organization. Now the task is to remove these unused org levels from the system. From the security side there are a few tasks. 1. Kindly let me know how to remove the unused org levels from the roles and users? 2. Kindly let me know how to remove the unused org levels and authorization fields from the system, tables etc.? 3. Kindly let me know how to differentiate or list the unused and used org levels from the system?

I will be waiting for your reply every minute from now. You are my life saver. Please explain to me how to proceed with this small project as I am totally new and have a huge responsibility on me to take it forward. After reading your post I have got good hope that you will help me. The ultimate task is that the security person should restrict view for all identified purchasing organizations/sales organizations/storage locations in the development client?

A. What you just mentioned is a small consulting project and not just for security. It will be a collaborative effort between the business owners who identify the obsolete org values, the functional team who update the config entries in SPRO and finally the security analyst who removes obsolete org values from roles.

Q. How to find who and when a field got promoted or demoted to an Org field? Do any such tables exist in the SAP BW system?

A. You can check the table logs for USORG and USVAR in case you have table logging active in your SAP environment.

Q. What happens when we manually add an Auth Object to a role? Why is it not recommended by SAP?

A. Manually adding an auth object is certainly possible but discouraged as there is no trace about why the object was added. The better option is to update the SU24 entry for the transaction which would need the object and pull these into the role through expert mode generation.

Q. What do you mean saying “SAP doesn’t pull the object during authorization maintenance in PFCG if the t-code is added to the role”, and what is the impact of not doing so?

A. I was trying to explain the impact of the different check indicators for a t-code while adding it to a role. For an object maintained as Check Ind – Check, Proposal – No, the object will not be inserted into the authorizations for the role even if this t-code is added to the role. Hope this helps.

Q. Discussing the tables USOBT and USOBX. I was wondering what the difference between these two tables is. When I checked these tables in the system, I see that the USOBT table has additional columns like authorization field and authorization value when compared against the USOBX table. Is that the only difference, that USOBT also has additional columns giving more details about the objects of the t-code? Could you elaborate your thoughts on it?

A. Open the SU22 entry for a particular t-code and also display the entries for this same t-code in the two tables. You will get your answer. One of the USOB tables stores the check indicators while the other stores the default values for objects.

Q. Adding a check in SU24 will have no impact on security unless the code is modified as well to include a check for the authorization object?

A. You create your own ABAP report ZREPORT_TEST to display FI data and create a t-code ZREP to call the program. You get a requirement that only people with activity 03 (display) for the authorization object F_BKPF_BUK can run the report for the company code values maintained in the role. To achieve this it won’t be enough to add F_BKPF_BUK in the SU24 entry for ZREP. You would also need to add an authority-check statement in the code to actually check for the object. Hope this makes sense!

Q. How does the SAP system treat check indicator “C” maintained in SU24 while working with actual functionality through a transaction (example: SU01 here)? Supportive conditions: (C: will not be available in PFCG for maintenance) (CM: will be available in PFCG for maintenance) (Authority checks are coded in the program as per SAP standard; we will consider standard transaction SU01 for this discussion). Scenario: User: ZUSER. Role assigned to user with values inside: Z_ABC. T-CODE: SU01. Objects: S_USER*. Transaction SU01 has many objects linked with “CM” (example: S_USER*) and many with “C” (example: S_DEVELOP). So could you please explain when exactly the system checks S_DEVELOP for user ZUSER when this user will be working with SU01? And if it does somewhere and it passes the user with functionality (without stopping the user from going ahead) even with a failure as the user does not have S_DEVELOP, what is the difference in maintaining them with “check” or “no check” in SU24 (is it not more convenient to simply have objects which are “CM”/maintainable in PFCG in SU24)?

A. A few things to keep in mind for all SAP default check entries as seen in SU24. The check entry defaults are certainly not set in stone. SAP can and often does make mistakes in their default values which users are supposed to catch and modify according to their needs. The check indicators are meant for ease of maintenance when adding the t-codes to the roles. Unless an underlying check for the corresponding authorization object is present in the ABAP code for the t-code, no amount of fiddling with the check indicators is going to help. The only exception

to the above rule is to mark an object as do not check. An object marked as do not check will not be needed by the user even if there is an “authority-check” for it in the program. Finally, the difference between check (C) and check/maintain (C/M). SAP sets an object as C/M if these objects are checked in the code and hence needed by the user while executing the basic functionality of the t-code, for example the S_USER* objects present for SU01. The objects marked as check (C) are ones which might be checked while executing some of the more uncommon menu paths for the t-code. For example, SU01 has a check for PLOG. However, this object will only be checked if you are trying to use PFCG for indirect role assignment through Org Management. Hopefully I have been successful in clearing your doubts. Personally, I consider SU24 to be one of the bedrocks on which the subsequent administration of security is based. So it’s very important that every one of us security consultants has a solid understanding of each of the different settings in it.

Q. What’s the process when we decide to not check/maintain for an existing authorization object? Does someone have to go back to the code and remove the authority-check statements? Or does it not matter for deactivation?

A. Since we are talking mostly about standard t-codes and standard objects, there is really not an option of removing authority-checks at the code level without a core mod. However, you can selectively switch off the checks for non-Basis and non-HR objects. To switch off the authority checks, you need to set the check indicator value for the object to do not check.

Q. What happens when we put the status of an authorization object as No Check, but in the program it is checked through an AUTHORITY-CHECK statement?

A. When an auth object is marked as do not check in SU24, this will actually override the authority-check statement. The authority-check statement is still executed like any other statement but the sy-subrc value is returned as 0 (zero) even if the user doesn’t have the object in the user buffer. Please note that you cannot set HR and Basis objects to do not check.

Q. In the SU24 t-code, for example, if a user has access to the SU53 t-code (access to authorization objects like S_DEVELOP, S_USER_GRP, S_USER_AGR & S_USER_AUT), and I have changed the check status to No for authorization object S_DEVELOP. After changing the status the user still has access to S_DEVELOP. What could be the reason? Why is the user getting access? What are the steps we need to do after changing the check status for objects?

A. Maintaining SU24 and maintaining authorization values in roles are two very different things. Don’t confuse the two together.

Q. I have the following question about the USOBX_C table: If a custom transaction ZNEW is created and the developer includes an authority check on, let’s say, F_BKPF_BUK, what happens

if you do not make a new entry in the USOBX_C table with SU24? When the program checks the USOBX_C table and finds nothing, does it check on the built-in auth object by default? If so, that would mean that you could decide to not transport the SU24 changes to production if you never change anything in the check indicators but only add custom transactions with their objects for role building purposes (and role maintenance is only done on development). Correct?

A. The check indicators in SU24 (USOB tables) are only meant to help with role maintenance. If there is an authority check at the program level, the object would need to be present in the user buffer for a successful execution of the program. The only exception to this rule is when you add an object as do not check in SU24. In such a case, the SU24 entry will override the authority check at code level.

Q. Is it possible to use custom t-codes without maintaining them in SU24? Is it mandatory to maintain custom t-codes in SU24? If YES, ok. If NO, where can we see the authorization objects associated with those custom t-codes, other than SE93?

A. You should only think of updating SU24 for custom t-codes when the underlying program checks for the objects. Otherwise updating SU24 wouldn’t make sense.

Q. In a new implementation SCM system, I see that the SU25 steps don’t have any execution dates in Steps 2A, 2B, 2C & 2D. However, the customer tables USOBX_C & USOBT_C are already having values. I thought these tables should be empty and would be filled up only after I execute those steps. The number of entries in USOBT is 35,333 whereas the number of entries in USOBT_C is only 34,912. 1. Why do we have values in USOB*_C tables when SU25 steps have not been run yet? 2. Should I run these steps for a new implementation?

A. For a new installation, you should only need to execute step 1 – “Initially fill the customer tables”. This is the step which pulls data into the USOB*_C tables. Are you sure no one has done this yet? The fact that there is already data in the USOB*_C tables seems to indicate so. The difference in number can also be explained if some support packs were installed after running Step 1. I think you can run Step 1 again if you want to sync with the current SAP-delivered data. You don’t need to run the rest of the steps. Remember that in future upgrades, you don’t run Step 1 but start with Step 2 onwards.

Q. Since I cannot show you the SU25 screenshot here, I am writing down the screen prints.

    Installing the Profile Generator                                      00:00:00
    1. Initially Fill the Customer Tables                05/10/2010 17:43:48   DDIC
    Post process the Settings after Upgrading to a Higher Release
    2A. Preparation: Compare with SAP values             10/17/2005 17:32:31   DDIC
    2B. Compare Affected Transactions                    00.00.00
    2C. Roles to be Checked                              00.00.00
    2D. Display Changed Transaction Codes                00.00.00
    Transport Conn.
    3. Transport the Customer Tables                     00.00.00

Since the dates are showing as old (2010 & 2005), is it possible they are having old t-codes and authorizations and thus it becomes imperative to run SU25?

A. In a fresh installation, the only thing to ensure is to check that the client tables are filled up. The rest of the steps are not needed. I would think just running step 1 would work for you. However, if you want to go ahead and run the rest of them it’s fine too. Just make sure that you do this in a pre-production environment, generate the affected roles and transport the new SU24 entries once you are done.

Q. Is there any way to mass upload the users?

A. LSMW, SECATT, BAPIs.

Q. How does report RSU22DOWN help in going back to an earlier version? I ran this program in my system and I get nothing as an output?

A. The RSU22DOWN program is meant to download the SU24 tables to a text file. If it’s not downloading you might not be following the correct steps. Do a web search; the SAP help article on how to use the program is in the first few search entries.

Q. Do roles which are showing in RED status need to be generated before transporting?

A. You should not transport roles with unmaintained values for authorization objects. So just ensuring that roles are green won’t be enough, as a role with unmaintained values can still be generated.

Q. I have executed t-code SU25 Steps 2A to 2D in an ECC 6.0 system and then remediated the affected roles with user assignments generated from Step 2C in the DEV box. Now the client says do not transport the changes, i.e. Step 3, but transport the affected roles to the QA system. My question is, will the remediated roles work in the QA system without the customer table?

A. The customer tables need to be transported as well. Otherwise the full impact of the SU25 changes will not be experienced in the QA or Prod environments.

Q. Two questions regarding step 3. In the ECC system we changed the SU24 table manually and moved the changes to quality but did not use step 3. Quality testing is almost completed; should I transport the changes through step 3, and if done will it impact quality? Scenario 2: BW system, no changes in SU24 so did not move to quality. Testing in quality is completed; should I move the changes through step 3?

A. If you have already moved the custom tables manually, re-transporting them through SU25 is not necessary. You can verify that the latest changes are in QA by comparing the table values with DEV.

Q. SU25 step 2A. Would you happen to know if step 2A transfers data? After executing step 2A, it looks as though the data was altered in tables USOBT_C and USOBX_C. After doing some research, I thought 2A just compared the tables USOBX and USOBT with USOBX_C and USOBT_C. Any input would be appreciated.

A. Step 2A is not a read-only step; it does write data into the custom tables. After running the comparison between the standard and custom table values, only if SAP determines that there is a conflict are the entries displayed in 2B; otherwise the updates occur in 2A. This post talks at length about what's happening behind the scenes.

Q. Explain the user buffer and the t-code to access the buffer. Do we have a role buffer as well in SAP?

A. The user buffer stores the authorizations assigned to a particular user. The transaction to view your user buffer is SU56. I have not come across the term "role buffer".

Q. How do we clear SU53? I.e., if the user is facing an error and has provided SU53, how can we know which error the user is facing and how can we clear it? Could you please explain with an example?

A. The SU53 transaction by design only shows the last authorization check failure for a user. If you suspect that there might be multiple authorization failures for a single transaction, please use the security trace (t-code ST01) for the user under test. It will give you a list of authority checks faced by the user and can be used to troubleshoot complicated security scenarios.

Q. I have a problem with SU53 screenshot checking. After getting an SU53 screenshot from the customer, what do we need to check in it, and how do we find the solution from that screenshot? For example, I have uploaded one screenshot:

  Evaluation of Last Failed Authorization Check of User LSUWESTJ

  User Name               LSUWESTJ
  Authorization Object    V_KNA1_VKO
  System                  ECP
  Client                  500
  Date                    23.09.2011
  Time                    10:31:07
  Instance                pfecpa3
  Profile Parameter       auth/new_buffering   4

  Authorization check failed
    Object Class          SD           Sales and Distribution
    Authorization Obj.    V_KNA1_VKO   Customer: Authorization for Sales Organizations
    Authorization Field   ACTVT  Activity              01
    Authorization Field   SPART  Division              81
    Authorization Field   VKORG  Sales Organization    8000
    Authorization Field   VTWEG  Distribution Channel  81

  User's Authorization Data LSUWESTJ
    Object Class          SD           Sales and Distribution
    Authorization Object  V_KNA1_VKO   Customer: Authorization for Sales Organizations
    Authorization         T-ED49123900 Customer: Authorization for Sales Organizations
    Profile               T-ED491239   Profile for role TV_GLB_ECC_CD_0002_ORGL
    Role                  TV_GLB_ECC_CD_0002_ORGL   PF:Customer/Vendor Master Maintenance (Central)
    Authorization Field   ACTVT  Activity              01, 02, 03, 05, 06, 08
    Authorization Field   SPART  Division              01, 41
    Authorization Field   VKORG  Sales Organization    1000, 3000, 4001
    Authorization Field   VTWEG  Distribution Channel  01, 41

A. In the first portion of the SU53 screenshot above, the SAP system is checking for object V_KNA1_VKO with the values given. The next portion of SU53 (below "User's Authorization Data LSUWESTJ") shows the authorizations for the same object that are present for the user. The check fails as the exact values checked by the system are not present in the user master.

Q. Is it possible to see the end user's SU53 screen in the SAP security consultant's system? The end user and the security consultant are on the same server. Is it possible? How?

A. There is a button in the toolbar of the SU53 transaction which allows you to switch users.

Q. How can we judge or confirm that the screenshot (SU53) sent by the end user is his last authorization failure? Are the date and time the only way, or is there another option?

A. The SU53 screenshot is designed by SAP to return the last authorization failure for a user. However, basing your analysis on SU53 can be misleading in a large number of cases. An ST01 trace is a much better bet in such cases.
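The failed check in the SU53 dump above and the ST01 return codes (0, 4, 12) that come up later on this page follow one rule: a check passes only when a single authorization in the user buffer covers every field being checked; values are never pooled across authorizations. The script below is an added example, not the blog's code and not anything SAP ships. It reproduces the LSUWESTJ values from the dump and adds a constructed second user, DEMO2, whose buffer contains every value the check asks for, split across two authorizations, which is why that check still returns 4. The authorization name T-ED49123900 comes from the dump; Z_SALES_1000 and Z_SALES_2000 are made up.

```python
"""ABAP AUTHORITY-CHECK simulation against a user buffer (added example, not
from the original Q&A or SAP). Return codes follow the sy-subrc convention
that ST01 reports: 0 = success, 4 = object in buffer but no single
authorization covers all checked values, 12 = object not in buffer."""
from dataclasses import dataclass

RC_OK, RC_VALUES, RC_NO_OBJECT = 0, 4, 12


@dataclass
class Authorization:
    name: str      # authorization name, e.g. T-ED49123900
    obj: str       # authorization object, e.g. V_KNA1_VKO
    fields: dict   # field -> list of values: "01", "*", "Z*" or (low, high) interval


def value_covers(allowed, value):
    """One maintained value covers a checked value (SAP semantics: '*' full
    authorization, trailing '*' generic value, (low, high) interval compared
    as strings, otherwise exact match)."""
    if isinstance(allowed, tuple):
        low, high = allowed
        return low <= value <= high
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return value.startswith(allowed[:-1])
    return allowed == value


def authority_check(buffer, obj, check):
    """Return (rc, failures). `check` maps field -> checked value; object fields
    not listed are not checked (like DUMMY in ABAP). `failures` lists, per
    authorization in the buffer, the fields that authorization fails to cover."""
    candidates = [a for a in buffer if a.obj == obj]
    if not candidates:
        return RC_NO_OBJECT, {}
    failures = {}
    for auth in candidates:
        missing = [f for f, v in check.items()
                   if not any(value_covers(a, v) for a in auth.fields.get(f, []))]
        if not missing:
            return RC_OK, {}          # one authorization covers every field
        failures[auth.name] = missing
    return RC_VALUES, failures


# Buffer of LSUWESTJ as shown in the SU53 dump: one authorization for V_KNA1_VKO
LSUWESTJ = [Authorization("T-ED49123900", "V_KNA1_VKO", {
    "ACTVT": ["01", "02", "03", "05", "06", "08"],
    "SPART": ["01", "41"],
    "VKORG": ["1000", "3000", "4001"],
    "VTWEG": ["01", "41"],
})]
# Values the system checked ("Authorization check failed" part of the dump)
SU53_CHECK = {"ACTVT": "01", "SPART": "81", "VKORG": "8000", "VTWEG": "81"}

# Constructed user: two authorizations, each covering a different org unit
DEMO2 = [
    Authorization("Z_SALES_1000", "V_KNA1_VKO",
                  {"ACTVT": ["03"], "SPART": ["01"], "VKORG": ["1000"], "VTWEG": ["01"]}),
    Authorization("Z_SALES_2000", "V_KNA1_VKO",
                  {"ACTVT": ["03"], "SPART": ["02"], "VKORG": ["2000"], "VTWEG": ["02"]}),
]


def explain(rc, failures):
    """Human-readable verdict in the style of an ST01 trace line."""
    if rc == RC_OK:
        return "RC=0: authorized"
    if rc == RC_NO_OBJECT:
        return "RC=12: object not in user buffer (no role grants it)"
    return "RC=4: object present, values not covered -> " + "; ".join(
        f"{name} lacks {','.join(fields)}" for name, fields in failures.items())


if __name__ == "__main__":
    print(explain(*authority_check(LSUWESTJ, "V_KNA1_VKO", SU53_CHECK)))
    # Every value exists somewhere in DEMO2's buffer, yet the check still fails
    print(explain(*authority_check(DEMO2, "V_KNA1_VKO",
                                   {"ACTVT": "03", "SPART": "02", "VKORG": "1000", "VTWEG": "01"})))
    print(explain(*authority_check(DEMO2, "S_TABU_DIS", {"ACTVT": "03"})))
```

The DEMO2 case is the one SU53 cannot tell you about: the screen lists the user's authorizations for the object, and a reader who scans the combined values will find every checked value present; only walking each authorization on its own, as the system does, shows the failure.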

Q. I included SE11 in a development role assigned to one user, which should have ACTVT 01, 02 (create and change). But running SU53 for that screen, the error shows that ACTVT 03 (display) should be included in the S_DEVELOP object. How can I restrict 03 (display) for that development role? Where do I need to change the default value in S_DEVELOP?

A. SU53 is often misleading. Try a trace in ST01. Also, giving change/create in S_DEVELOP without display doesn't make much sense.

Q. I have an issue with SU53 not recording the last authorization failure. I created a user with no authorizations, logged in with that user, executed a transaction, and it says the user has no authorization to use that transaction. Then I logged in as a user that has authorization to execute SU53, switched users to the user that doesn't have any authorizations, and it didn't show any authorization failures. Any idea what the problem may be? I've never seen SU53 not work.

A. So SU53 doesn't work at all in the system? In such a case you can investigate the profile parameters which control SU53. If it's just for the one case you mentioned, then I am not sure about the problem. But would you ever actually face this problem in a real scenario?

Q. List the return codes of ST01 with their descriptions?

A. I have come across three return codes. There might be others as well; not absolutely sure.
RC = 0: Check for authorization successful.
RC = 4: Check for authorization unsuccessful. The user has the authorization object in his user buffer, but with different values than what are checked.
RC = 12: Check for authorization unsuccessful. The user doesn't have the authorization object in the user buffer.

Q. Can you explain the general filters?

A. I use the general filters in ST01 to capture the trace for a single user. I am sure there will be other uses as well.

Q. Explain what "same application server" means and where we have to select this in tracing. Could you provide a screenshot, if possible?

A. You don't choose the app server in the ST01 transaction but via SM51. SM51 will allow you to check which app server a user is logged in to. You then do a remote login to the same server via SM51 and run the trace.

Q. Explain to me how to use the trace analysis screen to arrive at missing authorizations using RC?

A. The options on the trace analysis screen are meant to filter the total data returned by the trace tool. A security failure would be indicated by a return code other than 0.

Q. We can use SM50 to jump to other servers, right? If we want to use the ST01 t-code?

A. You can use SM50 to jump to different servers. However, you would still need to enable the security trace in the servers individually.

Q. What is the difference between SU03 and SU21?

A. SU03 is meant for updating authorizations, while SU21 is meant to update authorization objects. Ideally you shouldn't have to modify authorizations at all.

Q. "Roles by Complex Selection Criteria": search for roles with access to the transaction SU01 and the authorization object S_USER_GRP, so that beginners can get good knowledge of SUIM?

A. Think of all the SUIM reports as a very user-friendly select statement, where the selection conditions you enter are part of the where clause in the query. For searching with S_USER_GRP, just put this object in the authorization objects section, enter the group name and execute the report. You should get a list of roles with this user group maintained in S_USER_GRP.

Q. Which table gives the user's assigned t-codes?

A. You will have to combine user_agr with agr_tcodes.

Q. LSMW doesn't work properly with methods that have branching logic, ALV grids and tree structures?

A. If you read through my post, I have mentioned that LSMW and SECATT each have their own features. Also, the post is targeted at security consultants who might need to use these tools for automating their daily tasks, and not so much at experts who use SAP tools to load data as part of conversions.

Q. Can it be put to practical use if the users are on SSO, since we get lots of password reset requests? Or else, please suggest some SAP standard solution for password reset requests?

A. First of all, I am not an expert in the configuration of SSO for a system. There are different flavors of SSO being used by different clients, so I would suggest looking for the specific tools that are available for your implementation. Standard SAP security tools probably won't work as the users are not directly logging in to the backend at all.

Q. In this case, does ZSU01 call the same program as SU01? What entries do we have to maintain in SU24 for this t-code? In short, I want to understand how the authorizations are maintained for this customized t-code.

A. Any transaction variant calls the same program screens as the original t-code and would need the same auth objects to be executed. You can certainly add these objects to the SU24 entries for the new t-code (ZSU01 for instance) for easier maintenance. However, manually adding the objects to the role with ZSU01 will also work.

Q. In a maintained transaction variant, can we give multiple options like display, lock, unlock, edit?

A. You basically need to disable all the menu options in the transaction being recorded which you do not want the user to access.

Q. Is there a risk in not having an authorization group assigned (&NC&)? Or does the table also need privileges via S_TABU_DIS / S_TABU_NAM (value 02) before they can edit the table?

A. It's a best practice to maintain an auth group for tables. I don't remember what the auth group on the TBRG table is, but it will certainly be checked when you try to maintain it. Since the introduction of the S_TABU_NAM object, securing individual tables is now easier than it was with S_TABU_DIS.

Q. We have some tables in a production system which don't have an auth group assigned; these are Z tables. The question is, how could we remediate the problem, since the auditors need a solution for that?

A. You can just go ahead and assign auth groups for them. Also, when you try to look up tables with no explicit auth group, the system actually checks if you have access to the auth group &NC&. If you can make sure that no one has access to this group, the auditors would be happy, I think.

Q. How do I get this switch enabled? Currently the table shows blank output, i.e. I can't see any switch active.

A. You need to open the table in SM30/SM31 and create the entries you need. By default the table is empty and the system behaves as per the default values. You will need to create entries for PRGN_CUST. As delivered it is blank.

Q. What I'm interested in is the value-roles approach. What about your experience with creating different roles for transactions (S_TCODE), "common objects" and org levels, and assigning a set of these roles to a user, knowing that the object will be provided by the additive auth buffer?

A. I just started on a post about value roles. It should be ready in a few days. However, I will confess that I am somewhat skeptical about the efficacy of value-role-based security design, so you might find the article just a bit biased.

Q. How are you doing? Will you please answer one of my questions? If you assign a role to a user, he executes the role without problem, but my question is: the user is executing a t-code but he gets a particular screen with missing tabs. How could we solve this problem?

A. If you are getting access to the t-code but some options are missing, there might be subsequent security checks which are failing for the user. Use the security trace (transaction ST01) to investigate the missing access. There is a post on this site which mentions the details of how to use the security trace.

Q. I want to add a new auth object to a parent role which has about 20 child roles due to company codes and sales orgs. I have changed the parent role with the new object, generated it properly with the red-white beach ball, and then transported it to QA. But in the target (QA) system, all the child roles had red lamps in the authorization tab, which were previously green! What happened? I would be pleased for your advice.

A. The entire concept of the lights in the authorization tab turning green/yellow/red is controlled by the timestamp of the role and profile. Did you generate the child roles (push authorization values) after inserting the object in the parent? Ideally both the parent and child roles should have been generated, and the roles and profiles of all of them should have been transported to QA.

Q. Can you tell me the correct way after we have made a change to the org level values of an existing derived role?
1) After making org level changes, we GENERATE the profile for that derived role there. Then go again to the master, click on Generate Derived Roles, and then move them both in a TR?
2) After the org level change, we only SAVE the derived role and do not generate the profile. Go to the master role, click on Generate Derived Roles, and transport both in a TR?

A. Both of the two processes will work. The important thing to remember is to ensure that you click the Generate Derived Roles button from the master. Also, if you create a transport for a derived role, SAP automatically includes the master in your transport.

Q. If we change the value of organizational levels in derived roles, will it affect the parent role, or will there be some error?

A. Nope. Org level values are supposed to be updated in the child roles.

Q. I am working on master and derived roles; I have updated the activities in the master role and pushed the changes to the derived roles. Now I need to carry the changes to the production system. Do I need to transport all the derived roles or just the master roles to production?

A. You would need to transport both the master and the derived roles.

Q. There is a requirement from the business to add and remove a t-code only from 1 derived role out of the 5 derived roles present for a parent role. Is it possible somehow to achieve this?

A. It is possible to add a t-code in a derived role separately. Process:
-> add the S_TCODE auth object in the derived role
-> under this object add the t-codes which you want to add (in the TCD field)
-> after that add all associated authorization objects manually
-> maintain the field values as per your requirement
-> save the role and generate the profile

Q. I have a query regarding role transports involving parent and derived roles.

1. I know that when we transport derived (child) roles, the parent role gets included in the transport. This, I understand, is the SAP standard process. Would it be possible to provide more information related to the SAP standard process regarding this? A link to refer to would definitely help.
2. Due to the inclusion of the master (parent) roles we end up getting a lot of transport collisions. We have approximately 100-150 child roles per master role. As a result, though there might be no actual changes on the master role, and maybe only an org level update on the child roles for different locations, we still have to look at a lot of transport collisions due to changes for different locations.
My questions are:
1. If we remove the parent/master role from the transport, would it cause any issues? Would it also affect the inheritance in any way or cause any authorization issues later on?
2. Also, will transporting only the master role and then deriving the child roles work in the above scenario?

A. Unfortunately I don't have a link to "official" documentation talking about the transport process. If you are updating org levels, you shouldn't have to touch the master roles at all. Just update the affected child roles with the new values and generate these roles individually. Even if the masters are automatically included in the transports, there won't be collisions, as the same master roles with the same timestamps would be included in all the transports containing the master. I don't believe it's a good idea to remove the masters manually from the transports.

Q. I am implementing the master/derived concept for HCM at present and I have an issue with the P_ORGINCON authorization object. It would be very useful to create one master role and then control child roles by PERSA and PROFL so that different structural auths can be assigned for certain "areas" of the organizational structure, e.g. with PERSA restricting by location and then PROFL by business stream (cutting across the org structure). At present I have the option of:
a) entering all values in PROFL in the master role and relying on table T77UA being well maintained to only allow a single, appropriate profile to be brought through for each user;
b) leaving PROFL blank in the master and maintaining the values individually in each child role after every update of the master role.
Can you advise if it is possible or advisable to set up PROFL as an organizational level data value via PFCG_ORGFIELD_CREATE so that it can be maintained alongside PERSA? What issues do you foresee in doing this?

A. It all boils down to your requirements. I have used both PROFL and PERSA as both org levels and normal authorization fields in different systems. The one problem that sometimes comes up with PROFL as an org level is when the same role has different structural restrictions for different info-types.

Q. If PROFL is set as an organizational value, you state that you had issues if more than one structural profile is used in the same role. But isn't the problem only that you cannot control this from the organizational tab? In the question there is a statement that it would be possible to leave PROFL as * and then rely on the entries in T77UA. But is it not so that P_ORGINCON uses the profile entered in PROFL and not the profile in T77UA?

A. You can certainly have PROFL as * in the role and control the actual assignment via the OOSB entries. Whether to promote it to an org level is a decision based on your design of the roles.

Q. Explain the process of transporting a composite role?

A. While transporting composites, the system offers you the option of whether you want to include the single roles making up the composite in the new transport. Unless the singles are new or have been changed since their last transport, you can just transport the composite role.

Q. I have defined a new role and added it to a composite role, but when I try to generate a transport request, it shows me 2 check boxes. Which one(s) should I set so that the other single roles keep their settings?

A. In this case, it will be necessary for you to transport the single role (since it is a newly created one) as well as the composite role (after the addition of the new role). So mass transport has to be used, and only the second check box has to be checked.

Q. Difference between composite and single roles in PFCG?

A. Single roles are a collection of authorizations (t-codes/authorization objects), while composite roles are collections of single roles. A composite role doesn't contain any authorizations by itself, but is the sum total of the authorizations of the component roles. There are different buttons on the PFCG initial screen for the creation of composite and single roles.

Q. Is a mass generation option available for composite roles, like we use to perform mass generation of single roles?

A. A composite role doesn't have a profile. How will you generate a role without a profile?

Q. Does anyone know how to assign a composite role in a CUA parent system? It exists in PFCG but not in SU01; text comparison is not working as it's a parent system.

A. You would still need to do a text comparison for the role created in the CUA central system. But you do this from PFCG > Environment > CUA text comparison for the central system.

Q. Explain the tabs in creating composite and single roles, like Description, Roles, User, Personalization?

A.
1. Composite role
Description: the area where you enter details of changes done, for better understanding in the future, e.g. the addition or deletion of a role.
Roles: this contains all the single roles a composite role contains. Any number of single roles can be added to the composite role.
User: this is the list of users who have access to the particular composite role.
2. Single role
Description: the area where you enter details of changes that are done, e.g. new org values updated.
Menu: the list of transactions that a single role has access to.
Authorization: here, by clicking on "Change authorization data", the org values (like plant, company code etc.) can be updated or removed. This tab also contains the profile name (the profile is generated after the org values are updated).
User: this contains the list of users who have access to the particular single role.

Q. If we have roles in the ECC system and also in BI and CRM, my question is: can we map these roles into a composite? If yes, how does it happen?

A. You can map roles from multiple SAP systems to a single composite. However, you need to search on the web for the actual steps.

Q. Value roles, in my view, are an outdated concept. The way I am aware of it is a little different: transactions are maintained in one role with all objects maintained except for those involving orgs. Org-related objects are maintained in separate value roles. This limits the control you can have from a security point of view, as once you assign a value role it combines with all the transactional roles and gives access at that level throughout. So if you want to restrict some roles at a lower level for that org, that becomes difficult. Derived roles are a much better solution, period?

A. I agree with the gist of your thinking. The article doesn't specifically mention putting only the authorization objects with the org levels into the value or enabler roles. I propose to update the post to specifically include this. Also, as you mention, derived roles are a much newer and, as I too believe, better concept. However, there are quite a huge number of functional builds which still use value roles. Security in general seems to follow the paradigm "if it's not broke, don't fix it", so getting business buy-in to update a system with value roles to derived roles will prove to be difficult for most of the security consultants out there. And surprisingly, even new builds still continue to use the value role concept. With the proper amount of documentation and foresight, value roles (enablers, controllers) can still be used effectively and result in much smaller roles to maintain. For example, I have seen hybrid systems where the value roles themselves are derived from a master so that the non-org-level fields are shared across a multitude of roles.

Q. I created an MM role, but there are objects required which are FI (asset posting). Our consultant says it is not possible to add those because it will cross into another module. But my client needs it to continue their transaction. I checked in SU53 and it is checked with no proposal. Do I need to add it to the role, whereas my client's function is limited?

A. There would always be auth objects of different classes in a single role. There is just no way out of it. Many MM t-codes which deal with materials posting would need access to the FI objects which control posting.

Q. I'm in a major implementation where, in our scenario, we have around 200+ plants, and it seems that we would have a huge number of roles if we follow the master/derived concept. For example, the PM module has sorted out 7 master roles, so if we create roles for every plant then we would have around 7*200 = 1400 roles for PM only. The same situation is common for most of the modules. So I think this transaction/value-based role approach would solve our problem, but it's complex, as you said. What do you recommend? How should we go about building the security role architecture?

A. I would still go with derived roles, because long after your implementation is over, the derived roles will be far more manageable than the transaction and value roles/enabler roles. A lot of the tasks involved in creating derived roles can be automated by the use of LSMW or SECATT scripts. You can even work with your ABAP team to help create code for updating org level values. Using enabler roles will lessen your development time if you decide to have one or two enablers per module (like PM) instead of the 7 roles you already have. However, this would mean that users get far more authorization objects than they need to execute the t-codes that they have access to via the transactional roles. If down the road you need to limit access, you would find it difficult to remove the appropriate objects from the enablers.

Q. Instead of using SE16 in the production system we use SE16N, and we also assign it to users requesting access to tables. Can you please help me understand the technical difference between SE16 and SE16N, other than that one is used to change/maintain a table and the latter for display only?

A. SE16N is the newer version of SE16 and comes with more options. For example, I believe you are limited to 40 selection fields in SE16, while there are no such limitations for SE16N. The biggest difference (especially on systems without the latest service packs) is the use of the &SAP_EDIT option in SE16N. This option can actually allow a user to directly maintain a table in SE16N without going through maintenance views. Since this feature can be and often is misused, SAP has come up with corrections to disable this in the latest service packs.

Q. Object S_DISP_NAM does not exist in ECC 6.0?

A. S_TABU_NAM? The object was introduced in one of the service packs, so if you are still running an unpatched system, the object might not be available.

Q. Is there any disadvantage in using the S_TABU_NAM authorization object?

A. Nope. But you would need to know each table that you want to restrict.

Q. Why is it not possible to have more than 1 view/table per attribute? Or is it possible and I am missing something? This is the error I get when I try to add new entries in the table fields.

A. I can confirm that SAP will not allow you to enter multiple tables/views at this step. If you are concerned with a small number of tables, you can think of creating a separate org criterion for each of them.

Q. Can the object S_TABU_LIN be used for SE16N and SE17? Once given for table access, can it restrict values in SQ00? Can you provide a solution for the same? I also need a solution that covers lots of tables in one go. Any help will be appreciated.

A. I don't believe you can use a single org criterion for multiple tables unless you are activating it for all tables where a field is present. Once activated, it should work for SE16N and SE17 as well. For SQ00, whether S_TABU_LIN is checked will depend on how the underlying info-set is designed. An info-set created on a single table or a table join should check for S_TABU_LIN and the rest of the basic table security.

Q. What is the SQVI t-code used for? Explain the functionality?

A. It is used for creating quick reports based on table joins or info-sets. Ideally the use of SQVI should be limited in the production system, as it is a resource hog and a wrongly written join can affect performance pretty drastically.

Q. [question not preserved in the source]

A. You are correct. Address data (name/email etc.) cannot be modified using SU10. Also, it's very easy to mistakenly keep one or more of the options in any of the different tabs checked and unwillingly modify a large number of user masters.
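Putting together the answers above on authorization groups, &NC& and S_TABU_NAM: generic table access is checked in a fixed order (S_TABU_DIS on the table's authorization group, where a table with no group counts as &NC&; S_TABU_NAM on the table name only if that fails), and that order is exactly why an ungrouped Z table is reachable by anyone whose display role happens to carry &NC&, and why assigning a group is the remediation. The model below is an added example, not the blog's code and not SAP's; the tables ZMATERIAL, ZCONFIG and ZPRICE, their groups and the two role buffers are constructed, and S_TABU_CLI and S_TABU_LIN are left out.

```python
"""Generic table access decision in the order SAP Note 1481950 describes:
S_TABU_DIS on the table's authorization group first (a table with no TDDAT
entry counts as group &NC&); only if that fails, S_TABU_NAM on the table name.
Added example, not code from the original Q&A or from SAP. Tables, groups and
role buffers are constructed; S_TABU_CLI and S_TABU_LIN are not modelled."""
NC = "&NC&"

# Constructed TDDAT-style mapping (table -> authorization group). ZCONFIG and
# ZPRICE have no entry: the situation the auditors flagged in the Q&A above.
TDDAT = {"ZMATERIAL": "ZMM"}
Z_TABLES = ["ZMATERIAL", "ZCONFIG", "ZPRICE"]

# Constructed user buffers: (object, field values) pairs
DISPLAY_NC = [("S_TABU_DIS", {"DICBERCLS": [NC], "ACTVT": ["03"]})]
PRICE_MAINT = [("S_TABU_DIS", {"DICBERCLS": ["ZMM"], "ACTVT": ["03"]}),
               ("S_TABU_NAM", {"TABLE": ["ZPRICE"], "ACTVT": ["02"]})]


def covers(values, value):
    """SAP value match: '*' full authorization, trailing '*' generic, else exact."""
    return any(v == "*" or v == value or (v.endswith("*") and value.startswith(v[:-1]))
               for v in values)


def table_access(buffer, tddat, table, actvt):
    """Decide access to `table` with activity `actvt`; returns (granted, reason)."""
    group = tddat.get(table, NC)                      # ungrouped table -> &NC&
    for obj, f in buffer:                             # step 1: S_TABU_DIS on the group
        if obj == "S_TABU_DIS" and covers(f["DICBERCLS"], group) and covers(f["ACTVT"], actvt):
            return True, f"S_TABU_DIS on group {group}"
    for obj, f in buffer:                             # step 2: S_TABU_NAM on the table name
        if obj == "S_TABU_NAM" and covers(f["TABLE"], table) and covers(f["ACTVT"], actvt):
            return True, f"S_TABU_NAM on table {table}"
    return False, f"no S_TABU_DIS for {group} and no S_TABU_NAM for {table} with ACTVT {actvt}"


def reachable_via_nc(buffer, tddat, tables, actvt="03"):
    """Audit: ungrouped tables the user reaches only through &NC&, i.e. tables
    that assigning a group the user does not hold would close off."""
    hits = []
    for t in tables:
        if t in tddat:
            continue
        grouped = dict(tddat, **{t: "#AUDIT#"})      # hypothetical group nobody holds
        if table_access(buffer, tddat, t, actvt)[0] and not table_access(buffer, grouped, t, actvt)[0]:
            hits.append(t)
    return hits


def remediate(tddat, table, group):
    """The fix the auditors ask for: assign an authorization group (SE54 / TDDAT).
    Returns the updated mapping without touching the original."""
    return dict(tddat, **{table: group})


if __name__ == "__main__":
    print("exposed via &NC&:", reachable_via_nc(DISPLAY_NC, TDDAT, Z_TABLES))
    fixed = remediate(TDDAT, "ZCONFIG", "ZCFG")
    print("after grouping ZCONFIG:", reachable_via_nc(DISPLAY_NC, fixed, Z_TABLES))
    for table, actvt in [("ZPRICE", "02"), ("ZPRICE", "03"), ("ZMATERIAL", "02")]:
        print("PRICE_MAINT", table, actvt, table_access(PRICE_MAINT, TDDAT, table, actvt))
```

Two things the model makes visible: grouping a table only helps if the group it receives is one the affected users do not hold, so the audit helper tests exactly that; and PRICE_MAINT shows the S_TABU_NAM pattern the answers recommend, where change access is granted to one named table without handing out a whole group at ACTVT 02.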

Q. After saving the changes in SU10, it generates a log. Assume that I have accidentally closed the log display session (without even exporting it); how can I access the log display (the last screenshot in this article) again?

A. You can navigate to Goto > Logs from the initial screen of SU10.

Q. Which format is used for uploading the file? Can you show me a snapshot of the upload file format used with the LSMW script?

A. The file format will differ depending on the parameters you are using in your LSMW script. In the "Specify Files" screen you get an option to specify the file that you are going to use for your load. I use a Comma Separated Variable (.csv) file. To get a .csv file you basically prepare your data in Excel and save the file as .csv instead of .xls.

Q. I am an LSMW user and have 17 programs developed by my IT team. I support master data. But I am concerned that I cannot change the file name in the Specify Files step. Will SAP allow that single step to be maintained by the user without opening the other "Maintain" steps?

A. Just changing the file name will not work. You will at least need to re-execute the rest of the steps (here I am talking about the steps that occur after specifying the file name), as the new data from the new file needs to be read and then converted before being used in the script.

Q. I am having a problem trying to use LSMW to record info-type 0585; this info-type contains a list table within the screen. Whenever I execute the script, the last row in the list table is not captured (I get a message that it is not found in the screen). Is there a way to overcome this?

A. Using LSMW to populate a table is always tricky, as the system doesn't know where in the table the new values are to be inserted. Though I am not familiar with this info-type, I would suspect that a similar situation might have occurred. I am not guaranteeing that you will be able to successfully update it using LSMW. You can try recording the script once again and check that you can actually update the info-type correctly the first time.

Q. How to assign different users and different roles?

A. You are actually trying to assign different roles to different users in mass? There is no t-code to do this. SU10 will add the same roles to multiple users. If you are familiar with ABAP, you can actually create a custom program with the standard BAPIs that SAP provides for user administration. I get around the problem by creating a SECATT script which adds a single role to a single user. If you run this for a list of users and roles you end up solving your requirement. But even this is not a very efficient solution.

Q. When I am recording SU01 for ZUSRCREATE, I am not able to get the PASSWORD field in it, so I am not able to map it with the PASSWORD field in USRDATA?

A. I think there is a problem in your recording. Otherwise it should have been available. Try re-recording, and try resetting the password during the recording session. This will ensure that the screen is captured.

Q. I created an LSMW for user creation; it is creating the user but not assigning the role and user group. But while recording, the values are populated. Even if I hard-code the user group, that value is not populated for the user.

A. Keep trying. A single LSMW script to create users and assign them roles will be tricky to create. I would suggest splitting it into two separate scripts.

Q. While uploading the data, when I run the batch input session (the last step) it takes me to the screen to create the data which I am uploading. The first screen is fine; coming to the second tab, i.e. the logon data tab, the fields are mismatching.

A. The field mapping (the data uploaded to the fields used in the script) is controlled by how you map them in the initial steps of the LSMW script creation.

Q. I tried uploading the data as per the steps mentioned by you. I tested with 2 user records. In step 9 it shows me 2 written entries, but when I check in SU01 I don't find either of the two entries.

A. Difficult for anyone to troubleshoot without actually looking at the script. My suggestion would be to check the recording and also how the read data is being mapped to the screen fields in the recording.

Q. I am using an LSMW script to create users and assign roles. Somehow, the recording is working fine for user creation, except for assigning the role. The role assignment fields are not getting captured in the recording. Any idea why?

A. Nope. I believe you need to revisit the recording, or to check how the input fields are being mapped to the fields captured during recording. I would have serious doubts whether role assignments for any number of roles can be done in the same script as creating a user.

Q. Generation of the program requires an access key. Could the SHDB process be simplified, rather than generating a program?

A. I think you would need an access key if you are using this method. Anyway, you will have to modify the generated program so that it can read and process an external text file. If you don't have an access key, try using LSMW or SECATT to get your job done.

Q. I understand that we would prefer LSMW/SECATT to SHDB due to the access key issue or ABAP coding. However, I would like to know when it would be advisable to use LSMW and when SECATT. Basically, I want a comparison as to which scenario suits which better.

A. It really depends on what you are more comfortable with. Both LSMW and SECATT have their own advantages. For example, to run a SECATT script, the client settings should be modified to allow it. On the other hand, with SECATT it's feasible that you store your scripts in a central system and run them via RFC calls in other systems.

BW/BI SECURITY:

Q. How do I give the &sap_edit option for a particular table?

A. This is not possible. I would recommend that you shouldn't even be thinking about giving &sap_edit to any user at all.

Q. If a user is logging in to firefighter and executing a t-code, and is not able to access it and gets an authorization error, what could be the reason behind it, assuming that the firefighter has SAP_ALL access?

A. I would start with running SU53 when you run into the error while logged in as a firefighter. Lots of SAP functionality is controlled by settings other than standard authorizations. If SU53 looks clean, it might be one of those situations.

Q. Describe the BI architecture and how it relates to your security policies?

A. Searching...

Q. Can you please give me more of an idea (information) about navigational attributes and how we restrict these navigational attributes, with a business (real-time) example?

A. In BI 7, you secure navigational attributes in the same way as you would secure any other characteristic. Whether a characteristic is added to a cube as a navigational attribute or as a base characteristic is totally dependent on the BW developer and the reporting requirements. The navigational attributes are distinguished by an underscore (_) between the name of the base characteristic and the attribute (e.g. 0COSTCENTER_0COMPANY_CODE). Once you have the list of navigational attributes from the BW developer, just add them to your analysis authorizations as you would any other characteristic.

Q. When can we use copy roles?

A. When you want to copy the authorizations maintained in a role to a new role name.

Q. If one IOBJ, 0COMPANY_CODE, is a base characteristic and is also used as the navigational attribute 0COSTCENTER_0COMPANY_CODE, can you please let me know how reporting is affected if we restrict authorizations to certain company codes in the base and the nav? I.e. 1) if I give '*' in the base and some restriction in the nav; 2) if I give some restrictions in the base and '*' in the nav?

A. Both the base characteristic and the navigational attribute of 0COMPANY_CODE will hold essentially the same data in the data warehouse and should be restricted to the same authorization values. I can only accept giving different security values, if the data sources contain different values. You can check with your data loading team if your BW design fits such a scenario. Q. However if both base and nav gonna have same authorization values, then what’s the significance in making nav as authorization relevant? A. In some design scenarios your proposal might work and even lead to less maintenance. Now, think about a scenario where you maintain 0COMP_CODE with values: (colon) and the actual company code values. The navigational attribute for company code is not auth relevant. You will  be able to run your queries with any value of company code and defeat any security restriction for company code that’s in place. Q. what is the main purpose of attribute tab in RSD1? A. Like the name suggests, the attributes tab list the attributes for an Info-Object. Attributes can  be of two types – display attributes and navigational attributes. The navigational attributes of an Info-Object can be auth relevant and this is set in this screen. Q. If I maintain 0comp_code as: with actual company codes and the nav 0COSTCENTER_0COMP_CODE with few company codes, the user will be able to see data only for company codes mentioned in nav? A. Yes, as long as 0COMP_CODE is in free characteristics for the query. Q. How are RSA1 and RSD1 different? What exactly can we do in RSD1? A. RSD1 is used to maintain Info-Objects while RSA1 is the Admin Workbench can be used to administer the entire data model (including Info-Objects). Q. In portal a user is trying to fill his subordinate time details. But he is unable to do that. 
It is showing error “You don’t have access to IT2003” But when I check in backend system the user is having the authorization to info-type 2003 with Read access and with type I(Inclusive). Can you please provide the authorization missing for the user? A. Lots of things to check here. The comment on type I (inclusive) indicates that you are talking about P_PERNR. P_PERNR authorizations will only come into play when a user tries to access his own HR record. For others you need to look at P_ORGIN (CON), P_ORGXX (CON), etc. You mentioned subordinate’s time. So are we talking about a manager updating time for subordinate? In such a case, are structural authorizations switched on? Does the manager have access to the subordinate through PD profiles? Does the application need read or write access to IT 2003? The user needs P_PERNR with the value of E with Write access on info-type 2003. Q. If a user’s refresh icon is grayed out what does this mean?

A. It might mean a lot of things depending on context. It can mean that there is no connection to the SAP system or that users don't have execute access for the query.

Q. I have given full authorizations for all fields in S_RS_COMP and deactivated S_RS_COMP1 or vice versa. Will the user be able to execute the query?

A. Both S_RS_COMP and S_RS_COMP1 are needed to execute BEx queries.

Q. I have a BW production environment that is totally closed for editing. It is correctly configured in SE06 and SCC4. However, I can edit queries (by using BEx Query Designer), DTPs, info-packages and process chains. How can I avoid editing queries by using Query Designer? Do I have to create an auth. object?

A. Editing queries is controlled by 2 main objects, S_RS_COMP and S_RS_COMP1. Search the documentation for either of them at SAP Help and you will get enough pointers on how to restrict modification of queries in any environment.

Q. How to differentiate workbooks and query reports?

A. The query is really a design view of the characteristics/key figures which make up an InfoProvider. A workbook on the other hand is the formatted result of one or more queries. To execute/refresh a workbook you would need access to all the underlying queries and the Info-Objects in them. OR: A query is the technical definition of the report structure. A workbook is an Excel file in which one or more queries can be embedded. You can refresh the workbook after connecting to the BW system, and the query in it will be refreshed and populated with current data. The reason for creating workbooks is that using the same query, different report formats can be saved for future reuse. Also users can set up their own report formats and save them as workbooks in their favorites.

Q. How to restrict two users' reports at BI role level/authorization object level? We need only display access. How to restrict the users at BI level?

A. Query creation/display/change is controlled by the S_RS_COMP authorization object. Feel free to browse through the rest of the articles on BW.

Q. I'm new to BI security. The new concept allows us to separately secure the navigational attributes used in an InfoProvider. For example, the authorization object 0COSTCENTER can have different security when it appears as an Info-Object in an InfoProvider and when it appears as a navigational attribute for another Info-Object. In the old concept, both these cases would have the same security?

A. You would need to understand the structure of Info-Objects and how Info-Objects are used in InfoProviders to understand this statement. You can look at the attributes of Info-Objects in transactions RSA1 or RSD1. Otherwise it's difficult to appreciate how Info-Objects differ from their navigational or display attributes.

Q. I want to know how we handle a scenario in which a user needs to be given access to display one field in the query but another field is not included in the output. Will using : (colon) solve the issue?

A. Whether colon (:), i.e. authorization for aggregates, will work is determined by the design of your query and whether any restriction for the field is being used. I can think of a few cases below:
- Field not included in query: colon authorization will work.
- Field included in query but part of the free characteristics: colon authorization will work.
- Field included in rows of the query, no restriction: colon will not work. You need * to give access.
- Field included in rows of the query and the field is restricted to a particular value: colon will not work. Both * and the actual restricted values can be used to give access.

Q. We have over 65 info objects which are marked as authorization relevant. So whenever we create an authorization in analysis authorizations, we need to individually select * for all the objects to which we want complete access. Normally all we need to control is access to a couple of info objects, but we end up declaring * for the remaining large number of info objects. It is very time consuming. One way is to do a housekeeping of the authorization relevant check of all the info objects which need not be part of security. Is there any method to consider only info objects of interest?

A. I can think of two options to reduce maintenance. Firstly, if you are not securing any of the 65 characteristics, you can revisit the decision of whether you really need them to be authorization relevant. If they don't need to be auth relevant, switching off the auth relevant flag in RSD1 will save entering them in analysis authorizations. Secondly, you can create a single authorization with all these 65 characteristics which do not need to be secured. Maintain all of them with * access and use this authorization for all users (maybe through a common role?). Now you need to only create authorizations for the info objects which you really want to secure.

Q. We are trying to restrict the user with cost center and we have added EQ xxxx. We also maintained another row with EQ colon (:). Now when we assigned this cost center to the user he is still able to access the other cost centers. Do you want us to remove the colon (:) and then try, or is there any other way to restrict the cost center? Note we have also maintained the hierarchy structure.

A. Authorization values are intrinsically related to the query design and the input values while running the query. A colon (:) for cost center would allow you to run an unrestricted query on cost center as long as cost center is not part of the rows section in the query design. So first check the query design and then the requirements.

Q. We have a requirement where we have to give a particular user access to cost centers (1000 & 2000) and also want to give access to the aggregate value (cost centers 1000-9000). When defining analysis authorizations I gave EQ 1000, EQ 2000 and in another line EQ ":". The user can view the amounts for cost centers 1000 and 2000 and for totals can only see (1000+2000) but not the aggregate $ amount that a user would see with full access. Is this even possible with ":" authorization?

A. Adding colon (:) for cost center should allow you to see the aggregate (totals) value for cost center. However you mentioned that this is not working for you. This might be due to how the queries are constructed. Are you running the queries with cost center restricted to 1000 + 2000? If it's restricted, obviously the totals will also be for these two values. However, also note that in case cost center is present in the rows section of the query, you would actually need the characteristic to be restricted to the two values. Otherwise you will get an authorization error. As long as cost center is in the free characteristics and cost center is not restricted, you should be able to display totals with the : value.

Q. The query itself is not restricting to those particular cost centers. With the analysis authorization object that I created, I can restrict what the user can drill down to with respect to cost center. Our requirement is that the user should see the cost centers they are authorized to + the aggregate value. However, I am able to give them the cost centers they can access; but for the aggregate totals they just see the total for the cost centers they are provided authorizations for. For example, cost center analysis authorization 1: EQ 1000, EQ 2000, EQ :. The user can only see data for 1000, 2000 and for totals the total of 1000+2000. For the total we are expecting that with the colon authorization the user should see cost centers 1000-9000, which does not seem to work. Is there anything our developer has to do to modify the query (with respect to the variable type used), as we are clueless what needs to be done to make this work?

A. The behaviour you are reporting is typical of the case when you do restrict a characteristic at the query level. Can you please confirm that you are not using an authorization variable to restrict cost center at the query definition? If you are using an authorization variable, the query will only pull in data for 1000+2000 during execution.

Q. The query does use an authorization variable for cost center. If we want the aggregate to show up in totals (for the : authorization to work), what type of variable should be used?

A. An authorization variable will just pull in actual values, not colon (:). As a result, you cannot at the same time restrict a characteristic to values and expect it to return data for all cost center values. I can think of 2 options now. Create a new version of the query where cost center is not restricted by the authorization variable. Make sure that cost center is in the free characteristics. This query will not allow you to drill down on cost center. A second option will be to change the first query so that it prompts you for the cost center during execution instead of just running with the authorized values. When you want to drill down you can restrict to actual values. To see totals, you run it unrestricted. I believe you can set up authorization variables so that they suggest the possible authorized values instead of running for all.

Q. Can you please briefly explain about BI security upgrade? I need to use the migration tool (RSEC_MIGRATION). Can you please provide a more proactive approach for this BI security upgrade?

A. I have been involved in a few BW upgrades but nowhere was the migration tool used. I would accept that the tool can get you 80% of the way to a successful migration but the remaining 20% would still need to be manually adjusted. If you decide to go for the tool, make sure you thoroughly go through the SAP documentation around it and check if any manual changes would be needed for you.

Q. Can we use colon authorization and structural authorization at the same time? In our HR system we follow the structural authorization on 0ORGUNIT. And for a particular requirement, I had to create colon on 0ORGUNIT. My question is, will the colon authorization overwrite the structural authorization in this case?

A. Structural authorizations are implemented in BI through a customer-exit variable. So the behaviour will be governed to a large extent by the code that's put in the customer exit. I would suggest you take the help of an ABAP developer to check the code maintained for the exit and see if you can incorporate the colon (:) authorization at that point.

Q. I have 3 custom Z* objects derived from 0EMPLOYEE: ZBASIS, everyone has access; ZPRIV, only certain people have access to sensitive data; ZFIN, only certain people have access to sensitive data. I only turned on the "Auth. Relevant" flag for the three objects, not for the attributes. I put the 3 objects in free characteristics (no variable created). When I drag the three objects from the free characteristics to the report, I get the error message "Not enough authorization". I miss the authorization value "*" for ZFIN and ZPRIV. User 1, who may only see basic data, got: ZBASIS -> "*", ZFIN -> ":", ZPRIV -> ":". User 2, who may only see basic and FIN data, got: ZBASIS -> "*", ZFIN -> "*", ZPRIV -> ":".

A. The error messages that you have reported already give the correct answer. However I will reiterate some of the points. An unrestricted authorization relevant characteristic in the free characteristics of a query would require the colon (:) value for it in an analysis authorization. When you are dragging a free characteristic to the rows area, just the colon will not be sufficient as you are drilling down on the characteristic. Colon is only meant to authorize access to aggregates, not detailed values. In such a case, in addition to the colon you would need to restrict the characteristic to actual values through authorization variables or use (*) for the characteristic.

Q. I've to create more than 500 analysis authorizations (unfortunately this is the only option that we have in our company). Is there a way to create all the authorizations at one time, some mass creation or something similar? I know that I can update them massively, but the options there are very limited. Probably an LSMW could be created, but is there some standard SAP functionality?

A. To my best knowledge there is no standard t-code or such to mass create analysis authorizations in BW. If you can record an LSMW or SECATT script to do the job, I suggest going forward with that. I have used the same technique when I had to create or update analysis authorizations en masse. However, SAP provides an FM, RSEC_INSERT_FLAT_AUTH, which can create analysis authorizations programmatically. You can ask an ABAP developer to write a wrapper program around this to read data from a file and execute this FM with the data.

Q. I have a requirement to restrict specific cost centers from the detail view but the key figure total should contain the value. It would look like this:

Cost center     Amount
75000           $996,853
75010           $354,005
75020           *
75030           *
75040           $6,569,900
75050           $1,567,113
Overall Result  $10,171,981

You can back into the value of the 2 restricted cost centers to be $684,110 but it doesn't show the individual value. I've tried many different configurations but because the security fails on 75020 and 75030 no values are returned, just the failed auth message. Is there any way around this and is the above doable within the BW security paradigm?

A. What you are trying to do can't be done with standard SAP BW security. To show the cost centers in the detail view, you would have to make sure that these values are authorized for the cost center characteristic. On top of this, if you have access to the Amount key figure, it will show data for all the authorized characteristics. The choice you will have to make is whether you want to give access to the two cost center values or not.

Q. I created a role with S_RS_COMP and S_RS_COMP1 and added one report to the role. I have not assigned any analysis authorization in this role or directly to the user. Now when I am executing the query in the system it says you are not authorized for InfoProvider Ztest1 with display access. Now my query is, how can I get the analysis authorization which has the InfoProvider at table level?

A. The RSECVAL table gives you the analysis authorizations already created with the values maintained in them.

Q. For one user, I have a situation where we need to, case 1: give access to let's say personnel areas 1, 2, 3, 4 for InfoProvider 1 for query 1; case 2: personnel areas 1, 2, 3 for InfoProvider 2 for query 2, for the same user. I am thinking this can be solved by creating two analysis authorizations and assigning them to the same user in S_RS_COMP and then adding query 1 and 2 in S_RS_COMP1 in the same role. I can't test it as sufficient data is not available in Dev. Can you please let me know if the solution is OK or if there is any alternate route?

A. Two analysis authorizations would be needed as you mention. However, analysis authorizations are maintained in S_RS_AUTH. The query authorization would need to be added to both S_RS_COMP and S_RS_COMP1.

Q. We have a BI 7.3 security upgrade coming up and currently we are on BI 7.0, however using the reporting authorization concept. Now that we have to move to the new analysis approach, I have a few steps to begin with, but again a few queries on certain steps as this would be the first time I would be working on BI security. Please help me understand what needs to be done here.
Step 1: Activate the authorization mode to "Current procedure with Analysis authorization" in SPRO. My query here is whether this has to be done before the upgrade or afterwards.
Step 2: I hope we need to perform the SU25 upgrade here (not sure, please clarify).
Step 3: Building analysis authorizations: Do we have to activate the 3 special characteristics, i.e. 0TCAVALID, 0INFOPROV? Or are they by default auth relevant?
Step 4: Because we have all the reporting roles in place and working fine, we are thinking of redesigning the data for the queries of these roles to the new concept. Is this fine to go with?
Step 5: While redesigning these roles, we need to check for the InfoProviders that provide data for the queries in these roles and restrict the data accordingly in the analysis authorizations. Now in our case when I analyzed one role which was providing some finance related reporting, I got quite a few info objects that were auth relevant, but I am unable to find out how the data access was provided to these in the existing process as they do not have any custom objects which provide data. What would be the right approach to deal with this? Do I need to consult the BI development team or is there any way I can find out from the system how the user is trying to access data, especially some org field related ones?
Step 6: Restrict access based on either value or hierarchy authorizations. Is this again the BI development team who would be suggesting this to us?
Step 7: Add these analysis authorizations to the role and provide access to the user, test it and move it to further environments.

A. I am very doubtful about how much help I can provide you here. An upgrade from reporting to analysis authorizations is a big event and can prove challenging for seasoned security consultants. My first suggestion is to get some real help from folks around you. Next, look at SAP documentation about the steps involved in an upgrade. This is far too important a subject to base your actions on my website. I will still try to answer a few of the questions.
Step 1: Activate the authorization mode to "Current procedure with Analysis authorization" in SPRO: can be done after the Basis upgrade has been completed.
Step 2: I hope we need to perform the SU25 upgrade here (not sure, please clarify): SU25 is a big subject in itself. It's probably not going to make a huge difference with reporting but ideally SU25 should be performed after each upgrade of the system.
Step 3: 0TCAVALID, 0INFOPROV: check these in RSD1 after the upgrade. I believe you will have to set them to auth relevant.
Step 4: Ideally the upgrade should be transparent to the end users. So queries should remain the same and the roles need to be updated with new authorizations. However, if you have to re-write some queries as part of the upgrade, that's fine too.
Step 5: You need to get some help in how to analyze BW security. This site can provide a start but some of it just comes out of experience. SAP has a good training program for BW security, BW365. Try if you can go for it.
Step 6: Restrict access based on either value or hierarchy authorizations: how does security work currently? Both were supported as part of the reporting authorization.
Step 7: Once the authorizations are built, added to roles and tested, you would need to move both the roles and the analysis authorizations to production.
I will end by re-iterating that if this is indeed your first BW project, get help from someone who has actual experience with an upgrade.

Q. I'm new in SAP BW and I'm in the migration process to the new authorization concept. Here is what is happening: I have a role with all access to company (*) of a provider X. I have another role with restricted access to company (e.g. COMPANY1, COMPANY2 and COMPANY3) of a provider Y. When I assign those 2 roles to a user and access a query of provider Y, I can see all the companies when it was supposed to only see 1, 2 and 3. What am I doing wrong?

A. What does the authorization trace in RSECADMIN say? There might be a third authorization which is resulting in the extra access. The trace will tell you what all is happening behind the scenes.

Q. How to set the authorization relevant flag for 0TCAACTVT, 0TCAVALID, 0INFOPROV in RSD1? In my system I found it in uneditable mode.

A. Do you have security for changing these settings? Since these are Info-Objects, this is better done by a BI developer rather than a security person.

Q. How can we maintain the authorization values in production? The values in the PROD system are quite different from the volumes and data in DEV. I have a requirement to restrict on hierarchy and I might need to change it in the authorization values from time to time, and this can be done only in production as I don't have the same hierarchy in DEV. Can anyone please help on how I can maintain the auth values in the production system directly?

A. If you are using hierarchies, you need to ensure that the hierarchies are maintained the same throughout the landscape or at least the top level nodes are present. Once these nodes are present you should modify your analysis authorizations in dev and transport to prod. Directly maintaining this in production is a very bad idea.

Q. Is there a difference between assigning multiple info objects to the same analysis authorization object, versus assigning each to its own analysis authorization object (other than the obvious need to add one vs. multiple objects to S_RS_AUTH)?

A. No difference in the two approaches except in the design philosophy.

Q. Once an analysis authorization is generated, it will no longer let me modify it. Is there a way to get around this?

A. Maybe you have created access for S_RSEC and S_DEVELOP but not change.

Q. I was wondering if you would know if there is a way to disable the "publish" functionality within the BEx Query Designer in BW 7.01. It appears that although a "reporting" user who has no authorization to save queries (only has S_RS_COMP ACTVT 03, 16, 22) can still open the Query Designer through the Analyzer and still publish a query to whatever role they have listed in S_USER_AGR. I am using S_USER_AGR because the reporting users should still be able to create workbooks and save them to the menu roles.

A. Unfortunately, SAP security doesn't distinguish between saving queries and saving workbooks to a role. And publishing to roles is just another way of saving to roles. I don't think there is any way to restrict publishing queries without affecting the ability to save workbooks to roles. You might try to put in some security in S_USER_AGR so that users can only save to certain roles. Also, this is just a thought, since I don't have access to a live BW system now: try removing activity 22 from S_RS_COMP. This should stop you from assigning queries to roles, but I'm not sure if it will impact workbooks as well. Best of luck! Please tell us what you end up doing.

Q. I would like to check with you on how the system checks BI auth. Does it check every possible combination? For e.g.: user is assigned 2 analysis auths as below: A: plant 1000, purchasing group (PG) 100; B: plant 2000, PG 200. When the user runs a report and fills in the fields with plant: 1000, 2000 and PG: 100, 200, he/she will actually get no authorization. When I checked the trace, it looks like the system is checking for: 1) plant 1000, PG 100; 2) plant 1000, PG 200; 3) plant 2000, PG 100; 4) plant 2000, PG 200. In this case, the authorization failed because there is no such combination for 2 and 3 in my analysis authorizations. Appreciate your advice if my understanding is correct and how we can work around this apart from asking the user to run the report separately for plant 1000 and 2000.

A. First of all, let me thank you for asking such a great question. Understanding the behavior of the SAP security system in different scenarios is likely to benefit others visiting the post. Now to your question. Your interpretation about how the system is actually behaving is absolutely correct. The system checks that you have access to all 4 combinations before giving you access. So with the two authorizations that you have, you will face an authorization error. The easy workaround for this, as you mention, is to ask the user to run the report twice with the different combinations of values. To help the user, you can actually save the combinations in two variants and ask that these be used instead of manually keying in the values. Finally, I am not sure if you just picked up an example with the above scenario or are actually trying to solve a business requirement. If this is an actual requirement, you might want to check the enterprise structure (the relationships between plants, purchasing groups and users) in your organization. Typically I have found that buyers are assigned to purchasing groups and might be responsible for one or more plants. So the requirement that a buyer should have different purchasing groups for different plants is a bit different from what I have seen till now. If after further research you find that the buyer is really responsible for PG 100 and 200 in plants 1000 and 2000, the best solution would be to create a single authorization with plant 1000, 2000 and PG 100, 200 instead of the two that you are currently using.

Q. Does ST01 report missing values of the S_RS_AUTH object? What is that restricted user?

A. For missing S_RS_AUTH objects, i.e. analysis authorizations, you would need to use the trace function in the RSECADMIN transaction. I am not sure about your second question though.

Q. I cannot find any entry in CMC home, although I have SAP_ALL. I.e. under Organize, there are no entries, i.e. Folders, Users and Groups. How do I get these entries?

A. SAP_ALL will not give you any rights in BOBJ. What you see in CMC is controlled by the rights assigned to your user in BOBJ.

Q. I have deleted the administrator rights to manage user groups. Do you know how I can recover this?

A. There should be a default user account called "administrator" which should have access to everything within BOBJ. However if you had changed the rights of the administrator group itself then you are out of luck.
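The two behaviours that come up repeatedly in the BW answers above, the colon (:) value that only authorizes a characteristic while it stays aggregated, and the plant/purchasing group case where every value combination of a query run has to fit inside one single analysis authorization, can be modelled in a few lines. The Python below is an added illustration, not SAP's code and not part of the original page: it encodes only those two rules as the answers state them, and it simplifies by assuming that each authorization lists every authorization-relevant characteristic the query touches. The characteristic names 0PLANT and 0PUR_GROUP and all values are constructed sample data; the RSECADMIN trace remains the authoritative source for what the real system decided.

```python
"""Simplified model of the SAP BW analysis-authorization check.

Added illustration, not SAP code. It models two rules from the Q&A above:
  1. ':' authorizes a characteristic only while it is aggregated (in the
     free characteristics, unrestricted, not in the rows); '*' covers
     everything; a concrete value must be listed explicitly.
  2. Every value combination of a query run must be covered in full by one
     single analysis authorization; values are not merged across them.
Simplification (assumption): every authorization lists every
authorization-relevant characteristic the query touches.
All characteristic names and values are constructed sample data.
"""
from itertools import product
from typing import Dict, List, Mapping, Optional, Set, Tuple

ALL = "*"        # full authorization for a characteristic
AGGREGATE = ":"  # aggregate-only authorization

# analysis authorization: characteristic -> permitted values ('*', ':' or concrete)
AnalysisAuth = Dict[str, Set[str]]

# what a query run asks for, per authorization-relevant characteristic:
#   None        -> aggregated: free characteristic, unrestricted, not in rows
#   {"*"}       -> drilled down / in rows with no restriction (all values)
#   {"1000",..} -> restricted (e.g. by an authorization variable) to these values
Selection = Mapping[str, Optional[Set[str]]]
Combination = Tuple[Tuple[str, Optional[str]], ...]


def covers(auth: AnalysisAuth, char: str, value: Optional[str]) -> bool:
    """Does one analysis authorization cover `value` of `char`?"""
    permitted = auth.get(char, set())
    if value is None:
        # aggregate only: ':' suffices, and '*' implies ':'
        return AGGREGATE in permitted or ALL in permitted
    if ALL in permitted:
        return True
    if value == ALL:
        # unrestricted drilldown: only '*' is enough, ':' or a value list is not
        return False
    # concrete value: ':' never authorizes it, the value itself must be listed
    return value in permitted


def unauthorized_combinations(auths: List[AnalysisAuth], sel: Selection) -> List[Combination]:
    """Return every value combination of the selection that no single
    authorization covers in full. An empty list means the run is authorized.

    This is why plant {1000} x PG {100} plus plant {2000} x PG {200}
    does not cover (1000, 200) or (2000, 100)."""
    chars = sorted(sel)
    axes = [[None] if sel[c] is None else sorted(sel[c]) for c in chars]
    failed: List[Combination] = []
    for combo in product(*axes):
        if not any(all(covers(a, c, v) for c, v in zip(chars, combo)) for a in auths):
            failed.append(tuple(zip(chars, combo)))
    return failed


# --- constructed sample data (names assumed for the example) ---------------
AUTH_A: AnalysisAuth = {"0PLANT": {"1000"}, "0PUR_GROUP": {"100"}}
AUTH_B: AnalysisAuth = {"0PLANT": {"2000"}, "0PUR_GROUP": {"200"}}
AUTH_AB: AnalysisAuth = {"0PLANT": {"1000", "2000"}, "0PUR_GROUP": {"100", "200"}}
AUTH_CC: AnalysisAuth = {"0COSTCENTER": {"1000", "2000", AGGREGATE}}
PLANT_PG_RUN: Selection = {"0PLANT": {"1000", "2000"}, "0PUR_GROUP": {"100", "200"}}


def plant_pg_two_auths() -> List[Combination]:
    """Two separate authorizations, report run for both plants and both PGs."""
    return unauthorized_combinations([AUTH_A, AUTH_B], PLANT_PG_RUN)


def plant_pg_single_auth() -> List[Combination]:
    """The answer's fix: one authorization holding both plants and both PGs."""
    return unauthorized_combinations([AUTH_AB], PLANT_PG_RUN)


def costcenter_totals_only() -> List[Combination]:
    """Cost center in free characteristics, unrestricted: ':' covers the totals."""
    return unauthorized_combinations([AUTH_CC], {"0COSTCENTER": None})


def costcenter_drilldown_unrestricted() -> List[Combination]:
    """Cost center dragged into the rows with no restriction: ':' is not enough."""
    return unauthorized_combinations([AUTH_CC], {"0COSTCENTER": {ALL}})


def costcenter_drilldown_restricted() -> List[Combination]:
    """Authorization variable restricts the rows to 1000 and 2000: authorized,
    but the totals then only cover those two cost centers."""
    return unauthorized_combinations([AUTH_CC], {"0COSTCENTER": {"1000", "2000"}})


if __name__ == "__main__":
    for fn in (plant_pg_two_auths, plant_pg_single_auth, costcenter_totals_only,
               costcenter_drilldown_unrestricted, costcenter_drilldown_restricted):
        print(f"{fn.__name__:34s} -> {fn() or 'authorized'}")
```

Running the file lists the failing combinations per scenario: the two-authorization plant/PG run fails on exactly (1000, 200) and (2000, 100), the merged authorization passes, the cost center left in the free characteristics passes on the ':' value alone, and the same cost center dragged into the rows without a restriction fails even though ':' is present, which is the "Not enough authorization" situation from the ZBASIS/ZFIN/ZPRIV question.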

HR SECURITY:

Q. Do you know the use of parameter UGR value 10 and why we have to make sure it is not abused? Should we not assign SU3 to users so as to prevent them from updating this parameter? A. the UGR parameter is meant for default HR user group for a person. The user group is used as  part of config entries to control the user interfaces (for example the info type entries or number of tabs) in standard SAP HR transactions like PA20, PA30, etc. Also, this parameter just controls the user interface. So security will always be checked in the backend and there are ways to display info types even if they are not in the default interface. I am not aware how user group 10 has been used in your landscape as this is totally dependent on configuration. Please check with the functional HR guys about the ways in which user group is being used in your system. As you mention any user with access to SU3 will be able to change the default values for UGR maintained in their user master. I don’t believe taking away SU3 is the solution in this case as this might have other implications for maintenance. However someone (a process owner) has to take a call about the sensitivity of users changing their UGR parameters. Q. Normally we do assign below parameters in SAP HR system:CATS_APPR_PROF ESH_LINE CVR Z_ESHER  MOL 45 Can you please let me know why do we have to assign them in SAP? A. User Parameters in general are used to provide default values for various transactions/applications CVR is used to provide the default time entry profile in CAT2 MOL is MOLGA or the default country grouping CATS_APPR_PROF is the default for the CATS approval profile used by Time Approvers. Q. Do you have a list of critical Info types/ subtypes that we should make sure are secured in any SAP Environment?

A. I don't have a list of critical info types which might be secured, as any list will vary widely with the country or even the industry that you work in. Security for HR data is all dictated by the privacy policies of an enterprise or the prevailing privacy related laws in the country. It's normally not dictated by the security team. I would suggest getting in touch with the Privacy Officer or the Chief Information Officer in your organization for guidance on what needs to be protected. Give them a list of the info types in the system and ask what the protection level should be for each of them.

Q. Regarding info types, why is info type 0105 subtype 0010 important and why is it that it needs to be maintained?

A. Not absolutely sure, but subtype 0010 is probably for email. Check transaction SPRO for info type configuration. You can get the names of all info types/subtypes defined in the system.

Q. I am working on an implementation project. When the HR person is trying to create PERNR records via PA40, it is giving an error message "No authorization to maintain actions Z1 exists". Is this anything to do with info types? Any idea how to resolve this, since SU53 and trace do not catch any missing authorizations?

A. To run any actions in PA40 you need write access to info types 0000 (Actions) and 0302 (Additional Actions). My guess is Z1 is the custom action type that you are using for hiring employees. You can use this as a subtype for IT 0000 if you have a requirement to secure actions at action type level. However, a trace should catch this error.

Q. What's the difference between employee and applicant in HR? Personnel Administration (PA) data consists of attributes for people, whether employees or applicants, and is stored in the PA info types?

A. From a functional HCM level there might be a lot of differences and I wouldn't claim to know all of them. In brief, an applicant is basically someone who is looking for employment in your company. Once he is hired he becomes an employee. The tables storing applicant data are of the form PBXXXX instead of PAXXXX, which store employee data. The transactions and authorization objects to restrict applicant data are also different. For example, to maintain applicant data you would use t-code PB30 and secure it via the P_APPL object. Typically security requirements around applicant data are less stringent than for employees.

Q. Actually I have to provide table level security only for all those HR tables which have restricted data and should only be viewed by the responsible persons who have the required authorization. So as per now, if I restrict all tables starting with PA*, PB*, HRP*, PCLn, will this cover my requirement?

A. I think you are good with identifying the tables. We do have a few other tables which store HR configuration data but I don't believe these will need to be separately secured because these are not storing employee data. The key point to remember about privacy is to secure access to PII (personally identifiable information).

Q. Difference between P_ORGIN and P_ORGXX: why and how is P_ORGXX used to restrict access? I have read the basic difference between the objects (the fields are different), but what I do not understand is the application of this object. The fields related to various administrators, what do they signify? Do we fill in the PERNR/user ID of the admin there? **A user has authorization for data for only those time intervals when the user is assigned to P_ORGXX and/or P_APPL objects. Is it the same validity range which we enter while assigning a profile/role?

A. The fields available in P_ORGXX are different from those available in P_ORGIN. So basically it comes down to which one of these two helps you to map your client requirements. For time logic and period of responsibility, I will refer you to the SAP documentation. I cannot explain the various cases better than what the documentation already says.

Q. Do you happen to know what HR table contains Time & Expense data? Is it available in the HR cluster tables (PCL1 & PCL2, relation ID: TE / TS)? If yes, how do you access data from these HR cluster tables?

A. The HR clusters store payroll and time evaluation results among other things. I am not sure about the expenses data. SAP provides standard reports to read data from the clusters depending on which of the clusters are being read. Directly reading the cluster tables would not help too much.

Q. Do you have any case studies of structural authorization being applied in ESS/MSS?

A. However, I can briefly share my own experience working on this. ESS shouldn't need the use of structural authorizations as you are basically accessing your own personnel record. The only exception to this is a situation where every user using ESS is restricted to certain HR objects. I have not used structural authorizations with ESS. MSS will on the other hand need structural authorizations in all but the simplest implementations. In MSS, a line supervisor is basically restricted to viewing his reports. Here, in addition to the info type access, the user can be assigned a PD profile which traverses the standard org hierarchy. SAP provides a standard function module RH_GET_MANAGER_ASSIGNMENT to evaluate the org hierarchy dynamically at run time. This allows a single PD profile to be used for all managers. We used a similar design in our system.

Q. What are the implications of having P_PERNR with authorization level set to *, info type set to *, interpretation set to * and subtype set to *? Since interpretation is set to *, would the system consider it E or would it consider it as I?

A. From a design standpoint, P_PERNR should never be used with interpretation set to * as * might be interpreted either as E or I depending on the SAP version. Also, logically * in this field does not make any sense to me. I would also be skeptical about using * in the info type field.

Q. I am implementing ESS/MSS for a client without structural authorization. The problem I have come across with setting up the authorization for ESS/MSS is that the Web Dynpro service for display of pay slip checks the access to P_ORGIN, which will interfere with our backend payroll access. I have read that the check should be switched off in the portal. Would you agree on this, and how can this be achieved? The auth objects checked for Web Dynpro services do not appear in SU24?

A. I might be mistaken but I have not come across a situation where you could switch off checks for P_ORGIN for a Web Dynpro application. If the Web Dynpro is calling a report in the backend, you can investigate the use of the P_ABAP object. However, if you are just trying to use ESS to view a person's own pay slip, P_PERNR should be enough. This object only opens up access to a person's own personnel record so should not pose a problem to your existing payroll security. Let me know how you end up solving the issue. This would help new visitors to the site.

Q. For structural auths to work, must we update table T77PR (user assignment to structural profiles)? I have been told we can assign a structural auth profile directly to a PFCG role using P_ORGXX. Will the table T77PR slow everything down?

A. The T77PR table holds the definition of the structural authorization while T77UA stores the user assignment for PD profiles. There are ways to get away from maintaining this table but you would need to use a user exit to read the PD profile data from the roles. Just updating an auth object will not work.

Q. How do you go about this situation? You want payroll administrators to be able to maintain their bank details, personal info etc. on ESS but not on the back end using PA30. How do you restrict this from happening?

A. Can't be done with standard security. You would need your development team to code an enhancement for either the ESS application or for PA30.

Q. I can't understand, when the authorizations for the info types are restricted via P_ORGIN and P_ORGXX, why we need the PLOG object?

A. PLOG controls access to OM objects and info types. P_ORGIN and P_ORGXX control access to PA info types.

Q. Are there any disadvantages of using COARS=2 in roles? Are there roles where we should always use value 1 vs. using value 2?

A. Ideally you shouldn't be using P_ABAP in too many roles at all. And whenever you use P_ABAP in roles, it should be restricted to the particular report name which should be run with simplified security checks. Also, both the possible values have their uses but in different situations. I am giving 2 common examples: 1 is used for HR administrators who already have access to sensitive HR data. When a person with this level of security accesses the HR data of a large number of users (like for a mass data export for a country during payroll), a P_ABAP value of 1 can shorten the execution times. 2 is used to give non-HR users (like helpdesk staff) access to non-sensitive HR reports. Since a value of 2 will make the report run without any HR security checks, you have to ensure that the report doesn't display sensitive data. We use P_ABAP in such cases as otherwise we would have needed to maintain P_ORGIN (ORGXX) authorizations for these users, which would in fact allow them greater access to HR. The Privacy Officer or Chief Information Officer can help you in the determination of the sensitivity of different data and the people who might access them. For any questions on access to HR data, these people should always be consulted as violations might be against corporate policies or prevalent laws.

Q. I have a question or two about context authorization. My client already has SAP HR implemented with much needed clean up as no best practices were adopted. Currently their context authorization is not set up but they have set up lots of existing structural profiles without any documentation to guide me. My questions are:
1. How do I sort out which structural profiles to use? How do I assign, say, a Time Admin in a specific PERSA to the correct profile? I mean how do I decide which of the matched profiles to use and how do I test? They have given me no data and no documentation.
2. If they have assigned several objects manually in the role, how do I decide which t-codes to assign to P_ORGINCON in SU24?
3. Do I assign the user to the structure in OOSB and also add the same profile in P_ORGINCON?

A. Are your clients using structural security at all?
If not, you can just ignore the existing profiles and start building profiles from scratch. If you build from scratch you will probably have to do more work up front but will have a cleaner design. Whatever the case, I would suggest that you keep the number of PD profiles to the minimum. Use PD profiles for security only when general security cannot meet the requirements. If your client already uses structural security but is now moving to the context solution, you can get an idea about the functionality of the PD profiles from looking at OOSB and checking the roles assigned to users who are also restricted by PD profiles. Another way to find the objects returned by a PD profile is to check the PD profile definition in OOSP and click the I (information) button adjacent to each profile entry.

Once you have the PD profiles that are applicable for each HR role, you would need to add these profile values to P_ORGINCON (or P_ORGXXCON) in the PROFL field. The other field values for these objects would be the same as the corresponding P_ORGIN (or P_ORGXX) values.

Q. I have managed to sort out a few issues with my current client. I have implemented CONTEXT for HR. I have a few requests from my client and I can't seem to find a solution, although from a CONTEXT point of view my role design should have worked to restrict access to IT0008 such that:
1) HR employees should be able to see their own IT0008 records.
2) They should be able to R/W/E IT0008 for all non-HR associates.
3) HR should be able to R/W/E data for all associates in the organization including HR (that is, all info types except IT0008 for HR associates).
My client doesn't want to create a PERSA for HR nor designate an ORG KEY to HR. They do not want to assign two user IDs to HR associates. My solution:
1) Create a PD profile with the HR org unit as the start object.
2) Assign both ALL and the new HR PD profile to HR associates with the exclusion button checked for the HR PD profile in OOSB (T77UA).
3) Assign the ORGANIZATION PD profile in the role that allows the user to access his/her IT0008 records but excludes IT0008 as a value in AUTHC (0000-0007, 0009-9999).
4) The role that gets the ALL PD profile also gets IT0008 as a field value. P_PERNR = R, IT0008, I, *. PA, EG, ESG, ORG KEY the same for both roles.
RESULTS: 1. User can access his/her IT0008 records. 2. User can access all records of all associates outside of the HR department. 3. USER CANNOT ACCESS ANY RECORDS OF OTHER HR ASSOCIATES. How do I solve this? Will an in-house FUNCTION MODULE work to exclude the HR during runtime for IT0008?

A. I will take a shot at this but cannot guarantee that the solution will work. For simplicity's sake I will assume that you are currently using P_ORGINCON and P_PERNR for securing PA data. Create a copy of the ORGANIZATION PD profile, say XXX, and also assign this to the HR folks in T77UA. In the role giving PA access the following authorizations will be needed:
P_ORGINCON: INFTY 0000-0999, AUTHC R, W, E, PROFL ALL, ORGANIZATION

P_ORGINCON: INFTY 0000-0007, 0009-0999, AUTHC R, W, E, PROFL XXX
P_PERNR: INFTY 0008, AUTHC R, SIGN I
Other than this, have you given thought to who actually updates IT 0008 for the HR team? Your requirement can also probably be met by using P_ORGXXCON with separate HR administrator groups for the HR folks and the rest of the employees. Let me know how it goes. Thanks for the question. First time I have come across this requirement but it does sound like something that a lot of clients can ask for.

Q. I have requested the ABAPers to build an in-house FM that skips the HR org unit. I will see how a combination of this FM allows restriction for IT0008 to HR associates while granting access to all other records for other associates including HR. I will post my findings once I succeed.
2. Today, a defect was raised while accessing retiree records with CONTEXTUAL authorization. As I understand it, all field values will have to pass authorization checks in order to grant access. If the PERNR (retiree's) is accessed, how will P_ORGINCON get around it if the PROFL check does not find the person (PERNR) in the org structure? Retirees no longer have any position assignments in the org structure.
3. Recently, I requested that the DEV client be copied so that I can implement the CONTEXT solution. When a user executes SA38 and runs a report for a PERNR, it seems to work but the system directs its output to a printer. Once print preview is pushed, it starts generating the report but it terminates halfway through the report without generating an error message at the status line. When I execute SU53, the authorization check is asking for P_ORGIN?? STRANGE!! OOAC switches are set as follows: ADAYS=15, DFCON=2, INCON=1, ORGDP=1, PERNR=1, ORGIN=0 and everything else is set at 0. Do you think the printer settings could be the culprit? I have already asked BASIS to reset but the error still prevails?

A. Good luck with your function module, though I am a bit skeptical about the robustness of the solution going into the future. Org units change in the course of time and an FM hard-coded to skip a particular org might create more difficulties in the future. But as long as the business owners are on board, you shouldn't have to worry. After retiring, the erstwhile employees will be part of the so-called default position (9999…). The SAP system's access to these is controlled by the different values of the DFCON switch. Check which one works for you. There is a post in this blog which specifically talks about the DFCON switch. Finally, the last error has nothing to do with authorization. There is a user parameter (SAU) for writing to spool which might be at fault here.

Q. Is the security team responsible for t-code PPSOSE or is it the HR functional team? If it is the HR functional team then how much of a role does the security team have in managing the org structure?

A. I think you have asked a very pertinent question and one which doesn't have any clear cut answers. The security involvement in OM will vary with each installation. Ideally, for an installation using any SAP HCM functionality, the HR consultants or the HR end users should be managing the org structure. At best, security will be involved in only a support/consulting role for org structure management. However, there are 2 areas in OM where security would be involved at a more detailed level. Firstly, if you use indirect role assignment (roles assigned to OM objects instead of directly to end users) and secondly, if you use structural authorizations. There might be a third case, where OM is implemented just to facilitate the above two security processes, i.e., indirect assignment and/or structural authorizations. In such a case, the security administrator might be expected to take over the entire org management responsibilities.

Q. Is the security team responsible for t-code PPSOSE or is it the HR functional team? If it is the HR functional team then how much of a role does the security team have in managing the org structure? I wanted to find out if there are any pros and cons of using indirect role assignment vs. direct role assignment. Are there additional steps that we need to take in order for the smooth functioning of indirect role assignment?

A. The basic idea behind indirect role assignment is to reduce maintenance effort during role assignment to users.
In indirect role assignment, roles are assigned to OM objects like jobs, positions, tasks, org units, etc. Thus any person linked to any of these objects will automatically get the access without the security admins having to assign roles manually. There are quite a few technical prerequisites to fully implement indirect role assignment and I plan to cover these in a new blog post in the near future. However, the out of the box configuration that SAP provides is sufficient to implement some form of indirect role assignment. The critical success factor for indirect role assignment is to understand how correctly your org hierarchy mirrors the roles/responsibilities of your users. Some of the questions that need to be discussed with your business owners, functional consultants and security team are:
- What is the correlation between the roles/responsibilities of users and their position in the org structure?
- Who will be responsible for maintaining the org structure and how frequently?

- Will users need their old access even if they move to a new position?
- How will contractors be given access? Contractors are normally not part of the org structure and don't occupy a position. So do you continue to directly assign roles to contractors or do you link them to the org structure in some way (for example through positions/jobs/tasks)?
- Are you only concerned about a central ECC system or are there other systems in the landscape (BW, CRM, SRM, APO, etc.)? Will the roles assigned in these other systems also be determined by the users' positions in ECC?

Q. I wanted to find out how we restrict users from changing the org structure while giving them access to update the org units (moving positions etc. in their own org units). Would restricting PPOM, PO10 etc. be sufficient or are there other steps we have to take to secure the org structure?

A. To work with OM objects (which includes the org structure) users need update access to the appropriate object types and activities through the PLOG authorization object. You can try restricting users to only being able to create certain relationships (subtypes for IT 1001). In case this is not sufficient, structural authorizations can be used to restrict access to only certain objects. I don't think restricting access to some transactions would work.

Q. How does everything fit together? How are the HR objects, structural authorizations, evaluation paths and org structures interconnected in an SAP system? It's like, for any system to work, what are the steps that need to be followed? I don't necessarily want to know how things are done but just an outline as to what all should be in place for the smooth functioning of the HR piece in SAP?

A. As far as general authorizations (roles) are concerned, there is not a whole lot of difference between HR and other functional areas. So you basically analyze the current business processes to arrive at a suitable user-role-t-code matrix, build your roles, test the roles and move them to production during go-live. For structural authorizations to work there are quite a few steps which need to be configured correctly. The key thing to understand is to ensure that all the steps have been accounted for rather than follow a set sequence of steps. I would try to follow the following sequence but other sequences would probably work just as well. Also remember that a lot of the following steps would typically be performed by the HR consultants.
- Start with setting the authorization switches; the integration between PA and OM should also be on (check with the HR team for this step).
- Build the org hierarchy.
- Determine if new object types and/or relationships are needed. If needed, configure these in SPRO.
- Adjust existing evaluation paths or create new ones.
- Create PD profiles. Use static assignment of objects, evaluation paths or function modules depending on requirements.

- Decide on an assignment strategy for PD profiles (direct assignment or assignment via IT 1017 to positions/jobs etc.).
Always remember that the sequence will change as you keep working on your project. New requirements will come which need to be incorporated into your design.

Q. I assigned a PERNR (person) to a position in the org structure using t-code PPOSE. I then ran the reports RHBAUS02/01/00 for the user assigned the PD profile for which the org unit (that incorporates the position assigned to the PERNR) is the root object. I noticed that T77UA updated the new entries in SAP memory and I was able to see the new PERNR in OOSB. However, when I execute PPST, I do not see the new PERNR (person) that I had assigned in PPOSE although I can see the org unit and the other PERNRs. Why did PPST not update to return all newly added objects? Is there a report that needs to run first in order for this update? Info type 0001 also updated right away for the PERNR after the assignment in PPOSE. OM is a little confusing as different views show the hierarchies differently. Which hierarchy is reliable for building PD profiles: PPOME, PPOSE or PPST? I know that without a reliable picture of the org structure, it is impossible to build a PD profile with a start object that incorporates several org units?

A. What is the evaluation path in the PD profile which is returning the PERNR? Ideally this evaluation path with the same start object should return the same hierarchical tree in PPST. I normally use the evaluation path O-O-S-P for returning the org structure of a company while building PD profiles.

Q. The HR admin is trying to recruit (hiring process; t-code PA40, info type 0000, action type 1B Hiring) one employee to a particular position which will be active from 01.09.2012. But the HR admin is getting an error saying "you are not authorized to the position XXXXXX". Here my doubt is, can't the user hire a person until the position is active? I mean until it is available in the org structure (T77UA)? Only then can he/she perform hiring actions? Meaning we can hire a person only on the date when the position is active?

A. A lot of things might be happening. Start by running a security trace and check that you have all the different auth objects being checked. Then start looking at structural authorizations. Are you trying to hire to a default position (99999…)? Then check auth switches DFCON or ORGPD as applicable in your setup.

Q. I set up a structural authorization in OOSP to restrict the view of a person to a specific org unit only (in PPOSE, PPOME). It's working well, but the person can't seem to view and create jobs in PPOME. Can you help me determine which evaluation path in OOSP I should give the user access to?

A. This is more complicated than you think as different evaluation paths return different objects depending on requirements. Do you need to restrict the view for any jobs? If not, a single entry in your PD profile for the object type without specifying any object ID or evaluation path will give access to all jobs. If you need specific jobs, get in touch with your HR team for guidance.

Q. "This is more complicated than you think as different evaluation paths return different objects depending on requirements. Do you need to restrict the view for any jobs? If not, a single entry in your PD profile for the object type without specifying any object ID or evaluation path will give access to all jobs. If you need specific jobs, get in touch with your HR team for guidance"?

A. The lines in the PD profile with just the object type specified denote that this profile gives access to all values for this object type.

Q. We are implementing structural authorizations and it's working perfectly for managers, but employees are unable to see any data, not even their own data. We are using the get manager function module for managers and get org assignment for users. Under evaluation path I have given O-O-S-P for both the manager and user profile. When I gave * in the user's role for the profile field in P_ORGINCON it works fine?

A. Do you mean that managers can view data for their reports but users cannot view their own data? Access to users' own data is controlled through P_PERNR. You don't need to use a PD profile for controlling access to own data. You should also check if the access issues are for users' own default position or for users trying to access other folks on the default position. Your statement about * in PROFL in P_ORGINCON suggests this as one of the potential problems. Access to employees on default positions is controlled through the DFCON auth switch. There is a separate blog post here which talks about the various values for this flag and their impact.

Q. I am trying to use function module RH_GET_Person_FROM_USER to get the personnel number of a user so he can get access only to his PERNR in the structural authorizations. When I go to SE37 and test the function module it is working fine. But when I try to use it in the structural profile, it's not giving output when the user tries to view his data in PA20. I think I am using the wrong evaluation paths; I tried P-S-O and A008. But no luck. It will be great if you can point me in the right direction. I am not sure what the actual relationship type is between person and user (between P and US object types)?

A. If RH_GET_Person_FROM_USER just returns the PERNR from the user ID, you do not need any evaluation path or relationship in the PD profile definition. Just set the object type as P and FM as RH_GET_Person_FROM_USER.

Q. I am new to HCM, and in the process of creating roles for our HR users. I want to allow a group of users access to display all employee types, but only update hourly employees. I can't seem to find the authorization object that allows this?

A. The key to solving this is to understand how hourly employees are classified in your system. Typically hourly employees will be a separate employee group/subgroup. If this holds true for your client, you can use P_ORGIN or P_ORGINCON for restricting access.
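The context solution design from the IT0008 answer further up (P_ORGINCON with the PD profile named in PROFL, plus P_PERNR with SIGN I for the user's own record) and the display-all/update-hourly-only answer just above can be modelled in a few lines. The following is an added example, not code from the original post or from SAP: the employees, org unit IDs, the user-to-PERNR link, the profile names ALL_EXCEPT_HR and XXX, the role names Z_HR_CONTEXT and Z_TIME_ADMIN, and the use of employee subgroup DU for hourly staff are all assumptions, and the check logic is a simplified reading of how these objects combine (no period of responsibility, no subtypes, no authorization-level hierarchy).

```python
"""Constructed model of SAP HCM PA checks under the context solution:
P_ORGINCON (PD profile named in PROFL) plus P_PERNR for the user's own record.
Added illustration, not SAP code: field names follow the real objects, but the
matching is simplified (no period of responsibility, no SUBTY/VDSK1, no
authorization-level hierarchy)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    pernr: str
    orgunit: str  # IT0001 org unit (constructed ids)
    persg: str    # employee group
    persk: str    # employee subgroup
    user: str     # SAP user linked to the person (assumed IT0105 link)


# Constructed population: 50001000 is the HR org unit, 50002000 is IT.
EMPLOYEES = {e.pernr: e for e in (
    Employee("00001001", "50001000", "1", "DH", "HR_LEAD"),
    Employee("00001002", "50001000", "1", "DH", "HR_ADMIN"),
    Employee("00002001", "50002000", "1", "DH", "DEV1"),
    Employee("00002002", "50002000", "1", "DU", "CONTRACT1"),
)}

# Person sets each PD profile resolves to, as RHBAUS00 would leave them in the
# structural authorization index (constructed; default-position/DFCON cases omitted).
PD_PROFILE_PERSONS = {
    "ALL": set(EMPLOYEES),
    # the questioner's "ALL plus HR profile with exclusion flag": everyone outside HR
    "ALL_EXCEPT_HR": {p for p, e in EMPLOYEES.items() if e.orgunit != "50001000"},
    # the answer's "XXX": a copy of the ORGANIZATION profile rooted at the HR org unit
    "XXX": {p for p, e in EMPLOYEES.items() if e.orgunit == "50001000"},
}


@dataclass(frozen=True)
class OrginCon:
    """One P_ORGINCON instance; '*' in PERSG/PERSK matches any value."""
    infty: tuple       # ranges of 4-digit infotypes, e.g. (("0000", "0007"),)
    authc: frozenset   # R read, W write, E enqueue, ...
    profl: str
    persg: str = "*"
    persk: str = "*"


@dataclass(frozen=True)
class Pernr:
    """One P_PERNR instance; PSIGN I includes, E excludes the own record."""
    infty: tuple
    authc: frozenset
    psign: str


def in_ranges(infty, ranges):
    return any(lo <= infty <= hi for lo, hi in ranges)


def wild(pattern, value):
    return pattern == "*" or pattern == value


# Hypothetical roles. Z_HR_CONTEXT is the design from the IT0008 answer;
# Z_TIME_ADMIN displays everyone but changes only subgroup DU (hourly, assumed).
ROLES = {
    "Z_HR_CONTEXT": (
        OrginCon((("0000", "0999"),), frozenset("RWE"), "ALL_EXCEPT_HR"),
        OrginCon((("0000", "0007"), ("0009", "0999")), frozenset("RWE"), "XXX"),
        Pernr((("0008", "0008"),), frozenset("R"), "I"),
    ),
    "Z_TIME_ADMIN": (
        OrginCon((("0000", "0999"),), frozenset("R"), "ALL"),
        OrginCon((("0000", "0999"),), frozenset("RW"), "ALL", persk="DU"),
    ),
}
USER_ROLES = {"HR_ADMIN": ("Z_HR_CONTEXT",), "TIMEKEEPER": ("Z_TIME_ADMIN",)}


def authorized(user, pernr, infty, authc):
    """Return (allowed, reason) for user performing authc on infty of pernr."""
    target = EMPLOYEES[pernr]
    auths = [a for role in USER_ROLES.get(user, ()) for a in ROLES[role]]
    if target.user == user:
        # Own record: P_PERNR decides first. An E entry withdraws the activity even
        # if P_ORGINCON would grant it; an I entry grants it without any P_ORGINCON.
        hits = [a for a in auths if isinstance(a, Pernr)
                and in_ranges(infty, a.infty) and authc in a.authc]
        if any(a.psign == "E" for a in hits):
            return False, "P_PERNR PSIGN=E excludes own record"
        if any(a.psign == "I" for a in hits):
            return True, "P_PERNR PSIGN=I on own record"
    for a in auths:
        if (isinstance(a, OrginCon) and in_ranges(infty, a.infty) and authc in a.authc
                and wild(a.persg, target.persg) and wild(a.persk, target.persk)
                and pernr in PD_PROFILE_PERSONS.get(a.profl, set())):
            return True, f"P_ORGINCON via PROFL {a.profl}"
    return False, "no matching authorization"


if __name__ == "__main__":
    for args in (("HR_ADMIN", "00001002", "0008", "R"), ("HR_ADMIN", "00001001", "0008", "R"),
                 ("HR_ADMIN", "00001001", "0002", "W"), ("HR_ADMIN", "00002001", "0008", "W"),
                 ("TIMEKEEPER", "00002001", "0002", "W"), ("TIMEKEEPER", "00002002", "0002", "W")):
        print(args, "->", authorized(*args))
```

Running it shows the three results the questioner asked for: an HR administrator reads and writes every infotype of HR colleagues except 0008, reads their own 0008 through P_PERNR, and gets 0008 of non-HR associates through the ALL_EXCEPT_HR context; the timekeeper role reads everyone but can only write records of the hourly subgroup. Changing the PSIGN in Z_HR_CONTEXT to E shows the own-record exclusion taking precedence over P_ORGINCON, which is the behaviour the * interpretation question above is worried about.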

Q. Is the creation of function modules the responsibility of the security team or the HR functional team? Also what are the benefits of function modules?

A. The function module entry in OOSP (PD profile definition) is meant to determine the start object dynamically during run-time. If you are comfortable with ABAP no one is really stopping you from writing your own function module. However, in general security administrators shouldn't be expected to write code. In fact the HR functional team is also mainly responsible for configuring the system. Writing code is almost exclusively left to the ABAP team.

Q. Do we need to have indirect role assignments when using function modules or would direct role assignment work with function modules just fine?

A. The function modules are used for defining PD profiles. There is really no connection between using FMs in PD profiles and using indirect role assignment.

Q. In OOSP under the auth profiles I see sequence numbers and different object types, object IDs and different evaluation paths. So when we assign an authorization profile to the user, how does all this come into play? Like in your example above, the profile MANAGER has so many entries and if a user A is assigned the profile MANAGER then what evaluation path does this user get access to?

A. While defining PD profiles through OOSP, please remember that each line (sequence numbers 1, 2, 3) is independent of the others. Each line will give access to the objects returned by the evaluation path mentioned in it.

Q. When we assign the auth profile to the user then which authorization profile (which one from the sequence) is assigned?

A. If you take the example of the MANAGER profile, it's a single profile with a number of independent lines in its definition. So every line in the sequence will be independently assigned to the user, once MANAGER is assigned to the user in OOSB.

Q. I am facing a peculiar issue with PD profiles. As per business requirements, I have used 2 evaluation paths:
1. O-O-S-P (display only for US)
2. ZU-O-S-P (for IT department only); ZU = business line (like HR, IT), O = org units like US, EMEA, AUS.
I wanted them to work together so that I can give a person access to only IT in the US. However, it doesn't work that way. The user is able to access all of ZU-O-S-P, which means he can change orgs for India also?

A. Check if the evaluation paths are working correctly. Transaction PPST is a good place to check this. If an evaluation path needs to be corrected you would need to get in touch with OM consultants.

Q. I would like to know if I can view who created a PD profile in OOSP?

A. If you have table logging set up in your SAP environment, you can look at the changes for the T77PR customizing objects in transaction OY18 or SCU3.

Q. On info type 1017, do you know what the exclusion column is all about? We thought that if you had a large structural authorization and there was a request for a user to have access for all but one org unit, the column was ticked, which seemed to work for PA20/PA30 access but not for training and events as it prevented the training catalogue from being displayed. I have read somewhere else that it is for the exclusion of branch structures from structural authorizations?

A. PD profiles, as you probably already know, are used to restrict users to a certain set of OM objects (positions, org units, persons, jobs, etc.). The exclusion flag in table T77UA or OOSB or in IT1017 all serve the same purpose. Once checked, the user with this particular PD profile has access to all objects which are not part of the PD profile.

Q. I wanted to find out if there is a way of mass removing the PD profiles from users. We have 200 users that we are trying to remove and going into OOSB and doing it one at a time would probably be a day's work. Can you please suggest an easier and less painful way of doing it?

A. I don't believe there is a transaction for mass removal but you can use any of the existing tools for mass action for removing profiles. Thus any of SECATT, LSMW or SHDB will work. This blog already has another post on how to use LSMW for mass user creation. Creating a script for PD profile removal will follow the same general steps.

Q. I wanted to find out what is the best way to approach this issue. We have multiple time keepers in the company. Would the best way be that for all the time keepers I create one role, make personnel area an org level, assign them the personnel area they are responsible for and assign each of them a PD profile with the correct evaluation path they are supposed to access, or is there another approach I should take?

A. My personal view is to use structural authorization only in those cases where general authorizations would not be enough to meet requirements. In your case, if timekeepers are responsible for all individuals in personnel areas, a general authorization solution should be enough. In the case where timekeepers are only responsible for certain people in a personnel area, only then should you be thinking of setting up structural authorizations.
** I think the t-code used to assign PD profiles to users is OOSB whereas OOAC is used to maintain auth switches.
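How the pieces discussed in the answers above fit together (independent PD profile lines in OOSP, an evaluation path such as O-O-S-P walked from a start object, a function module supplying the start object at run time as RH_GET_MANAGER_ASSIGNMENT does, an object-type-only line returning every job, and the exclusion flag in T77UA/OOSB) can be seen in one small model. This is an added example, not part of the original post and not SAP code: the IT1001 relationship records, the users, the profile names and the two stand-in function modules are constructed (they only follow the contract the answers describe: user ID in, start objects out), and the exclusion handling is a plain reading of the answer above (all objects minus the profile's objects).

```python
"""Constructed model of how SAP structural authorizations resolve to OM objects:
PD profile lines from OOSP (T77PR), evaluation paths over IT1001 relationships,
function modules as dynamic start objects, and the exclusion flag in T77UA/OOSB.
Added illustration, not SAP code; org data, users and function modules are made up."""
from dataclasses import dataclass
from typing import Callable, Optional

# IT1001 records: (source type, source id, relationship, target type, target id).
# B002 is line supervisor of (O->O), B003 incorporates (O->S), A008 holder (S->P), A012 manages (S->O).
RELATIONS = (
    ("O", "50000000", "B002", "O", "50001000"),  # company -> HR org unit
    ("O", "50000000", "B002", "O", "50002000"),  # company -> IT org unit
    ("O", "50001000", "B003", "S", "60000001"),  # HR incorporates two positions
    ("O", "50001000", "B003", "S", "60000002"),
    ("O", "50002000", "B003", "S", "60000003"),  # IT incorporates two positions
    ("O", "50002000", "B003", "S", "60000004"),
    ("S", "60000001", "A008", "P", "00001001"),  # position holders
    ("S", "60000002", "A008", "P", "00001002"),
    ("S", "60000003", "A008", "P", "00002001"),
    ("S", "60000004", "A008", "P", "00002002"),
    ("S", "60000001", "A012", "O", "50001000"),  # HR lead's position manages HR
    ("S", "60000003", "A012", "O", "50002000"),  # IT lead's position manages IT
)
ALL_OBJECTS = ({(st, si) for st, si, _, _, _ in RELATIONS}
               | {(tt, ti) for _, _, _, tt, ti in RELATIONS}
               | {("C", "70000001"), ("C", "70000002")})  # two jobs, unrelated to the rest
USER_PERNR = {"HR_LEAD": "00001001", "HR_ADMIN": "00001002",
              "IT_LEAD": "00002001", "DEV1": "00002002"}
# Evaluation paths as ordered (source type, relationship, target type) steps.
EVAL_PATHS = {
    "O-O-S-P": (("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "P")),
    "O-S-P": (("O", "B003", "S"), ("S", "A008", "P")),
}

def related(otype, objid, rel, ttype):
    return {(tt, ti) for st, si, r, tt, ti in RELATIONS
            if (st, si, r, tt) == (otype, objid, rel, ttype)}

def evaluate_path(start, path):
    """Objects reachable from start along the path (start included), as PPST would list."""
    seen, frontier = {start}, [start]
    while frontier:
        nxt = []
        for otype, objid in frontier:
            for stype, rel, ttype in EVAL_PATHS[path]:
                if stype == otype:
                    for obj in related(otype, objid, rel, ttype) - seen:
                        seen.add(obj)
                        nxt.append(obj)
        frontier = nxt
    return seen

# Stand-ins for the function module column of OOSP (user in, start objects out).
# The first does what RH_GET_MANAGER_ASSIGNMENT is described as doing (org units
# managed by the user's position); the second returns the user's own person.
def manager_assignment(user):
    pernr = USER_PERNR.get(user)
    held = {(st, si) for st, si, r, tt, ti in RELATIONS if r == "A008" and ti == pernr}
    return {o for _, sid in held for o in related("S", sid, "A012", "O")}

def person_from_user(user):
    return {("P", USER_PERNR[user])} if user in USER_PERNR else set()

@dataclass(frozen=True)
class ProfileLine:
    otype: str
    objid: Optional[str] = None
    evalpath: Optional[str] = None
    fm: Optional[Callable[[str], set]] = None

PD_PROFILES = {
    "MANAGER": (ProfileLine("O", evalpath="O-O-S-P", fm=manager_assignment),),
    "HR_ORG": (ProfileLine("O", "50001000", "O-O-S-P"),),
    "OWN": (ProfileLine("P", fm=person_from_user),),
    "IT_AND_JOBS": (ProfileLine("O", "50002000", "O-S-P"), ProfileLine("C")),  # two independent lines
}

def resolve_line(line, user):
    if line.fm:
        starts = line.fm(user)
    elif line.objid:
        starts = {(line.otype, line.objid)}
    else:  # object type only: every object of that type (the "all jobs" case)
        starts = {o for o in ALL_OBJECTS if o[0] == line.otype}
    if not line.evalpath:
        return set(starts)
    return set().union(*(evaluate_path(s, line.evalpath) for s in starts))

def resolve_user(user, assignments):
    """assignments: (profile, exclusion flag) pairs as in T77UA/OOSB. Lines of a profile
    are independent and unioned; an excluded profile removes its objects from whatever
    else the user holds (from all objects if nothing else is assigned)."""
    granted, excluded, has_plain = set(), set(), False
    for profile, excl in assignments:
        objs = set().union(*(resolve_line(ln, user) for ln in PD_PROFILES[profile]))
        if excl:
            excluded |= objs
        else:
            granted |= objs
            has_plain = True
    base = granted if has_plain else set(ALL_OBJECTS)
    return base - excluded
```

With this model the MANAGER profile resolves to the HR branch for HR_LEAD and to nothing for DEV1 (whose position manages no org unit), which is why the answer above points employees at P_PERNR rather than a PD profile for their own data; HR_ORG with the exclusion flag yields every object outside HR; and IT_AND_JOBS shows two lines of one profile being unioned, the job line returning all jobs because it names only an object type.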

Q. Explain the process of assigning PD profiles to OM objects like positions? I am not able to navigate to the screen which you have shown above in the example through PP01/PP03. Kindly explain with some more detailed steps to get to the above screen?

A. PP03 allows you to modify positions. To add PD profiles, select the position in PP03: select the position ID in the initial screen, scroll down and highlight PD profiles at the bottom of the screen, and create the new entries for PD profiles. It's this screen that's copied in the above article. On saving the entries, the PD profile is attached to the position. The same process can be used in PP01 as well.

Q. How do you deal with multiple employees seeing their own pay slips? The problem is that we have managers who are MEs: they are a manager within one org unit and a normal employee in another org unit. With structural authorizations they can see their own org unit and staff. But to display their pay slip via the portal the program determines that they need to see their second (third etc.) job, for which they do not have authorization to see that employee, even though it is their own second record?

A. First of all, this is the first time I am hearing the exact term "Multiple Employees". Do you mean employees who have more than one active PERNR using the concept of Concurrent Employment? How do you identify the different PERNRs linked to an ME? Once you find the answer to this question you need to write a function module (it will follow similar logic to the RH_GET_MANAGER_ASSIGNMENT function module supplied by SAP) which will dynamically take the user ID of a person and identify the different PERNRs assigned to him. This function module should be used as a new line in the existing PD profile for managers.

Q. I would like to understand this from a blueprint perspective in regards to HCM. What I have at the moment is a BPML from the functional team as a base template to start off. But I'm puzzled how to start off with the requirements gathering: how would I know a specific task/activity to group it under a business role? Is this functional team driven or security driven? Since the workshops between the functional team and the client happened without involving the security team, how would I best approach it? Please share your thoughts?

A. The job of determining business roles should be owned by the clients as the business roles are really unique responsibilities of their business users. Start with a meeting where business reps, functional consultants and security folks are all involved. A simple breakup involves determining the unique teams working in their company. For HR, you might have different teams for recruitment, benefits, compensation, staffing, organization management, payroll, time entry etc. Some teams might have sub-teams as well; external, internal and flexible staffing come to mind. Once the teams are identified, you can start by building roles and use the SAP* template roles provided by SAP as guides. Add/remove t-codes depending on feedback from users and functional teams. If you are using GRC, run a risk analysis for your roles to see which of them have inherent conflicts and need to be adjusted.

Q. 1) Context based solution (P_ORGINCON): the profile name is added to the PROFL field of P_ORGINCON; T77UA is not updated. 2) BADI HRBAS00_GET_PROFILE (for automatic profile assignment): does not update table T77UA. 3) Two function modules: FM 1, standard, RH_GET_MANAGER_ASSIGNMENT for managers; FM 2, custom, ZFM…, for Central HR Professionals, which provides access to org units based on the contract value in IT0001. Now we are pulling ECC/HR data to the BW system using 0PA_DS03. Issue: I found everything seems to be working fine (BADI, standard FM and P_ORGINCON) on the ECC side (RSA3) and on the BW side. However, the custom FM works perfectly on the ECC side (displaying data in PPOSE etc.) but does not show any records when checked in RSA3, so the data which is going to BW is also not correct. How and where is the problem? A. Remember that this is a standard extractor delivered as part of the business content and you might need to tweak the logic to make it work for you. Since your structural security is working properly on ECC, the matter would be better investigated by someone with more experience with extractors. Also check that the ID you are using for RSA3 or running the extraction has full general and structural authorizations.

Q. The difference between normal mode and expert mode? A. Using the expert mode allows you to re-read the SU24 check indicator values and defaults during role maintenance. You can choose to merge these values with the existing values in the role. The normal mode will not give this option.

Q. Should we run RHBAUS02 first and RHBAUS00 later on a periodical basis in an organization where we can expect daily OM changes? Please also elaborate on the use of the job RHBAUS02. Do these jobs still need to be run when we are using the context solution to assign profiles to users through roles using the P_ORGINCON and P_ORGXXCON objects? A. I think the functionality behind RHBAUS02 is already covered in the post below. Just go through it, as I really don't have anything more to say.
Normally both these jobs are scheduled to run in the background. RHBAUS00 should be scheduled once RHBAUS02 has finished.

Q. I have built a PD profile (NEW-ORG) to exclude HR associates from seeing each other's pay (IT0008), while being granted access to update non-HR associate IT0008 records. It was a tedious process since it involved statically including all org units except HR in my OOSP entries, with P_ORGINCON maintained as follows: AUTHC=R, IT=0008, PROFL=(NEW-ORG). So far it seems to work. The only problem is that only current IT0008 records are blocked for fellow HR associates. Historical pay records for former position/org assignments are still visible. From my understanding of context authorization, the system only picks up objects defined by the evaluation path for objects, in this case OBJ="P", and grants access in table T77UA. Why does a historical assignment still show in T77UA? Is there a way to lock historical IT0008 records from a security point of view? Or can this only be done through t-code PA* access? A. If your PD profile doesn't include the HR org units then how are you even getting read access to IT0008 of HR associates? Are there other authorizations which give access to IT0008? According to period of responsibility/time logic principles, if you get update access to even a single info-type record for a pernr, you would have read access to all records for the pernr for the same info-type. Were the offending pernrs ever on a default position? If your DFCON switch is set to give access to all employees with default positions, you will have read access to all their info-type records.

Q. I have implemented the context solution for Time Administrators in different geographical areas in the organization. When I assign a Time Admin role to a test user everything works okay, except that the user only displays half of the PERNRs assigned in T77UA (OOSB) when he pushes the entry help (match code) button for a "wide search" of all possible PERNRs. How do I display the entire list of object type "P" authorized in T77UA? I have already run the reports RHBAUS02 followed by RHBAUS00 but the user still matches only about half of the associates in the branch structure defined by the PD profile. ...and yes, I have assigned the PD profile in P_ORGINCON field PROFL. The user is able to update records for all PERNRs (even if they are not matched) that are authorized via the PD profile. How can I display all PERNRs for users to select from? Where can I verify if there is a restriction for the match code range? The PERNRs not visible start from "41000+". AUSTW PERNR=1 and DFCON=4 to allow access to non-integrated positions? A. If you can see a pernr in OOSB, the PD profile is not restricting access. Check the general authorizations (roles) assigned to the user to find if something is missing. Also, in many cases the entry help only returns the first 500 or so of the matches. This is certainly not a security error. Are you sure you are not facing this issue?

Q. This is one of those instances where you think you have done everything right and yet the expected results are not what you get. For example, when I execute PPOSE, I see two "PERSONS" assigned to the same position: two Admin. Clerks. The only thing different about them is that one has PERNR 40473 and the other 42576. They both belong to the same PERSA, EE, ESG etc. In one of my P_ORGINCON iterations, I have customized as follows: AUTHC=M, INFTY=0001, PERSA=*, PERSG=*, PERSK=*,

PROFL=ABCD, SUBTY=*, VDSKY=*. The entry help returns all PERNRs comparison -> from users -> and across systems. But I am not able to give the exact RFC destination. How to find the RFC destination? A. Simple way: using SUIM, segregate the roles from QA and PRD and compare the roles using Excel.

Q. I copied the roles from a production user and created a new user in quality for testing. But in quality the test user is not working as expected. So what should I compare? I have compared the roles in Excel and both are the same? A. Take SU53 using the test ID and make a role comparison.

Q. What is a routing rule? Give one example? A. A routing rule will be used based on conditions at a particular stage, like No Role Owner Found, SOD Violations Found, Role Certification, etc. It means that if the condition is SOD Violations Found at the Role Owner stage of a Change User Account request, then the request will be routed to the Controller stage in the SOD Controller path. The mapping will be done in the Maintain Paths and Maintain Route Mappings steps of the MSMP tool.

Q. What is centralized and decentralized FF? A. Centralized FF means you need to log in to the GRC system and you can use FF IDs from the GRC system itself; t-code GRAC_SPM/GRAC_EAM is for FF ID usage from the GRC system. Decentralized FF means you need to log in to that particular plug-in/backend SAP system to use the FF ID; t-code /n/GRCPI/GRIA_EAM.

Q. Can anyone tell me why enabler roles will be used in specific organizations? How are they created and why would a client go for creating those roles in SAP? A. The enabler concept is not recommended by SAP. It is actually used to reduce the number of roles. It will eliminate the concept of parent and child roles. If your project involves a huge number of derived roles and you want to cut them down, you can go for the enabler concept. But it somehow degrades the SOD analysis efficiency. Someone who has in-depth experience, please post your thoughts. Org values are maintained in a separate role ... Here we need to maintain two types of roles: 1. a role with only objects; 2. a role with only org values. So if any user asks for access to any transaction for any org value, you may have to assign two or more roles depending on the requirement.

Q. Why should an info-object be made authorization relevant in BW? A. To get the required data you need to run a query. Each query will have some fields with restrictions. To restrict those values you need an analysis authorization. You can maintain the restrictions through an analysis authorization only when the object is auth relevant.

Q. What must I check if roles for a user in a child system are not reflected in the CUA? A. 1. Run SCUL. 2. Check in SCUA whether all RFCs are showing green or not. 3. Run the text comparison from the child systems.

Q. 1. List compelling reasons why it is best practice to disconnect the child system from CUA before we refresh the child system; please mention the possible impact if this is not done. 2. Please help me understand when/for what purpose it is useful to use RSDELCUA from the CUA and when from the child (i.e. complete disconnection versus temporary disconnection). A. Disconnecting the child system through SCUA for any upgrade is not the right practice. Always run RSDELCUA in the CUA system so that it is disconnected completely. For this activity we should have CUA administrator access. Otherwise, after reconnecting the CUA, while transferring the users from the child system to the CUA using SCUG some users will lose some access, because the child system was not completely disconnected and some entries still exist in the CUA. That will cause the CUA entries to be pushed back to the child system. Finally the user will lose the access.

Q. What is the functionality of S_RS_FOLD in BI security? Why do we need to hide the InfoArea push button? Explain? A. The main purpose of S_RS_FOLD is to control whether the InfoArea button should be visible or not. It's better to hide it, because then the end user can't select queries from the InfoArea button and run random queries which they are not allowed or authorized to run.
Q. I have an issue with a BI user in the prod system. While executing a BI report from the portal it shows the error "Characteristic Valuation view has no master data for # value or you do not have authorization". The user is able to execute it in the DEV and QUA systems without any error, and the access is the same in all the systems. If I assign 0BI_ALL, the user is able to execute the report. What is the reason that the user is able to execute in DEV and QUA with the same authorizations but not in PRD? Is it related to the portal or BI? A. Can you do some search on the below. I assume you have added the # value in your analysis authorizations. But somehow that is not working in your prod system. There could be 2 reasons: 1) In prod, # is not added in the analysis authorization. 2) Some SAP note is missing which allows access for blank data (#). For the 2nd case you need to do some research. Maybe you can raise a message to SAP.

Q. A user is trying to assign a mitigation approver and mitigation owner to an org unit but both are not visible while mapping to the org unit. How will you troubleshoot? A. Check that the mitigation approver and mitigation owner users are created in the system. Go to: NWBC -> Setup -> Organizations -> click on "Organization" -> select Child Organization -> click on Open -> go to the "Owners" tab -> go to "Add row". Here you can add both Approver and Monitor; after that these users will be reflected.

Q. How to create a single role with SU01 display and SU10 full access? Note 1: without using SU01D. Note 2: without creating two separate roles, one for SU01 display and one for SU10 full access, and assigning them to the user. And also use a variant... TIA? A. Not possible. They use the same auth objects. Alternatively give access to SU01D. The underlying objects are the same; the only option is to give SU01D. OR it can be possible if you control access on user groups: display access on a particular user group and maintenance on others. Also you can restrict access on particular roles and profiles. I believe it is possible only this way. - When you restrict on user groups the display/maintain access will be the same in both the t-codes. His requirement is different. Hence suggested SU01D + SU10.

Q. Could anyone explain what challenges we face if we give the user ID as lastname.firstname? A. The number of characters in the last name and first name may not fit in the user ID. First name and last name can be the same for many employees in an organization, and it can have more characters than SAP allows for a user ID.

Q. What are internal fire fighter and external fire fighter? Tell me the differences? A. Such terms are not used for FF.
Just a guess: the interviewer may be referring to firefighting done by the IS team as internal FF and the one done when an OSS note is raised for SAP support as external FF ID, since it requires an ID similar to an FF ID which has almost all the authorizations. Even then it's an FF ID. Most of the people who are on the other side of the table want to prove that they are more expert than the candidates. Hence these dumb and crazy questions.

Q. "Configuration is locked by user" in MSMP. How can I resolve this? A. Go to SM12 and delete the table lock entries. Kill the account using t-code SM66.

Q. When a user logs in with the correct password he can log in to the SAP system, but if by chance he enters a wrong password and then tries to log in with the correct password, the SAP system asks to change the password? The user is a Dialog user and everything is fine in table USR02. A. The only reason can be that when a user logs in with a wrong password, the password status converts from productive password to initial password. This can be done by a custom program which triggers such a change.

Q. We got one request where a user has to use the role only in specific locations, so we created a new role and restricted it through org level values. But still the user is able to perform all activities in all locations? A. The user may be getting authorization from other roles. Better to do UAT with the single role which you have created with the org value restriction and trace where the user is getting access to other locations. Check object S_USER_GRP. And also check the respective org value in the auth object. Sometimes we maintain values in both places, the org levels tab and the auth object level.

Q. Enabler role concept? A. Enabler roles are the ones where the t-codes and non-org objects are maintained in one role and the org values are maintained in another. The user will get access to the t-codes when both roles are assigned. Enabler roles are not a recommended approach to maintaining authorizations as they allow people to do backdoor transactions. Even the risk analysis can't identify all the risks and you may end up with false positives. I do see some organizations that are using enabler roles even today, but if you are a solution architect you should provide them the pros and cons and educate them.

Q. For an FF ID, why are you using the user type Service and why not Dialog? Let me explain? A. Change the user type to Dialog instead of Service. You would know the answer. It will work for Dialog as well.... The reason we use a Service user is because the password for a Service user doesn't expire, so there is no need to reset the password every time it expires. An FF ID can use only Dialog or Service; if you set the FF ID as System or Communication, whenever you try to use the FF ID again it will ask for the password, so only Dialog or Service can be used for an FF ID. If you use Dialog for the FF ID, you need to pay license cost to SAP; if you use Service there is no need to pay license cost, and the password will also not expire and ask.

Q. How do we get the default variables and templates in the VARIABLES and TEMPLATES steps in MSMP? A. You have to activate the MSMP BC Set, which will get the default variables and templates. Check in transaction code SCPR20.

*** Go to table USR02 and in UFLAG specify the values 64 and 192, then get the list for the required dates. Increase the table width and output range: you just need to set 9999 and 99999 in the last two fields in the table; by default they were 200 and 250.

Q. When will we convert an authorization field into an organization field? A. Whenever you want to control any field value at plant level, we need to convert the global value to an org value. Ex: authorization group is a global field; now I want to convert this field to an org value. 1. Go to t-code SE38 and run PFCG_ORGFIELD_CREATE. 2. Give the field name which you want to convert to an org field. 3. Uncheck the test run option. 4. Execute.

Q. How can we extract the list of user email IDs in ECC? A. You can find the user ID and personal number in table USR21, and the personal number and email ID in table ADR6, and map them.

Q. Which fields can't be maintained for the user through SU10? A. You can maintain everything except the password and user address data.

Q. How to move all the users from one plant to another plant? A. First in AGR_1252 give org level = plant, value = the plant, and execute. Copy all roles and check in AGR_USERS. You will get the list of all users for that particular plant.

Q. Why do we give org values in the derived role only, in the parent and derived role concept? Can anyone tell me the reason? A. Let us take branches of a firm as an example: there are 3 branches, India, Australia and Singapore. Take the branches as company code, plant etc. Users of the India derived role are restricted to access only the Indian company code, plant etc. The same derived roles follow the org levels for Australia and Singapore.

Q. Do you know of a table which can show the list of t-codes related to a particular authorization object? A. The table is USOBT for standard and USOBT_C for custom. The other option is to go to SU24, select the auth object tab, give the required auth object and execute; you will get the list of t-codes which are associated with that object.

Q. How to generate non-generated profiles? A. In t-code SUPC we have the options: 1. roles with non-current profiles; 2. also roles to be compared; 3. roles with no authorization data; 4. all roles; 5. roles with current profiles for new generation.

Q. How to check deleted custom transaction history in SAP, since the t-code is available in the role but not in table TSTC? A. Go to SUIM - change documents - give the role name and execute. Check in tables AGR_1251 and AGR_TCODES. You may find the entry.

Q. How to check deleted custom transaction history in SAP? A. SM20.

Q. Can anyone tell me what is the use of Transport of Copies and Relocations? A. Transport of copies allows you to transport sub-objects in an object list into any other SAP system you want. We use a relocation TR when the development system of a complete package is to be changed on a permanent basis.

Q. Can you guys please tell me the t-code to see the list of all programs in the SAP system? A. SE16 with table TRDIR.

Q. Does anyone know how we can identify who has created critical auth variants in SUIM? A. Got you. There is no trace for the table. You need to enable the trace for the respective table where you are maintaining the variables and check in SCU3.

Q. Hi, can anyone please explain the difference between ECC security and BW security? What are the important authorization objects for BW security?

A. BW security is mainly based on analysis authorizations, which we need to protect InfoCubes, InfoObjects, OLAP and queries. It is also divided into 2 areas, authorization for administrators and authorization for business users, whereas R/3 security is mainly based on t-codes and authorization is controlled via authorization objects using profiles and roles. S_RS_COMP, S_RS_COMP1, S_RS_FOLD, S_RFC, S_TCODE, S_RS_AUTH.

Q. How can I mass update 2 auth objects in all the roles they have been assigned to? TIA? A. You can update the activity and values in SU24 for that object against the t-code and regenerate the role via expert mode (provided this doesn't impact your business); it needs thorough testing before moving the roles further to higher systems.

Q. User transfer to CUA: what do we do regarding the users who have default printers set up? These users are not transferred to CUA. Any suggestions other than creation of these printers in CUA? A. Check in SCUM what type of distribution is set in the Defaults tab for the printer. If global, it will push the printer name to the child system every time a change is made in the central system to the printer name for the user.

Q. Once the tracing is completed (ST01), how can we resolve the issue for the user without tracing codes? A. RC = 0: successful (the user is authorized). RC = 4: failed; the user does not have the authorization but does have the authorization object in their buffer (with a different authorization combination though). RC = 12: failed; the user does not have the authorization AND does not have the authorization object in their buffer.

Q. Is it possible to delete the inheritance relationship for multiple roles at a single time? A. Yes. You can use scripts like LSMW or SECATT, record for one role and run the same for all other roles... It will work.

Q. I would like to know if there is a possibility that authorizations get added to roles when you remove a t-code from it... Kindly help me understand why this could happen, or what I can check to know where these "unwanted" authorizations came from? A. Check if the standard values of this object were changed earlier without duplicating it. In case the standard value was changed, then check from which t-code it is getting pulled; you have an option inside the authorization tab to check it. Then duplicate the standard value, maintain your values manually and deactivate the standard one. When you change the standard values of the objects pulled through the t-code, it will keep on pulling the object every time you change the role, so it is always better to duplicate it and deactivate the standard values.

Q. What are the few required checks one has to perform in the system to maintain the system according to SOX compliance? If one gets the open system, what checks does he/she have to perform to go with the regulation? A. Basic SOX rules: who has change debug, maintain user master, change IDocs, execute and maintain OS commands, import TR, system admin functions, assignment of profiles to themselves, change client settings, batch/background job admin access, change profile parameters access, TemSe objects, change owner of spool, lock/unlock SAP*, DDIC, SAPADMIN.

Q. Where can we extract the list of user email IDs from the table? A. You need to use two tables; with a simple VLOOKUP you can get it (USR21 and ADR6).

Q. Even after connecting the child system to the CUA I am able to assign roles to users in the child system also, though user creation is still being done in the central system? A. Role assignment is set as global instead of central. Please check the configuration steps. Cross-check whether the target system is mapped properly or not, and also check the background jobs. If all the settings are correctly performed, then execute t-code BDM5 in the CUA and perform a consistency check for the respective systems.

Q. In PFCG, when do we inactivate/deactivate the authorization object? A.
In expert mode, if we choose the 3rd option (read old status and new status), for the changed-status object we copy the object and deactivate it. By doing so, in future if we add a t-code and in case it pulls the same object with the same field values which we changed, it detects that and, if it is coming from the same t-code, it will not pull it again.

Q. We have done an SAP upgrade and the user has the same roles in both systems, but they are not able to use SUIM and it's throwing a "NO AUTH" error. A. Have you regenerated all the roles by using the expert mode 3rd option? If not, you may be facing this kind of issue. Ask the user to reset the user buffer.

Q. How to extract all personnel numbers for user IDs (HR numbers) in ECC? Not the person number that we see in table USR21, but the maintained sales representative numbers for CRM users in ECC? A. Please take a look into tables BUT050 and BUT100. What do you mean by HR numbers? Is it PERNR numbers? If it is PERNR then you can find it in: 1. Table PA0105, using subtype 0001. 2. In PA20 press F4 and enter the user ID in one of the tabs which has ID/username; once you press Enter with the desired user ID you will get all the required information along with the pernr.

Q. Unexpectedly I locked all the users in client 800, and I am unable to open any of the clients even with the SAP*/DDIC users (getting "name or password incorrect"). So how could I solve this issue, as I am new to SAP? A. Use t-code EWZ5 and select all users who are unlocked. For an Oracle database, log in to the system with the adm user, open a command prompt and connect to the database:

    adm> sqlplus / as sysdba

In the command line use the SQL statements (schema = SAPSR3):

    SQL> delete from SAPSR3.USR02 where BNAME='SAP*' and MANDT='Client No';
    SQL> commit;
    SQL> exit

For unlocking a single user:

    SQL> update SAPSR3.USR02 set UFLAG='00' where BNAME='SAP*' and MANDT='Client No';

For unlocking all users:

    SQL> update SAPSR3.USR02 set UFLAG='00' where MANDT='Client No';

For a SQL Server database, open SQL Server Management Studio, connect to the database and execute the following query. For unlocking a single user:

    update sid.USR02 set UFLAG='00' where BNAME='SAP*' and MANDT='Client No';

For unlocking all users:

    update sid.USR02 set UFLAG='00' where MANDT='Client No';

Q. When a master role is modified, how many tables are affected? What are they? A. For even a small change in SAP a number of tables get changed!! But here the main table is AGR_1252, which gets the entry of the org value maintained in the derived role!! But remember that's not the only table!!

Q. In how many ways can a user be locked? And also explain how many kinds of locks are used in SAP? A. 32: locked by CUA admin. 64: locked by system admin. 128: locked by incorrect logon. 16: mystery locks. 192 (not sure): locked due to incorrect logon and then locked by the system. You can check the lock entries in USR02.

Q. I have a strange situation in BW 7.4. I changed the below InfoObjects to auth relevant in RSD1 (tried with RSA1 also): 0TCAIPROV, 0TCAVALID, 0TCAACTVT, 0TCAKYFNM and 0SALESORG. After turning them auth relevant and activating, I created an analysis authorization ZTEST1 in RSECADMIN and added these 5 objects with appropriate values. Then I saved and activated the AA (BW 7.4 asks to activate the AA). Before this, there was no InfoObject as auth relevant. But 0BI_ALL was still having 4 special InfoObjects (0TCAIPROV, 0TCAVALID, 0TCAACTVT and one more, I forgot the name). That's alright. Now, even after the above changes, I can't find any data in table RSECVAL for the ZTEST1 analysis authorization. 0BI_ALL also doesn't show the new auth relevant InfoObjects. I have tried to update the authorization for 0BI_ALL in RSECADMIN, but with no success. Do any of you know what could be the issue here? A. You need to use the migration tool to get all your InfoObjects back... in RSECADMIN you will find the migration tool in one of the menu drop-downs.

Q. How to find the validity of 500 users at a time? A. SU10 > authorization data > user > put all the names there and then execute...
It will display a screen with all the details of all users. From USR02 you will get the user ID and validity, but via SU10 it will give you data like user ID, user full name, validity etc. You can see the required details using the RSUSR200 program.

Q. If a user ID has been deleted accidentally, and then the user asks for the same user ID with the same authorizations, how will you proceed in this regard? A. SUIM - Change documents - enter the user ID and you will get all the information for the user ID like a log report; create the new user ID accordingly.

Q. What is the procedure for adding a custom t-code to a role? And what are the things we need to check? Please explain briefly? A.
1. Check with the developer whether they've put authority-check statements against any auth objects. If they haven't already, ask them to do so.
2. Create a dummy PFCG role in the unit test client and add the custom t-code to its menu.
3. Create a test user ID with only this dummy role and request the functional team to test the custom t-code while you have the system trace (ST01) turned on.
4. Keep updating the dummy role with the required authorizations until unit testing is successful.
5. Leveraging the required auth objects and values gathered above, maintain the SU24 settings for the custom t-code, then add the custom t-code to the required PFCG role's menu tab and maintain the auth values identified in the authorization tab accordingly in the dev source client.
6. Now you should be good to transport/promote this role forward.
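The USR02-UFLAG lock values quoted in the locking answer above (32, 64, 128, 16 and 192) are bit flags, so a single value can carry several reasons at once (192 is 128 + 64). The following Python is an added example, not code from this thread and not an SAP program: it decodes a UFLAG byte using exactly the meanings the answer gives, keeps 16 as the unexplained bit the answer mentions, and runs over a constructed USR02 extract whose user names and values are made up.

```python
"""Decode USR02-UFLAG lock values as listed in the answer above.

Added example; it is not code from the original Q&A thread. The bit meanings
are the ones the answer gives (32 CUA admin, 64 system admin, 128 incorrect
logons, 192 = 128 + 64); 16 is carried as the unexplained bit the answer
mentions. The rows below are constructed sample data, not real user master
records.
"""

from collections import Counter

# Bit -> meaning, in the order a reviewer would want to read them.
LOCK_BITS = (
    (128, "locked by incorrect logons"),
    (64, "locked by system administrator"),
    (32, "locked by CUA central administrator"),
    (16, "undocumented lock bit"),
)
KNOWN_MASK = sum(bit for bit, _ in LOCK_BITS)


def decode_uflag(uflag: int) -> list[str]:
    """Return every lock reason encoded in a USR02-UFLAG value (empty = unlocked)."""
    if not 0 <= uflag <= 255:
        raise ValueError(f"UFLAG is a single byte, got {uflag}")
    reasons = [text for bit, text in LOCK_BITS if uflag & bit]
    unknown = uflag & ~KNOWN_MASK & 0xFF
    if unknown:
        reasons.append(f"unknown bits 0x{unknown:02x}")
    return reasons


def is_admin_lock(uflag: int) -> bool:
    """True if an administrator (local or CUA) locked the user, whatever else is set."""
    return bool(uflag & (64 | 32))


def unlock_after_logon_failures(uflag: int) -> int:
    """Clear only the incorrect-logon bit; an explicit admin lock stays in place."""
    return uflag & ~128


# Constructed USR02 extract: (MANDT, BNAME, UFLAG).
SAMPLE_USR02 = [
    ("800", "JSMITH", 0),
    ("800", "AKUMAR", 128),
    ("800", "BATCH01", 64),
    ("800", "RLEE", 192),
    ("800", "CUAUSER", 32),
    ("800", "ODDUSER", 16),
]


def lock_summary(rows):
    """Count users per lock reason; multi-bit values are counted under each reason."""
    counts = Counter()
    for _mandt, _bname, uflag in rows:
        if uflag == 0:
            counts["unlocked"] += 1
        for reason in decode_uflag(uflag):
            counts[reason] += 1
    return dict(counts)


def locked_by_admin(rows):
    """Names of users carrying an administrator lock, for a periodic review."""
    return [bname for _m, bname, uflag in rows if is_admin_lock(uflag)]


if __name__ == "__main__":
    for mandt, bname, uflag in SAMPLE_USR02:
        print(f"{mandt} {bname:<8} UFLAG={uflag:<3} {decode_uflag(uflag) or ['unlocked']}")
    print(lock_summary(SAMPLE_USR02))
```

The split between `unlock_after_logon_failures` and the admin bits is the point: a user locked by failed logons and then by an administrator (192) should not become fully unlocked by a routine "clear logon locks" job, which is what the blanket `UFLAG='00'` statements quoted earlier would do.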

Q. What is the impact on roles when we convert an authorization field into an organization field? A. You need to update the org fields after this change, otherwise the roles will be inconsistent.

Q. Do we have any t-code or table to view who has changed the license type in SU01? A. Go to SU01 -> Information -> Change documents for the user.

Q. How to move all the users from one plant to another plant? A. We extract the plant users using SUIM: SUIM - Users - Users by complex selection criteria - then we have to give the plant object and plant value. Once we execute with the values we will get the list of plant users.

Q. When a user logs in with the correct password he can log in to the SAP system, but if by chance he enters a wrong password and then tries to log in with the correct password, the SAP system asks to change the password? The user is a Dialog user and everything is fine in table USR02? A. Check all the parameters regarding incorrect logon. To reset the password, there is a timeline set in the parameters for incorrect password logon too. There only the solution will be (as far as I know). Just do some R&D and play with the parameters for logon and password; you will get the solution.

Q. What is the difference between the ST01 and STAUTHTRACE t-codes and why is STAUTHTRACE in place?

A. STAUTHTRACE can be used for the authorization trace only, similar to the checkbox in ST01 for authorizations. A system-wide trace can be activated without worrying about switching to the server where the user is logged in. Most important, the trace output is user friendly, easy to analyze and extract to a spreadsheet.

Q. When do we create transport requests in the production system? A. We never ever create a TR in production as we are authorization members. In fact you won't get the chance to do so, as data moving starts from DEV to PRD via QA. Moreover, the PRD system does not have any target systems.

Q. Is there a way to find out what a user did in the SAP system on a particular day? A. SM20 is only the audit log. It needs configuration and does capture everything a user did. STAD only captures started transactions, but does not show all actions done within a transaction. You need to compare it with the change logs of tables, depending on whether table logging is switched on.

Q. Why do we need a composite role? Does a composite role have authorizations? A. A composite role is a combination of different single roles. Instead of assigning multiple single roles we can directly assign 1 composite role to the users. We don't maintain any authorizations in the composite role. The composite role contains single roles and we have already maintained the authorizations in those single roles. If you need some information on this, just search on sap.scn.
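The trace return codes from the ST01 answer earlier on this page (RC 0, 4 and 12) are what you act on after an ST01 or STAUTHTRACE run like the one described just above. The Python below is an added example, not code from this thread and not an SAP tool: it parses a small constructed trace excerpt in a simplified line format (a stand-in for the real trace export, whose layout it does not reproduce), explains each return code the way the answer does, and groups the failed checks by authorization object so that RC 12 objects (missing from the buffer entirely) are separated from RC 4 objects (present, but with the wrong field combination).

```python
"""Classify authorization-trace hits by return code (RC 0 / 4 / 12).

Added example; not code from the original Q&A thread and not a real SAP
program. The meaning of the return codes follows the ST01 answer on this page.
The line format below is a simplified stand-in for an ST01/STAUTHTRACE export
and the trace lines are constructed for this example.
"""

import re
from collections import defaultdict

# Return codes as described in the ST01 answer.
RC_MEANING = {
    0: "authorized",
    4: "failed: object is in the user buffer, but no authorization has this field combination",
    12: "failed: object is not in the user buffer at all",
}

# Simplified line layout: AUTH <user> <object> RC=<n> <FIELD=value;FIELD=value>
LINE_RE = re.compile(
    r"^AUTH\s+(?P<user>\S+)\s+(?P<obj>\S+)\s+RC=(?P<rc>\d+)\s+(?P<fields>.*)$"
)

# Constructed trace excerpt: user, object, return code, checked field values.
SAMPLE_TRACE = """\
AUTH TESTUSR S_TCODE    RC=0  TCD=SU01
AUTH TESTUSR S_USER_GRP RC=4  CLASS=SUPER;ACTVT=02
AUTH TESTUSR S_USER_GRP RC=0  CLASS=SUPER;ACTVT=03
AUTH TESTUSR S_TABU_DIS RC=12 DICBERCLS=SS;ACTVT=03
AUTH TESTUSR S_TABU_DIS RC=12 DICBERCLS=SS;ACTVT=02
garbage line that the parser must skip
"""


def parse_trace(text: str) -> list[dict]:
    """Turn trace lines into records; lines that do not match the layout are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["fields"].split(";") if "=" in kv)
        records.append(
            {"user": m["user"], "object": m["obj"], "rc": int(m["rc"]), "fields": fields}
        )
    return records


def explain_rc(rc: int) -> str:
    """Human-readable meaning of a return code; unknown codes are flagged, not guessed."""
    return RC_MEANING.get(rc, f"unexpected return code {rc}")


def missing_authorizations(records: list[dict]) -> dict[str, list[dict]]:
    """Group failed checks by object, deduplicating identical field combinations.

    RC 12 objects need a role that brings the object into the buffer at all;
    RC 4 objects need an existing authorization extended with the failing values.
    """
    missing: dict[str, list[dict]] = defaultdict(list)
    for rec in records:
        if rec["rc"] == 0:
            continue
        entry = {"rc": rec["rc"], **rec["fields"]}
        if entry not in missing[rec["object"]]:
            missing[rec["object"]].append(entry)
    return dict(missing)


if __name__ == "__main__":
    for obj, entries in missing_authorizations(parse_trace(SAMPLE_TRACE)).items():
        for entry in entries:
            print(obj, explain_rc(entry["rc"]), entry)
```

The deduplication matters on a real trace, where one screen can fire the same check dozens of times; what the role builder needs is the distinct set of object/field combinations that failed, which is exactly what `missing_authorizations` returns.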

Q. How to get organization values in a composite role? A. Check the PRGN_1252_READ_ORG_LEVELS function module.

Q. I would like to know if there is a possibility that authorizations get added to roles when you remove a t-code from it... Kindly help me understand why this could happen, or what I can check to know where these "unwanted" authorizations came from? A. When you remove a t-code from a role, all the relevant SU24 authorizations get removed. No authorizations are added. Maybe you would have updated the role object values with SU24 values. I mean the values in the fields of objects were changed to something other than what is maintained in SU24, and while removing the t-code from the role you would have selected the expert mode option, so the role has got values from SU24. You can see the changed values in the PFCG change authorization screen. The maintenance status of objects tells you the changes made in values.

Q. How to pull a report of users who have logged in between 01.01.2015 and 26.03.2015? It's not for the last login; I cannot use RSUSR200 or USR02 and don't have authorization for SM19 and SM20. I need to find out the list of users who have logged into the system for different numbers of sessions on different dates. For example, 1 user may have logged on on a day for different sessions? A. Execute ST03N -> select date -> User and Settlement Statistics -> User Profile.

Q. How to know who deleted/added roles to a user in SAP? I need to check the activities made to a user: why the role is gone and who did that?

A. SU01 --> Information --> Change Documents for Users (provide the user ID, from date and end date) and select Roles/Profiles.

Q. We have done an SAP upgrade and the user has the same roles in both systems, but they are not able to use SUIM and it's throwing a "NO AUTH" error. Could you please advise me how to check whether the notes are implemented or not?

A. Go to ST13 and run report RSECNOTE in that tool; after that you will get a total report of security notes, and you will be able to check whether the notes are implemented or not.

Q. How to lock mass users in the SAP portal?

A. SU01 or EWZ5 to lock mass users. 1) SAP NetWeaver Identity Management offers additional functions, enabling you to trigger the locking of users automatically and to remove all authorizations, say if your HR system changed the user's status. 2) If you already have a list of users: create a group -> add this group to all the users -> start Identity Management and display all users who are members of this group -> from the Table Selection menu, choose Select All -> lock. 3) SU10. The problem with EWZ5 is that you have all the background and service users listed as well.

Q. Change request management?

A. Activities such as role modification/creation, user modification and role assignment come under change management. While creating a ticket, the above activities will be created under change management.

Q. What is the business workflow of your company?

A. Interview question.

Q. How to trace background job authorization issues?

A. Set the background job to run on a specific instance like "Instance02" in SM51. Put the trace through ST01 in Instance02 for the step user used in the background job. Alternatively, t-code STAUTHTRACE should suffice for your requirement.

Q. I have an SECATT script for the deletion of all roles for mass users. While running the script I'm facing this error: "Error in eCATT command TCD SU01 Message no. ECATT507A TT 377 Control data is obsolete, rerecord (VERBS-NAME: GRIDMODIFIED CATT: GETEVENTPARAM Call. no: 000030)". Is anyone familiar with this error? Or is there an alternative for this?

A. Better try with the GUI recording method. And if you are running the query in another system, check the RFC connection and the RFC user's status. Anyhow, if your requirement is to remove multiple roles from multiple users, you can do that easily from SU10 in less than 5 minutes of effort.

Q. Role changes process?

A. By using a CCB (change control board) with the respective modules in the quality system, we can change the roles.

Q. I need one help: how to find the particular t-code used by a user on a particular date, and if we don't know the date, is there any t-code to find the above information?

A. In ST03N you can find Expert Mode; click on Total ---> then click on Transaction Profile ----> click on Standard Profile ---> you can find User Profile; just click on that.

Q. Where can we add a Reference type user ID?

A. Go to PFCG, select the role for which you want to add the reference user, select change mode and go to the Roles tab; there you can find "Reference user for additional rights", then assign the reference user in that option. The "Reference user for additional rights" option is available in SU01, not in PFCG. Generally, if the user already has access to 312 profiles but needs additional access, we can give the additional access through the reference user.

Q. Can anyone tell me why enabler roles are used in specific organizations? How are they created, and why would a client go for creating those roles in SAP?

A. An enabler role is nothing but a child role. In the t-code level role, we disable all org-level authorization objects and maintain these objects manually in a template role (parent role) with org values as (' '), and create the child role (enabler role) mapped to the parent role with specific org values such as XXXX. The security team will assign both the t-code level role and the enabler role (XXXX); then the user can perform activities only for that XXXX company code.

Q. We got one request where the user has to use the role only in specific locations, so we created a new role and restricted it through org-level values. But the user is still able to perform all activities in all locations?

A. 1. Maintaining org levels manually doesn't always work. 2. If you are manually adding org levels, make sure the authorization object that will check the org values has a blank field value. 3. Check if that user has some other role with the same authorization object maintained with * activity.

Q. List out compelling reasons why it is best practice to disconnect a child system from CUA before we refresh the child system. Please mention the possible impact if this is not done.

A. There are 2 reasons. 1. Say one PRD system is connected to 5 other PRD systems; when you do a system copy to the QAS system, the QAS system will become the parent and the old 5 PRD systems will become child systems. It's a risk. 2. If you refresh the child system without removing the connections, the default is to delete the connections.

Q. I want to take a trace, but the user is logging in through the portal. How to take a trace for that user?

A. You can use transaction AL08 to see which application server the user is currently logged onto. After you get that information, you can go to transaction SM50/SM51 to hop onto that application server and activate the trace.

Q. How to create a user in SAP if the Create button is not there?

A. If you are creating a user in a CUA child system, then there is no Create button.

Q. In ST01, after analysis we do get a log. But after a successful trace (filters with the correct time stamp and all) the log is empty. What can be the reason?

A. Just check on which application server the user is getting the error and put the trace on the user ID on that same application server. You can see the list of application servers in SM51, as suggested above. The log should be generated if you have correctly put the trace on the required ID on the correct application server and with the correct time stamp. I have never seen such a case; we would actually have to drill down into the issue (how the trace was set up and what activity the user is doing). I hope he is doing it in ECC only and not in the portal.
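The enabler-role answer and the three org-level troubleshooting points a few items above both rest on how the SAP authority check evaluates authorizations: every field of a single authorization instance must match (AND), but one matching instance anywhere in the user's roles is enough (OR). The toy model below is an added example written for this page, not SAP code or code from the original document; the role names and the F_BKPF_BUK field values are constructed. It shows that an enabler role restricting BUKRS to 1000 works as intended, that a display-only role with BUKRS '*' widens display but not posting, and that a further role carrying the same object with BUKRS '*' and ACTVT '*' (point 3 in the answer) grants the activity in every company code regardless of the enabler role.

```python
from typing import Dict, List, Set

# Toy model of the SAP authority check (added example, not SAP code).
# An authorization instance maps each field of an object to a set of values;
# '*' is the full authorization for that field, as in PFCG.
Authorization = Dict[str, Set[str]]           # field -> allowed values
RoleAuths = Dict[str, List[Authorization]]    # object -> authorization instances


def field_matches(allowed: Set[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def instance_matches(inst: Authorization, requested: Dict[str, str]) -> bool:
    # Within ONE instance every requested field must be satisfied (AND).
    return all(field_matches(inst.get(f, set()), v) for f, v in requested.items())


def granting_roles(user_roles: Dict[str, RoleAuths], obj: str, **requested: str) -> List[str]:
    """Roles holding at least one instance of obj that satisfies the request.

    Across instances and across roles the check is an OR: a single matching
    instance in any assigned role is enough, which is why a broad role elsewhere
    silently overrides an org-level restriction made in an enabler role.
    """
    return sorted(
        name for name, auths in user_roles.items()
        if any(instance_matches(inst, requested) for inst in auths.get(obj, []))
    )


def authority_check(user_roles: Dict[str, RoleAuths], obj: str, **requested: str) -> bool:
    return bool(granting_roles(user_roles, obj, **requested))


# Constructed roles following the enabler pattern described in the answer.
TCODE_ROLE = {"S_TCODE": [{"TCD": {"FB01", "FB03"}}]}        # org-level objects deactivated
ENABLER_1000 = {"F_BKPF_BUK": [{"BUKRS": {"1000"}, "ACTVT": {"01", "02", "03"}}]}
DISPLAY_ALL = {"F_BKPF_BUK": [{"BUKRS": {"*"}, "ACTVT": {"03"}}]}
WIDE_ROLE = {"F_BKPF_BUK": [{"BUKRS": {"*"}, "ACTVT": {"*"}}]}   # the "same object with *" case


def scenario() -> dict:
    base = {"Z_FI_TCODES": TCODE_ROLE, "Z_FI_ENABLER_1000": ENABLER_1000}
    with_display = {**base, "Z_FI_DISPLAY_ALL": DISPLAY_ALL}
    with_wide = {**base, "Z_OLD_FI_ALL": WIDE_ROLE}
    return {
        # enabler role works: posting allowed in 1000, denied in 2000
        "post_1000": authority_check(base, "F_BKPF_BUK", BUKRS="1000", ACTVT="01"),
        "post_2000": authority_check(base, "F_BKPF_BUK", BUKRS="2000", ACTVT="01"),
        # display role widens display only: fields are ANDed inside one instance
        "display_2000_with_display_role": authority_check(with_display, "F_BKPF_BUK", BUKRS="2000", ACTVT="03"),
        "post_2000_with_display_role": authority_check(with_display, "F_BKPF_BUK", BUKRS="2000", ACTVT="01"),
        # a role with BUKRS '*' and ACTVT '*' defeats the restriction; name the culprit
        "post_2000_with_wide_role": granting_roles(with_wide, "F_BKPF_BUK", BUKRS="2000", ACTVT="01"),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

When troubleshooting a case like the one in the question, the useful output is the list returned by `granting_roles` rather than a bare yes/no: it tells you which assigned role is the one supplying the broad instance, which is what SUIM's "Roles by Authorization Values" or a manual pass through each role's Authorizations tab would reveal in a real system.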

Q. How to assign a reference user to a dialog user?

A. Go to SU01 -> give the user ID -> enter change mode -> go to the Roles tab -> you can find the field "Reference User" -> enter the reference user ID and save. Now the reference user is assigned to the dialog user.

Q. What is the purpose of creating analysis authorizations in BI security?

A. To access reports like workbooks and query reports.

Q. What is the alternate t-code for SU01?

A. If the user doesn't have the SU01 t-code, the user can still perform similar access using these t-codes: OMDL, OMEH, OMWF, OPF0, OTZ1, OY27, OY28, OY29, OY30.

Q. How do you check if a position in SAP has any roles assigned to it?

A. PO13D --> select the plan version as the current version ---> select the Relationship infotype ---> click on the Overview button in the menu bar. Hope this helps you. (Or) you can also find it in table HRP1001.

Q. What does the text compare on the Roles tab do in an SAP CUA environment?

A. Text comparison will generate the data which is in the child systems. All the roles and user data will be stored in the CUA system so that we can work with the child system data from CUA itself.

Q. Can we use CUA to execute any report, or does it support SUIM? We have 15 systems with 50+ clients and need to fetch the list of users having SAP_ALL every fortnight. The client is asking us to use CUA?

A. You can use CUA for fetching the report. In SUIM you can pull the report through SUIM --> Users --> select the Cross-Client option at the top. It will fetch you the report for all the clients which are connected to CUA.

Q. Someone had created a number of roles in the system, had not maintained all authorization objects in them, and generated profiles for them. When I go into the Authorizations tab I can see a lot of unmaintained authorization objects. How can I find the list of roles which have their profiles generated with unmaintained objects?

A. Go to SUIM > Roles with complex selection; you can find it there.

Q. How to check the stack info, like ABAP or Java or both?

A. For the ABAP stack level, go to SPAM. For the Java stack you can follow any of these procedures. SM51: on dual-stack systems you'll see J2EE amongst the Message Types (image in the original: SM51 on a dual-stack system, taken from a NetWeaver PI 7.1 dual-stack system); purely ABAP systems won't have it listed. SMICM: check the list of services in transaction SMICM (menu: Goto --> Services); dual-stack systems will have the J2EE services listed too (look for P4 and IIOP in particular). There will also be an AS Java menu in SMICM on ABAP+Java systems. Profile parameters: ABAP+Java systems will have J2EE-specific parameters in their start/instance profiles (for example, rdisp/j2ee_start).

Q. How to add 100 to 200 t-codes to a role at a time?

A. You can directly add t-codes to the role menu from PFCG. Use the "Insert from clipboard (Shift+F12)" option.

Q. When I transport a role from Dev to Quality, its profile status changes to yellow, and I re-transported after regenerating the roles?

A. In SM30 open table PRGN_CUST. Click F4, make an entry in the table "Transport Generated Role", check that the default value is YES and save the table; then try to transport the role.

Q. How would I generate a list of executable t-codes for all users? It would be similar to using SUIM to see executable t-codes for a single user, but I need a list of all executable t-codes.

A. Step 1: List out all users in SAP using table USR02. Step 2: Go to table AGR_USERS to find out all the roles assigned to users in the SAP system; you will get every role in the system that is assigned to any user. Step 3: Go to table AGR_TCODES and copy in all the roles which you got in step 2. Execute and you will get your result.
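The three-step table lookup in the last answer can be run as a single join. The following is an added example written for this page, not code from the original document or from SAP: it builds an in-memory SQLite copy of the tables the answer names, using the SAP dictionary column names USR02.BNAME and UFLAG, AGR_USERS.UNAME, AGR_NAME, FROM_DAT and TO_DAT, and AGR_TCODES.AGR_NAME and TCODE, with invented rows. It goes beyond the answer in two respects a practitioner needs: it honours the assignment validity dates and the user lock status that a plain three-table copy ignores, and it resolves composite roles to their single roles through AGR_AGRS (AGR_NAME, CHILD_AGR), a table the answer does not mention.

```python
import sqlite3

# Constructed sample data modelled on the SAP tables named in the answer plus
# AGR_AGRS (composite -> single role). Column names follow the SAP dictionary;
# every row is invented for this example.
SCHEMA = """
CREATE TABLE USR02 (BNAME TEXT PRIMARY KEY, UFLAG INTEGER);
CREATE TABLE AGR_USERS (AGR_NAME TEXT, UNAME TEXT, FROM_DAT TEXT, TO_DAT TEXT);
CREATE TABLE AGR_AGRS (AGR_NAME TEXT, CHILD_AGR TEXT);
CREATE TABLE AGR_TCODES (AGR_NAME TEXT, TCODE TEXT);
"""

SAMPLE_ROWS = {
    # UFLAG 0 = not locked, 64 = administrator lock
    "USR02": [("ALICE", 0), ("BOB", 0), ("CAROL", 64)],
    "AGR_USERS": [
        ("Z_FI_DISPLAY", "ALICE", "20150101", "99991231"),
        ("Z_FI_POST",    "ALICE", "20150101", "20151231"),   # assignment has expired
        ("ZC_MM_BUYER",  "BOB",   "20150101", "99991231"),   # composite role
        ("Z_FI_DISPLAY", "CAROL", "20150101", "99991231"),
    ],
    "AGR_AGRS": [("ZC_MM_BUYER", "Z_MM_PO_CREATE"), ("ZC_MM_BUYER", "Z_FI_DISPLAY")],
    "AGR_TCODES": [
        ("Z_FI_DISPLAY", "FB03"), ("Z_FI_DISPLAY", "FBL3N"),
        ("Z_FI_POST", "FB01"),
        ("Z_MM_PO_CREATE", "ME21N"), ("Z_MM_PO_CREATE", "ME23N"),
    ],
}

# One query for the three steps, plus the two checks the answer skips:
# only assignments valid on the report date, and composite roles expanded.
QUERY = """
WITH assigned AS (
    SELECT u.BNAME, au.AGR_NAME
    FROM USR02 u
    JOIN AGR_USERS au ON au.UNAME = u.BNAME
    WHERE au.FROM_DAT <= :as_of AND au.TO_DAT >= :as_of
      AND (:include_locked OR u.UFLAG = 0)
),
single_roles AS (
    SELECT BNAME, AGR_NAME FROM assigned
    UNION
    SELECT a.BNAME, c.CHILD_AGR
    FROM assigned a JOIN AGR_AGRS c ON c.AGR_NAME = a.AGR_NAME
)
SELECT DISTINCT s.BNAME, t.TCODE
FROM single_roles s JOIN AGR_TCODES t ON t.AGR_NAME = s.AGR_NAME
ORDER BY s.BNAME, t.TCODE;
"""


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def executable_tcodes(conn: sqlite3.Connection, as_of: str = "20160315",
                      include_locked: bool = False) -> dict:
    """Return {user: [tcode, ...]} from role menus, for assignments valid on as_of.

    Note: AGR_TCODES reflects the role menu. What the system checks at
    transaction start is S_TCODE in the generated profile (AGR_1251), so for an
    audit this menu-based list is an approximation, not the final word.
    """
    params = {"as_of": as_of, "include_locked": int(include_locked)}
    result: dict = {}
    for bname, tcode in conn.execute(QUERY, params):
        result.setdefault(bname, []).append(tcode)
    return result


if __name__ == "__main__":
    db = build_sample_db()
    for user, tcodes in executable_tcodes(db).items():
        print(user, ", ".join(tcodes))
```

Run on the constructed rows, ALICE loses FB01 because the Z_FI_POST assignment expired, BOB inherits FB03 and FBL3N through the composite role, and CAROL is omitted unless `include_locked=True`. Against a real system the same SELECT (minus SQLite syntax differences) can be run in SE16N or via a DB query tool, or reproduced with SQVI joining the same four tables.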
