Friday, February 6, 2009

Question: We're trying to restrict rights to release transports (DTRA); one role has most activities for S_TRANSPRT but not 43 (release). However, one user with this role managed to release a transport. The same role has S_CTS_ADMI with activity * (all activities); is this effectively "overriding" the restrictions in S_TRANSPRT?

Can't find any info on this elsewhere... tried SAP, SDN...

thanx...

Answer:
Look into SU24 and SU21, and from there into the documentation; this will give the requested info.

Answer:
The SAP documentation is (as often is the case) very opaque, to say the least. I think we have a decent idea of the relation between these objects, even though we haven't found a clear, logically structured explanation on exactly what are the limitations and interoperability of the two objects. Probably never will...

Answer:
Tronds,

I guess the generic problem here is that values were granted
for the activity field based on the principle "ALL - except (43)".
I advocate the 'need-to-have'.

Check whether activity 75 is in. This allows you to release
other users' objects.

Question: Does anyone know the name of the report, or how to find non-standard values such as ranges or * in the S_TCODE object? I think there is an SAP report but don't remember what it is.


Answer:
Look at report PFCG_AGRS_WITH_MANUAL_S_TCODE

Also use table AGR_TCODES and look for '*' by setting the selection option to "equals to" rather than blind entry of '*'

Question: I need to be able to find all roles that have a TCD value in S_TCODE of *.

How can I do that? SUIM's logic seems to give all roles. I need the specific value to be a '*'.

Thanks for your help.

Answer:
Hi bluedevil,
I usually use SE16 on AGR_1251 table to get what you are looking for...

Be sure to use the '=' single value selection option,
instead of the '[*]' pattern selection option, in the tcode field.

hope this helps, regards.

Question: Is there a SAP role for SAP auditor (internal control)? Is there a role to view the Implementation Guide customizing settings?

Answer:
Is there a SAP role for SAP auditor (internal control)? Is there a role to view the Implementation Guide customizing settings?

If you are still looking for the SAP delivered roles like S:A_SHOW etc, then rather go back to doing your accounting on paper.

SAP S_USER_ALL

Question: Hi...

I am about to administrate users and roles on a SAP system. Previously I was always given SAP_ALL, but this time I wanted more adequate access rights. I therefore requested the profile S_USER_ALL (All Authorizations for user and authorization maintenance).

But... only to find out that it did not include any value for TDC (transaction code) or the authorization object S_USER_VAL (which gives access to change values in PFCG).

Anybody with experience in this area?

What profiles/roles are you guys using for user/role administration?

Thanks for any reply


Answer:
Requirements will depend on your segregation of duties for user and role/profile administration.

We developed our own and did not depend on the SAP provided Roles.

Assign yourself SAP_ALL in a test client, set up a trace and run through your actions to see what auths and values you need.

Question: If there is a message in SU53 saying "T-DV76526201 Exists in user buffer" for the role T-DV76526201, and then below I would find the list of the transaction codes affected, does that mean that there was an error or is it just an informational message?

Are all messages appearing in SU53 just error messages or even informational messages?

Answer:
SU53 records the last authorisation failure for a user. The first block shows the system's authorisation requirement and the list below shows the authorisations present for that object for a particular user.

Answer:
I have seen the message you are talking about. The SU53 actually states something about an authorization existing in the user buffer but it still fails. I have found this is a throwback to pre-4.5 where the user must log off and back on again and it will usually work then. Give it a shot.

Authorizations

Access control in SAP is composed of several concepts:
  1. Program code that calls an authorization check using the authority-check statement. This will look something like:
    authority-check object <object> id <field> field <value>

  2. Authorization fields (corresponding to the <field> in the above code) that define a scope of possible values. Examples of authorization fields would be:
    ACTIVITY: defines the type of activity the user is doing with the data. Possible values are 'DISPLAY', 'MODIFY', 'DELETE', etc.

    COMPANY_CODE: possible values are any single value, or any range of values, or any combination thereof (such as '0438' and '0600' thru '1100')

  3. Authorization objects that define a group of fields. For example, an authorization object called 'CO_MDATA', containing our above fields ACTIVITY and COMPANY_CODE, might be used to control access to the company master data tables.

  4. Authorizations, each of which belongs to exactly one authorization object, that define authorization values (within the scopes defined by the authorization objects) to be granted to users. Note that an authorization is different from an authorization object! Extending our previous examples, we might have an authorization, belonging to the authorization object 'CO_MDATA', called 'CO_MDATA_ALL', that grants all access to all company master data. Then 'CO_MDATA_ALL' would have the following values:

    FIELD           VALUE
    ACTIVITY        *
    COMPANY_CODE    *

  5. Profiles, each of which may contain several authorizations or profiles. A simple profile contains a group of authorizations. A composite profile contains a group of profiles (simple or composite). [Profiles can be conceptualized as forming the structure of a tree, in which end nodes (leaves) are authorizations, and all other nodes are profiles. Simple profiles are nodes whose children are all end nodes, and composite profiles are nodes, other than end nodes, who have no end nodes for children.]

    Profiles are designed to define a set of one or more functions or positions. For example, a functional profile might define all the authorizations that are required for doing a goods receipt, or for making a payment in the AP module. A position profile, on the other hand, might define all of the authorizations that are granted to an accountant, or to a warehouse supervisor. Often, a position profile is a composite profile consisting of several functional profiles.

  6. Users, to whom profiles are assigned. A user is assigned one or more profiles by the system administrator. These profiles define all of the user's system authorizations.
It sounds complicated, but once you start working with authorizations, it's pretty easy.
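
The six concepts above, modelled in Python as an added example (not SAP code and not from the original page). CO_MDATA, CO_MDATA_ALL, ACTIVITY and COMPANY_CODE come from the text; the profile names, user names and CO_MDATA_DISP are constructed, and the model assumes the usual SAP rule that a check passes when a single authorization covers every requested field value.

```python
# Toy model of the authorization concept described above (constructed data).

def value_matches(granted, requested):
    """granted is '*', a single value, or a (low, high) range tuple."""
    if granted == "*":
        return True
    if isinstance(granted, tuple):
        low, high = granted
        return low <= requested <= high   # fixed-width codes compare as strings
    return granted == requested

# authorization name -> (authorization object, {field: [granted values]})
AUTHORIZATIONS = {
    "CO_MDATA_ALL": ("CO_MDATA", {"ACTIVITY": ["*"], "COMPANY_CODE": ["*"]}),
    "CO_MDATA_DISP": ("CO_MDATA", {"ACTIVITY": ["DISPLAY"],
                                   "COMPANY_CODE": ["0438", ("0600", "1100")]}),
}

# profile name -> children: authorizations (simple) or profiles (composite)
PROFILES = {
    "P_CO_DISPLAY": ["CO_MDATA_DISP"],   # simple, functional profile
    "P_CO_ADMIN": ["CO_MDATA_ALL"],      # simple, functional profile
    "P_ACCOUNTANT": ["P_CO_DISPLAY"],    # composite, position profile
}

# user -> assigned profiles
USERS = {"ALICE": ["P_ACCOUNTANT"], "BOB": ["P_ACCOUNTANT", "P_CO_ADMIN"]}

def expand(node):
    """Walk the profile tree down to its leaf authorizations."""
    if node in AUTHORIZATIONS:
        return [node]
    return [leaf for child in PROFILES[node] for leaf in expand(child)]

def authority_check(user, obj, **fields):
    """True if ONE authorization for obj covers ALL requested field values."""
    for profile in USERS[user]:
        for name in expand(profile):
            auth_obj, granted = AUTHORIZATIONS[name]
            if auth_obj == obj and all(
                any(value_matches(g, v) for g in granted.get(f, []))
                for f, v in fields.items()
            ):
                return True
    return False
```

Because authorizations only add up, BOB's extra P_CO_ADMIN profile passes every CO_MDATA check no matter how narrowly P_ACCOUNTANT is scoped, which is why a single '*' value anywhere in a user's profiles matters when reviewing roles.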
