SAP Authorizations Search for user and password locks - SAP Corner

Direkt zum Seiteninhalt
Search for user and password locks
User & Authorization Management with SIVIS as a Service
Run step 2a (automatic synchronisation with SU22 data). In this step, the data of the transaction SU22 of the new release will be transferred to the transaction SU24. If there is a change or difference in applications (changed check marks, suggestions, field values, or new or deleted authorization objects), the USOB_MOD or TCODE_MOD table of the MOD_TYPE is set to M. With SAP Note 1759777, a selection is offered for step 2a, with which this step can be simulated. Another option, Delete Flags for applications with modified data, is offered to apply the new changes only if Step 2a is executed selectively.

You can translate text blocks in permission roles individually using the SE63 transaction. If you need to translate many roles, there are also automation options that we present here. There are several scenarios in which it becomes interesting to translate the texts of permission roles, for example, if your company is acting internationally. Also, you may have taken over a third party company and the SAP systems used there, or you may want to simplify the SAP system landscape by combining different divisions in one system. In all of these cases, you must standardise or translate the texts of the authorisation roles. For pure translation, you can use the transaction SE63, which we explain in the first section of this tip. In general, however, you will need to translate a large number of role texts in these scenarios; Therefore, in the second section we will explain how you can automate the translation using the LSMW (Legacy System Migration Workbench) transaction and will discuss how to set up a custom ABAP programme.
Object S_BTCH_ADM (batch administration authorization)
However, the permission trace is a long-term trace that you can turn on using the auth/authorisation_trace dynamic profile parameter. This trace is user- and client-independent. In the USOB_AUTHVALTRC table, the trace supplements the permissions checks that were not captured before the application ran. This function can also be used for customer-specific developments. Now, go to the RZ11 transaction, enter the auth/authorisation_trace parameter name in the selection box, and click View. You will now get to the detailed view of the profile parameter with all properties and the link to a documentation. To turn the trace on, click Change Value and a pop-up window will open. Enter "Y" or "F" for filters here if you want to define a filter (see Tip 38, "Use SU22 and SU24 transactions correctly") and save your input. A warning appears informing you that the parameter value would be reset when the application server is launched.

You use Central User Management and wonder why you still need to evaluate the licence data individually in the attached systems. This does not have to be the case, because a central evaluation is possible! There are licence fees for using SAP systems, and you need SAP licence keys. The amount of your licence costs will be determined during the current operation, depending on the number of users and the features used in the SAP software. The survey programme (transaction USMM), the results of which you transmit to SAP, serves this purpose. Not only the number of users is relevant, but also their classification, the so-called user types. You assign these to the user via the transaction SU01 or the transaction SU10 (Licence Data tab). Alternatively, you can let the user inherit the user type of a reference user or classify it via an associated role. This is done by analogy when you use the Central User Administration (ZBV). So far, there has been no central evaluation of the data of all systems connected to the ZBV. Now this has changed, and we'll show you how you can use this analysis.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

The Profile Generator is used to simplify and speed up user administration and should always be used when setting up authorizations for your employees.

You can also find some useful tips from practice on the subject of SAP authorizations on the page

Forgotten passwords and the frequently resulting user locks are unfortunately often lost to the user when access to a system is most needed.
SAP Corner
Zurück zum Seiteninhalt