SAP Roles
You can use this report to determine all changes to the following objects:
- A user (RSUSR100)
- A profile (RSUSR101)
- An authorization (RSUSR102)
- A role assignment (RSSCD100_PFCG)
- A role (RSSCD100_PFCG)
Note that changes for users, profiles, and authorizations are divided into two areas:
- Changes to authorizations: creating the user, changing, adding, or removing profiles
- Changing header data: password changes, validity, user type, user group, account number, lock status
You can select both fields to obtain all information. In this case, the left column shows the status before the change and the right column shows the changed entry. You determine the changes for roles and role assignments using a separate interface.
2. The result list Lists of Change Documents for Users appears. You can display details for profiles and authorizations by double-clicking the appropriate object in the result list.
Determining Documents for Roles and Role Assignments

The interface for determining change documents for role assignments is a section of the interface for determining change documents for roles.
1. Start the user information system (transaction SUIM). Expand the Change Documents node. Choose the Execute option next to For Roles (or For Role Assignments). Enter the required details and then choose Execute.
You can select an individual role or a particular change document with the fields Name of the Role and Change Number of the Document. You can use the fields Changed By and To Date or To Time to further restrict the selection. You can use the button next to Changed By to enter your user name in the input field. You can also choose the following document types under Change Documents, where an additional input field is displayed at the end of the list for some document types:
- Overview of change documents
- Creating and deleting roles
- Role description
- Single roles in composite roles
- Transactions in the role menu
- Other objects in the role menu
- Authorization data
- Org. level value
- Authorization profile
- Attributes
- MiniApps
- Composite role home page
- User assignment
Transaction code SUGR is used to create and maintain user groups in an SAP system. User groups are commonly used to categorize users under a common denominator, sort users into logical groups, and allow segregation of user maintenance, which is especially useful in a large organization. User groups can be categorized into two types:
- Authorization user group: used in conjunction with the S_USER_GROUP authorization object. It allows you to create security management authorizations by user group. For example, a local security administrator can be limited to managing the users in his groups, or the help desk can be allowed to reset passwords for all users except users in certain groups.
- General user group: used in conjunction with SUIM and SU10 to select all the users in a specific group.
A user can be a member of only one authorization user group but of several general user groups.
To enable the security audit log, you need to define the events that the security audit log should record in filters. You can specify the following information in the filters:
- User
- SAP System client
- Audit class (for example, dialog logon attempts or changes to user master records)
- Weight of event (for example, critical or important)
You can define filters that you save in static profiles in the database, or you can define them dynamically for one or more application servers.
1. Select the tab strip for the filter you want to define. Enter the Client and User names in the corresponding fields. Select the corresponding Audit classes for the events you want to audit. Audit events are divided into three categories: critical, important, and non-critical. Select the corresponding categories to audit:
- Only critical
- Important and critical
- All
2. To activate the filter, select the Filter active indicator. You can view the security audit log from transaction code SM20.
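The filter fields described above (client, user, audit classes, weight selection, active indicator) can be modelled to check which events a planned filter set would leave unrecorded. This is an added example, not SAP code: the event records, the audit class labels, and the treatment of "*" as "any client or user" are assumptions of the sketch.

```python
from dataclasses import dataclass

# Weight of event, and each filter selection as the lowest weight it records.
WEIGHT = {"non-critical": 0, "important": 1, "critical": 2}
SELECTION = {"All": 0, "Important and critical": 1, "Only critical": 2}

def _match(pattern: str, value: str) -> bool:
    # Assumption of this sketch: "*" means any client / any user.
    return pattern == "*" or pattern == value

@dataclass(frozen=True)
class AuditFilter:
    client: str
    user: str
    audit_classes: frozenset
    selection: str
    active: bool = True  # the "Filter active" indicator

    def records(self, ev: dict) -> bool:
        # All criteria of one filter must hold for the event to be recorded.
        return (self.active
                and _match(self.client, ev["client"])
                and _match(self.user, ev["user"])
                and ev["audit_class"] in self.audit_classes
                and WEIGHT[ev["weight"]] >= SELECTION[self.selection])

def coverage(filters, events):
    """Return (recorded, missed); an event is recorded if any filter matches."""
    recorded, missed = [], []
    for ev in events:
        (recorded if any(f.records(ev) for f in filters) else missed).append(ev)
    return recorded, missed

# Constructed sample events and filters (class labels are illustrative).
EVENTS = [
    {"id": 1, "client": "100", "user": "JSMITH", "audit_class": "dialog logon", "weight": "critical"},
    {"id": 2, "client": "100", "user": "JSMITH", "audit_class": "dialog logon", "weight": "non-critical"},
    {"id": 3, "client": "100", "user": "ADMIN1", "audit_class": "user master change", "weight": "important"},
    {"id": 4, "client": "200", "user": "ADMIN1", "audit_class": "user master change", "weight": "critical"},
    {"id": 5, "client": "100", "user": "BATCH1", "audit_class": "report start", "weight": "important"},
]
FILTERS = [
    AuditFilter("*", "*", frozenset({"dialog logon"}), "Only critical"),
    AuditFilter("100", "ADMIN1", frozenset({"user master change"}), "Important and critical"),
    AuditFilter("*", "*", frozenset({"report start"}), "All", active=False),
]

def missed_ids(filters=FILTERS, events=EVENTS):
    return [ev["id"] for ev in coverage(filters, events)[1]]

if __name__ == "__main__":
    print("not recorded by any active filter:", missed_ids())
```

Event 4 is missed only because the second filter is bound to client 100, and event 5 because its filter is defined but not active; both are gaps that are easy to overlook when reviewing a filter set.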
The Security Audit Log produces an audit analysis report that contains the audited activities. By using the audit analysis report, you can analyze events that have occurred and have been recorded on a local server, a remote server, or all of the servers in the SAP System. The audit analysis report produced by the Security Audit Log is designed analogously to the System Log, transaction code SM21.
1. To access the Security Audit Log analysis screen, you can use transaction code SM20.
Transaction code PFCG is the role maintenance tool for managing roles and authorization data. The tool for role maintenance, the Profile Generator, automatically creates authorization data based on selected menu functions. These are then presented for fine-tuning. SAP recommends using the role maintenance functions and the Profile Generator (transaction code PFCG) to maintain roles, authorizations, and profiles. Although we can continue to create profiles manually, doing so requires detailed knowledge of all SAP authorization components. The role maintenance functions support this task by automating various processes and allowing more flexibility in the authorization plan. We can also use the central user administration functions to centrally maintain the roles delivered by SAP or our own new roles, and to assign the roles to any number of users. The roles, which are based on the organizational plan of your company, form the structure for the Profile Generator. These roles are the connection between the user and the corresponding authorizations. The actual authorizations and profiles are stored in the SAP system as objects. With roles, we can determine for any user the user menu that is displayed after they log on to the SAP System. Roles also contain the authorizations with which users can access the transactions, reports, Web-based applications, and so on that are contained in the menu.
In role maintenance, we can also change and assign roles, create roles, create composite roles, and transport and distribute roles.
Posted by itsiti on February 17, 2011 in SAP Basis. Updated on Dec 6, 2011.
1. Execute transaction code PFCG. At the initial screen, enter the role name and execute. The role's administration information is displayed: the creator name, the date and time of changes, and so on. Additional information is available under the menu, workflow, authorization, and user tabs.
1. You can check which users are currently assigned to a specific role in SAP. Execute transaction code PFCG. Enter the role name and you will be taken to a new page. Go to the user tab; from there you can see all the users that have been assigned to the role you are currently viewing.