<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Finding Authorization Objects and values for a given user in Application Development and Automation Discussions</title>
    <link>https://community.sap.com/t5/application-development-and-automation-discussions/finding-authorization-objects-and-values-for-a-given-user/m-p/1387953#M188792</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Sarah,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have done this at a few clients.  The following are some of the steps I have taken.  Also we do set the trace on the harder to find items and really have not noticed a system drain.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1.  I use SE80 to search the program code for auth calls.  You can do a search on &lt;STRONG&gt;auth&lt;/STRONG&gt;.&lt;/P&gt;&lt;P&gt;2.  If your programs are calling any BDC sessions then the transaction code run in the BDC session and the related auth objects will be needed.&lt;/P&gt;&lt;P&gt;3.  Once you have done the first two then you can set up a test ID and have the user invoke the programs by using SA38 and see if it hits any auth errors this way.&lt;/P&gt;&lt;P&gt;4.  What I would also do before doing number 3 is set up a trace for the day and compare it to what I have found.  Just need to be cautious when doing traces on an SAP_ALL ID because it will hit on optional auths that you may not really need.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I think of anything else I will let you know but I have been real successful in preventing the need for SAP_ALL in communication IDs.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Oh, most truly communication IDs will need auths such as S_RFC.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 20 Jul 2006 22:22:31 GMT</pubDate>
    <dc:creator>Former Member</dc:creator>
    <dc:date>2006-07-20T22:22:31Z</dc:date>
    <item>
      <title>Finding Authorization Objects and values for a given user</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/finding-authorization-objects-and-values-for-a-given-user/m-p/1387952#M188791</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We currently are in the process of removing SAP_ALL/SAP_NEW access from a few of our communication ids. Our Security team is asking us to come up with a list of the authorization objects and their values that the id is hitting in each system. We do not want to use tracing, such as ST01, for this because it is very resource intensive. We also have a list of all the programs that the id is running as well. Could you please suggest ways to gather this information? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Cheers,&lt;/P&gt;&lt;P&gt;Sarah&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 20 Jul 2006 21:03:41 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/finding-authorization-objects-and-values-for-a-given-user/m-p/1387952#M188791</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2006-07-20T21:03:41Z</dc:date>
    </item>
    <item>
      <title>Re: Finding Authorization Objects and values for a given user</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/finding-authorization-objects-and-values-for-a-given-user/m-p/1387953#M188792</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Sarah,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have done this at a few clients.  The following are some of the steps I have taken.  Also we do set the trace on the harder to find items and really have not noticed a system drain.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1.  I use SE80 to search the program code for auth calls.  You can do a search on &lt;STRONG&gt;auth&lt;/STRONG&gt;.&lt;/P&gt;&lt;P&gt;2.  If your programs are calling any BDC sessions then the transaction code run in the BDC session and the related auth objects will be needed.&lt;/P&gt;&lt;P&gt;3.  Once you have done the first two then you can set up a test ID and have the user invoke the programs by using SA38 and see if it hits any auth errors this way.&lt;/P&gt;&lt;P&gt;4.  What I would also do before doing number 3 is set up a trace for the day and compare it to what I have found.  Just need to be cautious when doing traces on an SAP_ALL ID because it will hit on optional auths that you may not really need.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I think of anything else I will let you know but I have been real successful in preventing the need for SAP_ALL in communication IDs.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Oh, most truly communication IDs will need auths such as S_RFC.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 20 Jul 2006 22:22:31 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/finding-authorization-objects-and-values-for-a-given-user/m-p/1387953#M188792</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2006-07-20T22:22:31Z</dc:date>
    </item>
    <item>
      <title>Re: Finding Authorization Objects and values for a given user</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/finding-authorization-objects-and-values-for-a-given-user/m-p/1387954#M188793</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The s_rfc authorizations and values it hits AND also requires will depend on the setting of your parameter auth/rfc_authority_check and whether you are using trusted RFC, in which case the check is suppressed in some cases.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You can (without performance problems) trace the incoming successful RFC calls via the security audit log (SM19).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In higher releases you can also trace the call transactions committed via SM20 (communication IDs do not really need any s_tcode but would typically need authorizations for the objects the tcode checks).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you have lots of time, you can check which function module within the function groups was called and from where it came by checking the RFC profiles in ST03N.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If the IDs are performing submit statements then you will also find these programs listed in transaction STAT for about a day or so after they were submitted.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If the IDs are calling routines on the operating system or datasets in the file system then the documentation in SU21 -&amp;gt; S_DATASET / S_PATH / S_C_FUNCT / S_LOG_COM might also be worth visiting.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I also agree with Mary, that a code review and some negative testing is what you would ultimately like to be doing.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 21 Jul 2006 08:35:35 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/finding-authorization-objects-and-values-for-a-given-user/m-p/1387954#M188793</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2006-07-21T08:35:35Z</dc:date>
    </item>
    <item>
      <title>Re: Finding Authorization Objects and values for a given user</title>
      <link>https://community.sap.com/t5/application-development-and-automation-discussions/finding-authorization-objects-and-values-for-a-given-user/m-p/1387955#M188794</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Also check whether you got any predefined profiles&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;for example&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you are planning to give access to a communication &lt;/P&gt;&lt;P&gt;between R/3 and BW&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;S_BI-WHM_RFC&lt;/P&gt;&lt;P&gt;S_BI-WX_RFC&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;and sometimes I try to assign the roles whatever the dialog user well enough to deal with issue and add S_RFC, etc.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Obviously what Mary said are to be followed if you want to restrict very well.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;nandan&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 27 Jul 2006 21:55:25 GMT</pubDate>
      <guid>https://community.sap.com/t5/application-development-and-automation-discussions/finding-authorization-objects-and-values-for-a-given-user/m-p/1387955#M188794</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2006-07-27T21:55:25Z</dc:date>
    </item>
  </channel>
</rss>

