2007 Dec 17 11:55 AM
Hi,
1. If I need to know all activities, i.e. all the tcodes executed by a user for a particular period of time, how can this be achieved?
2. What roles can we substitute SAP_ALL with?
Thanks
-UK
2007 Dec 17 12:10 PM
Hi
1. Use the search for the keywords ST03N and Security Audit Log
2. Build roles using PFCG to give the access that the users require. Without knowing exactly what they need to do, it's rather hard to make any recommendations.
2007 Dec 17 5:00 PM
Alex,
To add further: since the task here is to segregate the authorization of SAP_ALL, yet all the same include the activities that are normally needed to run the corporation (like a catch-22!), does the following make sense:
1. Include all the BC_A, BC_B & BC_C classes and give a fire fighter role.
Yes, I understand that this is purely a design question but certain building blocks need to be the same as
Thoughts?
Thanks
2007 Dec 17 5:54 PM
Hi George,
Creating a generic high power Basis role with the contents of BC object classes (and a few others) is a common way to create a Basis role. In this instance the original poster didn't tell us what roles the users with SAP_ALL are performing, which makes it impossible to recommend what replacements to give them.
One "gotcha" with this approach is that usually S_TCODE=* or has wide ranges. In the case of the Basis role they usually have all the S_ objects with * values and this can give them the ability to bypass the security that is in place. To secure it you need to know what all of the objects do and to maintain them as appropriate to meet your control requirements.
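Added example, not part of the thread or any poster's code: one way to review roles for the wildcard problem described in the reply above, flagging S_TCODE entries with * or wide ranges and other S_ objects with * values. It assumes role authorization values have been exported to CSV with the AGR_1251 columns AGR_NAME, OBJECT, FIELD, LOW, HIGH; the role names, the sample rows and the "wide range" heuristic are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows using the AGR_1251 column names (assumed CSV export).
# Role names are hypothetical.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_BASIS_ADMIN,S_TCODE,TCD,*,
Z_BASIS_ADMIN,S_USER_GRP,ACTVT,*,
Z_BASIS_ADMIN,S_USER_GRP,CLASS,*,
Z_BASIS_ADMIN,S_TABU_DIS,ACTVT,03,
Z_BASIS_ADMIN,S_TABU_DIS,DICBERCLS,*,
Z_BASIS_MONITOR,S_TCODE,TCD,SM20,
Z_BASIS_MONITOR,S_TCODE,TCD,ST03N,
Z_BASIS_OPS,S_TCODE,TCD,SA00,SZZZ
Z_BASIS_OPS,S_RZL_ADM,ACTVT,03,
"""

def is_wide_tcode(low, high):
    """Heuristic (an assumption, tune to your control requirements):
    full wildcard, a pattern with fewer than 3 fixed characters,
    or an interval whose ends do not share their first two characters."""
    if low == "*":
        return True
    if low.endswith("*") and len(low) <= 3:
        return True
    return bool(high) and low[:2] != high[:2]

def audit_roles(export_text):
    """Return {role: [(object, field, value), ...]} for risky entries."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        obj = row["OBJECT"]
        low, high = row["LOW"].strip(), row["HIGH"].strip()
        if obj == "S_TCODE":
            risky = is_wide_tcode(low, high)
        else:
            # Basis (S_) objects granted with a full wildcard value
            risky = obj.startswith("S_") and low == "*"
        if risky:
            value = f"{low}-{high}" if high else low
            findings[row["AGR_NAME"]].append((obj, row["FIELD"], value))
    return dict(findings)

if __name__ == "__main__":
    for role, items in audit_roles(SAMPLE_EXPORT).items():
        for obj, field, value in items:
            print(f"{role}: {obj}/{field} = {value}")
```

Each flagged entry still needs a manual decision: the script only lists where wildcards and wide ranges sit, not whether they are justified.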
2007 Dec 21 10:56 AM
Tcodes executed for a period of time:
1. You can perform auditing using SM18, SM19, SM20.
2. ST03N
3. The information is available for configurable time periods using transaction ST05N but it is not organized to readily provide a report of users and transactions. Also the information available summarizes a user's use of a transaction. There will be one entry (with count data) per user per time period. Daily, weekly and monthly summaries can be created and they are stored for configurable durations.
The information is summarized into a cluster table called MONI based on the STAT files that are written in the file system and regularly refreshed. MONI cannot be queried via SE16 etc., but SAP delivers a number of function modules that retrieve data from these tables.
It is also possible to configure audit logging via SM19 and read the log files via SM20. This will provide more detail but it also introduces new file management issues and requires a change to system settings.
Substitute SAP_ALL:
You can copy SAP_ALL through SU02 -> Utilities -> Copy
And use this as a substitute and assign it, with the required modifications, to the users.