Solved: Report for Roles / Authorizations for users

Former Member · ‎2010 Jul 01

Is there a transaction / report / table from which we could analyse the number of roles and the number of authorizations in the user buffer for a group of users?

I would like to check the number of users who have more than say, 100 roles or who have more than 5000 authorizations.

AGR_USERS would give the number of roles but not the count and SU56 would have to be done per user. I was looking for a global check (if we have one)

Bernhard_SAP · ‎2010 Jul 01

Hi,

number of assigned authroizations can be achieved quite easy by checking table USRBF2 (=SU56 result).

b.rgds, Bernhard

Bernhard_SAP · ‎2010 Jul 01

Hi,

number of assigned authroizations can be achieved quite easy by checking table USRBF2 (=SU56 result).

b.rgds, Bernhard

Former Member · ‎2010 Jul 01

Thanks Bernard, i like what the table shows but i was looking at a option where i could check on >= 5000 authorizations, else everytime we need to make a check, we would have to download the table and work in Excel

Bernhard_SAP · ‎2010 Jul 01

... how about a short abap with a select on that table counting lines and exporting users with more than 5000 lines???

b.rgds, Bernhard

Former Member · ‎2010 Jul 01

hmmmmm........thats an option i did think of, but i was looking if there was somethign "standard" , even if it is something that can be derived by parsing values through multiple tables

Former Member · ‎2010 Jul 01

How many users do you have? You could dump AGR_USERS into Excel and create a pivot table to give you counts for users.

Alternatively someone with basic Access skills should be able to create a report that has a count per userID

Former Member · ‎2010 Jul 01

Hi Alex,

the problem is not with the number of users in the system, the issue is in the frequency of the job.......off late there have been quite demanding needs for various cross-country authorizations and the level of the required authorizations are as diverse as the countries itself........i want to make sure that users are not getting blocked due to the double whammy (roles > 312 and the profile parameter value defined)

its a real pain if we have to do it in excel everytime we have to make a check

Former Member · ‎2010 Jul 02

OK, I understand, I thought it may be a "one-off" exercise. It sounds a familiar situation

I think I would go along the lines of Bernhard's approach and get a small prog developed. Maybe schedule it daily and emailed straight to those responsible for the role mapping....

Former Member · ‎2010 Jul 02

Shekar,

I often use transaction su56. There you can find the user buffer from the user (see the i think third button on top left) you want and look for the authorization object you need or get an overview from all. In the profile is the exact content that will be in the user buffer. double click on the profile and/or the role and you find the values.

If you have to many roles, I suggest you make a sub set to find out. One of the urs tables(urs04?? ) has a number of profiles, this may not be above about 3100. There is an Oss note for this.

You can also review table entry counts for specific user accounts via SE16 or SE17 against UST04.

Thanks,

Sri

Former Member · ‎2010 Jul 02

>

> Shekar,

>

> I often use transaction su56. There you can find the user buffer from the user (see the i think third button on top left) you want and look for the authorization object you need or get an overview from all. In the profile is the exact content that will be in the user buffer. double click on the profile and/or the role and you find the values.

usage of SU56 was never under question

> If you have to many roles, I suggest you make a sub set to find out. One of the urs tables(urs04?? ) has a number of profiles, this may not be above about 3100. There is an Oss note for this.

This comment made some interesting search results for me. When i check my own authorizations i see i have 784 authorizations shown in SU56, fromAGR_users i see that i have 33 roles and the no.of profiles and authorizations shown in USR04 is 384...........i am wondering on this value in USR04. I read some OSS notes and my understanding says that the values in USR04 is for the number of profiles a user can have in his authorizations and if a particular note 841612 is not applied the system terminates the value at 300 even if the user has 312 in his permitted authorizations........so far so good to read, but this makes me wonder on why it shows 384 in my no.of profiles

Former Member · ‎2010 Jul 04

> ... and SU56 would have to be done per user. I was looking for a global check (if we have one)

Here is the catch...

For the user to run their own SU56 to analyze their buffer, they must have logged on! If the user has been assigned all of the 312 profiles available but not logged on yet, then potentially there is a problem waiting for you... ~~but the buffer will not be loaded and you will not spot it~~ This is not necessarily correct since release 6.20, but anyway could give incorrect results.

I am not aware of any standard tool to analyze this, except for the checks which SU01 etc performs before assigning roles - which might be a possible solution for you: Define a "limit" for the number of profiles (N) which a user can be assigned before a "warning" should be sent. Then schedule a job which simulates the assignment of N profiles to the user(s) with the most current profiles assigned and check to see whether 1 = 0...

* <<< note 841612
  CALL FUNCTION 'SUSR_USER_PROFS_BUFFER_SAVECHK'
    EXPORTING
      username         = user_name
      use_message_type = lc_error
    CHANGING
      return         = lt_return.

  LOOP AT lt_return INTO ld_return.
*   possible messages:
*   limit of profiles at user &1 exceeded
    IF 1 = 0. MESSAGE e263(01) WITH ld_return-message_v1. ENDIF.

The real limit is in USR04, but you can use UST04 with greater ease to find the number. I would concentrate on that and not worry about the number of authorizations themselves at user-assignment-time. Rather do that to some extent while designing and building the roles for the number of users - though again here I would suggest giving preference to making the role(s) easy to assign to the function and not any speculative limit to the number of authorizations which a user should have in total, or per object.

Cheers,

Julius

Edited by: Julius Bussche on Jul 4, 2010 10:55 AM

Not necessarily correct statement commented out.

Frank_Buchholz · ‎2010 Jul 07

>


> > ... The real limit is in USR04, but you can use UST04 with greater ease to find the number. ...

UST04 gives the profile names, too, but you have to count the entries per user. On the other hand, USR04 gives the count directly after a small calculation:

The count of assigned profiles is ( USR04-NPRO - 2 ) / 12

Example: Searching for NPRO > 3002 in SE16 produces the list of user having more than 250 profile assignments.

Kind regards

Frank Buchholz

Former Member · ‎2010 Jul 07

Hi Bernard,

thanks for the logic, but I am uanble to interpret the different data from AGR_USERS, USR04 and SU56

For a user X the AGR_USERS table shows 82 roles

USR04 shows 1022 authorizations, using the logic you mentioned ((USR04-NPRO)-2)/12 gives me 85 (which is not consistent with AGR_USERS, but this i can still digest because there could be a few roles that have more than one profile generated.....so far so good even if my self-conviincing logic is wrong

But strangely when i check for the same user X in SU56 it shows 2691 authorizations, which is way beyond what is shown in USR04

Former Member · ‎2010 Jul 07

Hi Frank,

Indeed the USR04-NPRO formula is much easier and ergonomic - once known

Many thanks for sharing!

Cheers,

Julius

Former Member · ‎2010 Jul 07

> SU56 it shows 2691 authorizations, which is way beyond what is shown in USR04

SU56 is authorizations.

USR04 is profiles.

It's like jelly fish and oceans..

Cheers,

Julius

Frank_Buchholz · ‎2010 Jul 07

AGR_USERS shows the role assignment.

USR04 / UST04 shows the profile assignments. Roles could have 0, 1 ore more generated profiles; there might exist additional manual profile assignments -> the counts will differ a little bit.

USRBF2 / SU56 shows the authorization assignments. Manual profiles and generated profiles contain a lot of authorizations -> the count is much higher.

There exist only a limitation concerning table USR04 which restrict the count of assigned profiles to max. 312. All other assignments are not limited (assuming that you do not create profiles manually anymore).

Kind regards

Frank

Former Member · ‎2010 Jul 07

thanks a lot for sorting out the confusion in my head

By Category

Related Content

Activity Groups

Industry Groups

Influence and Feedback Groups

Interest Groups

Location Groups

Customer Only Groups

Forums

Related Resources

Products

Learning and Support

About

My SAP Profile

My SAP Profile

Report for Roles / Authorizations for users