2010 Mar 25 9:24 AM
Hi guys,
I need help.
We are creating security controls for the use of SU01, but have found that some transactions may also modify users, for example PP01.
Does anyone have a list of SAP transactions that call SU01?
Thanks a lot
Martha
2010 Mar 25 9:33 AM
As SU01 is a transaction as well you may want to find the program behind it (table TSTC or tr. SE93) and look for transactions that use the same program.
2010 Mar 25 9:55 AM
Hi,
another source is also table tcdcouples. Select SU01 in field CALLED to get a list of t-codes starting SU01 with 'call transaction'.
But the list may not be complete...
b.rgds, Bernhard
2010 Mar 25 10:54 AM
Thank you for sharing, Bernhard. That table was news to me ...
... and now I am depressed: DBACOCKPIT is calling SU01? What for? How reliable is the information contained in this table?
2010 Mar 25 12:26 PM
You can take a look in the FAQ thread at the entry:
> Note 358122 - Function description of transaction SE97 - Coupled "CALL TRANSACTION" pairs and restrictions.
A where-used-search on function module AUTHORITY_CHECK_TCODE will be useful as well, as will searching the forum here for discussions about it.
Cheers,
Julius
2010 Mar 25 1:03 PM
Thanks for pointing me in the right direction, Julius.
And ... please clap me on the ear, if I ever fail to do my R&D again. Sorry.
I still see no sense in the entry of (for example) DBACOCKPIT and SU01 - this transaction hasn't even the remotest functionality around SU01 (no calls, no includes, no methods, nothing ... I checked) - but obviously this is along the same alley as LT03 and S_BTCH_ADM ...
2010 Mar 25 1:46 PM
Can't find anything either for DBACOCKPIT, but I guess it was there at some stage - perhaps way back a while.
There is no harm in the entry being in SE97 though, until you turn the check off inappropriately. Unmaintained but entered is the same as "Check". For the function module I mentioned it does not matter, but for CALL TRANSACTION statements which do not call the function module it does matter as there is no check.
It being impossible to maintain all combinations of all transactions against each other, SAP invented the function module and called it upfront in SU01 and SU01_NAV as well as many other transactions which now use this FM.
Cheers,
Julius
Edited by: Julius Bussche on Mar 25, 2010 3:10 PM
2010 Mar 25 12:28 PM
> example as PP01.
That calls SU01's navigation cousin, and the check is not deactivated. The user of PP01 will not be able to access SU01 if not authorized.
A where-used-list on the BAPI_USER* function modules will be relevant as well.
Rather rely on S_USER_GRP etc authorization objects if functionality is critical for you. It is more reliable to take that approach.
Cheers,
Julius
2010 Mar 29 8:15 PM
Hi,
here are some alternatives for SU01:
SU10, SU12, SU01_NAV,
GCE1, OIBB, OMDL, OY22 ... -> search in table TSTCP for parameter /NSU01
cheers
Jörg
Edited by: Jörg Weichert on Mar 29, 2010 9:49 PM Posted to wrong thread.
2010 Mar 29 9:48 PM
Yep, you might want to take a look into tables TFDIR and USOBHASH as well.
If something is critical for you, you need to control it at object level for the use-case, otherwise it is a "low brainer".
Cheers,
Julius
Edited by: Julius Bussche on Mar 29, 2010 10:48 PM
2010 Mar 29 10:02 PM
Hi,
Julius is right, you have to control it on the object level, especially when somebody is able to call function modules.
In table TSTCP you have to search for su01 (and su10 etc), otherwise you will miss some transactions, e.g. OOUS.
cheers
Joerg
2010 Mar 29 10:11 PM
And once you have exposed them, then it makes sense to audit the systems you trust and not only the "local" one (e.g. SolMan, CUA master, IdM, etc..).
As an alternative, some auditors like to system audit each company locally...
If you secure the security locally in authorizations, then it will make your life easier and system maintenance costs lower in the long run, as well as auditing.
Cheers,
Julius
2010 Mar 30 5:00 AM
It is someone else's post and an ongoing discussion is already going. Pardon my sudden intrusion. But I was surprised by so many transactions with the same functionality like SU01. Even the same screen. Why???
2010 Mar 31 9:37 AM
Julius,
Thanks very much for your help.
I appreciate and am using your help :)
Martha
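
The three lookups suggested in this thread (same program in TSTC, parameter transactions in TSTCP, coupled pairs in TCDCOUPLES) can be combined over table exports, shown here as an added example that is not part of any poster's message. The rows are constructed, the program names and Z* transactions are made up, and the `OKFLAG` column name, its `N` value and the `/*` parameter prefix are assumptions not stated in the thread.

```python
import re

# Constructed sample rows, not a real system export. Program names and the
# Z* transactions are made up; OKFLAG values and the "/*" prefix are assumptions.
TSTC = [("SU01", "ZPROG_USER"), ("ZUSER_COPY", "ZPROG_USER"), ("SE16", "ZPROG_BROWSE")]
TSTCP = [("GCE1", "/NSU01"), ("OOUS", "/*SU01 FIELD=VALUE;"), ("ZVAR", "/NSE16")]
TCDCOUPLES = [("PP01", "SU01_NAV", "X"), ("DBACOCKPIT", "SU01", ""), ("ZTOOL", "SU01", "N")]

TARGETS = {"SU01", "SU10", "SU12", "SU01_NAV"}
# "/N<tcode>" or "/*<tcode>" at the start of TSTCP-PARAM names the called transaction.
PARAM_RE = re.compile(r"^/[N*]\s*([A-Z0-9_/]+)", re.IGNORECASE)


def reaching_transactions(targets, tstc, tstcp, couples):
    """Map each transaction that leads to a target onto the reasons why."""
    targets = {t.upper() for t in targets}
    programs = {prog for tcode, prog in tstc if tcode.upper() in targets}
    found = {}

    def note(tcode, reason):
        if tcode.upper() not in targets:
            found.setdefault(tcode.upper(), []).append(reason)

    for tcode, prog in tstc:                      # same program behind the tcode
        if prog in programs:
            note(tcode, f"same program as a target ({prog})")
    for tcode, param in tstcp:                    # parameter transactions
        m = PARAM_RE.match(param.strip())
        if m and m.group(1).upper() in targets:
            note(tcode, f"parameter transaction for {m.group(1).upper()}")
    for calling, called, okflag in couples:       # SE97 pairs
        if called.upper() in targets:
            # Blank (unmaintained) counts as "check", as stated in the thread.
            state = "check switched off" if okflag.strip().upper() == "N" else "check active"
            note(calling, f"CALL TRANSACTION {called.upper()}, {state}")
    return found


if __name__ == "__main__":
    result = reaching_transactions(TARGETS, TSTC, TSTCP, TCDCOUPLES)
    for tcode, reasons in sorted(result.items()):
        print(f"{tcode:12} {'; '.join(reasons)}")
```

A search for the literal `/NSU01` would miss the constructed OOUS row, which is why the pattern extracts the called transaction instead. As the thread says, such a list may not be complete, so it supplements authorization-object checks such as S_USER_GRP and does not replace them.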