Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

SAP transactions that call SU0 1

Former Member
0 Kudos
579

Hi guys,

I need a help.

We are creating security controls to use the SU01, most have found some transactions may also modify users, exemple as PP01.

Does, anyone have a list of SAP transactions that call SU0 1

Thanks a lot

Martha

1 ACCEPTED SOLUTION

jörg_weichert
Explorer
0 Kudos
370

Hi,

here are some alternatives for SU01:

SU10, SU12, SU01_NAV,

GCE1, OIBB, OMDL, OY22 ... -> search in table TSTCP for parameter /NSU01

cheers

Jörg

Edited by: Jörg Weichert on Mar 29, 2010 9:49 PM Posted to wrong thread.

13 REPLIES 13

jurjen_heeck
Active Contributor
0 Kudos
370

As SU01 is a transaction as well you may want to find the program behind it (table TSTC or tr. SE93) and look for transactions that use the same program.

Bernhard_SAP
Product and Topic Expert
Product and Topic Expert
0 Kudos
370

Hi,

another source is also table tcdcouples. Select SU01 in field CALLED to get a list of t-codes starting SU01 with 'call transaction'.

But the list may not be complete...

b.rgds, Bernhard

0 Kudos
370

Thank you for sharing, Bernhard. That table was news to me ...

... and now I am depressed: DBACOCKPIT is calling SU01? Whatfor? How reliable is the information contained in this table?

0 Kudos
370

You can take a look in the FAQ thread at the entry:

> Note 358122 - Function description of transaction SE97 - Coupled "CALL TRANSACTION" pairs and restrictions.

A where-used-search on function module AUTHORITY_CHECK_TCODE will be usefull as well, as will searching the forum here for discussions about it.

Cheers,

Julius

0 Kudos
370

Thanks for pointing me in the right direction, Julius.

And ... please clap me on the ear, if I ever fail to do my R&D again. Sorry.

I still see no sense in the entry of (for example) DBACOCKPIT and SU01 - this transaction hasn't even the remotest functionality around SU01 (no calls, no includes, no methods, nothing ... I checked) - but obviously this is along the same alley as LT03 and S_BTCH_ADM ...

0 Kudos
370

Can't find anything either for DBACOCKPIT, but I guess it was there at some stage - perhaps way back a while.

There is no harm in the entry being in SE97 though, until you turn the check off inappropriately. Unmaintained but entered is the same as "Check". For the function module I mentioned it does not matter, but for CALL TRANSACTION statements which do not call the function module it does matter as there is no check.

It being impossible to maintain all combinations of all transactions against each other, SAP invented the function module and called it upfront in SU01 and SU01_NAV as well as many other transactions which now use this FM.

Cheers,

Julius

Edited by: Julius Bussche on Mar 25, 2010 3:10 PM

Former Member
0 Kudos
370

> exemple as PP01.

That calls SU01's navigation cousin, and the check is not deactivated. The user of PP01 will not be able to access SU01 if not authorized.

A where-used-list on the BAPI_USER* function modules will be relevant as well.

Rather rely on S_USER_GRP etc authorization objects if functionality is critical for you. It is more reliable to take that approach.

Cheers,

Julius

jörg_weichert
Explorer
0 Kudos
371

Hi,

here are some alternatives for SU01:

SU10, SU12, SU01_NAV,

GCE1, OIBB, OMDL, OY22 ... -> search in table TSTCP for parameter /NSU01

cheers

Jörg

Edited by: Jörg Weichert on Mar 29, 2010 9:49 PM Posted to wrong thread.

0 Kudos
370

Yep, you might want to take a look into tables TFDIR and USOBHASH as well.

If something is critcal for you, you need to control it at object level for the use-case, otherwise it is a "low brainer".

Cheers,

Julius

Edited by: Julius Bussche on Mar 29, 2010 10:48 PM

0 Kudos
370

Hi,

Julius is right you have to control it on the object level, especial when somebody is able to call function modules.

In table TSTCP you have to search for su01 (and su10 etc) otherwise you will miss some transactions, e.g. OOUS .

cheers

Joerg

0 Kudos
370

And once you have exposed them, then it makes sense to audit the systems you trust and not only the "local" one (e.g. SolMan, CUA master, IdM, etc..).

As an alternative, some auditors like to system audit each company locally...

If you secure the security locally in authorizations, then it will make your life easier and system maintenance costs lower in the long run, as well as auditing.

Cheers,

Julius

0 Kudos
370

It is someone elses post and a ongoing discssion is already going. Pardon my sudden intrusion. But I was surprised by so many transaction with same functionality like SU01. Even same screen. Why???

0 Kudos
370

Julius,

Thanks very much, for you help.

I aprecciate and using your help )

Martha