Friday, 24 June 2011

HOW TO CHECK LIST OF USERS FROM TABLE USR02

  1. In MS SQL Server Management Studio
  2. Execute SELECT BNAME FROM hrs.USR02 WHERE MANDT='310';

SAP SECURITY AUTHORIZATION - Display Change Documents for Role Administration

There is a shortcut (running program RSSCD100_pfcg) which you can use to check a user's change documents.

Thursday, 23 June 2011

SAP SECURITY INTERVIEW - Reset password for multiple users

Create a SECATT script for mass user password change

Tuesday, 21 June 2011

SAP SECURITY AUTHORIZATION - SU21 object cannot be edited


Problem adding auth field to auth object (SU21)

When I try to add the field in transaction SU21, I get the message that this is not possible because the object is used in several roles:



  1. You will have to remove the object from all the existing roles
  2. Then use SU21 to amend the fields of the object
  3. Now re-add the object to the existing roles

Monday, 20 June 2011

SAP SECURITY INTERVIEW - How many Single roles can be added in one Composite role ?

Unlimited, but bear in mind that SAP only allows a maximum of 312 profiles. So generally, if you add more than 312 single roles, the user will hit the maximum profile issue.

Sunday, 12 June 2011

SAP SECURITY INTERVIEW - Should RFC users have SAP_NEW and why?

Like all users, RFC users should get SAP_NEW right after an upgrade. However, you assign SAP_NEW only for the short time until you have finished copying the authorizations of SAP_NEW into the roles which are assigned to your users. In the case of RFC users, a new version of the corresponding role for the RFC user may have been delivered by SAP. Check the release notes to learn about changes like this.
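
A read-only check for SAP_NEW assignments that outlived the upgrade, extending the USR02 query from the 24 June post (added example, not from the original posts). Schema hrs and client '310' come from that query; table UST04 and the USR02 columns USTYP, UFLAG and TRDAT are standard SAP fields, and treating user types B and C as the RFC users is an assumption.

```sql
-- Added example: users in client 310 that still hold the SAP_NEW profile.
-- Schema "hrs" and client '310' are taken from the USR02 query on this page.
-- UST04 (user-to-profile assignments) and the USR02 columns USTYP, UFLAG and
-- TRDAT are standard SAP fields; verify them in SE11 for your release.
SELECT u.BNAME,
       CASE u.USTYP
            WHEN 'A' THEN 'Dialog'
            WHEN 'B' THEN 'System'
            WHEN 'C' THEN 'Communication'
            WHEN 'S' THEN 'Service'
            WHEN 'L' THEN 'Reference'
            ELSE u.USTYP
       END AS USER_TYPE,
       CASE WHEN u.UFLAG = 0 THEN 'not locked' ELSE 'locked' END AS LOCK_STATE,
       u.TRDAT AS LAST_LOGON            -- YYYYMMDD, '00000000' = never logged on
FROM   hrs.USR02 AS u
JOIN   hrs.UST04 AS p
       ON  p.MANDT = u.MANDT
       AND p.BNAME = u.BNAME
WHERE  u.MANDT = '310'
  AND  p.[PROFILE] = 'SAP_NEW'
ORDER  BY CASE WHEN u.USTYP IN ('B', 'C') THEN 0 ELSE 1 END,  -- assumed RFC-type users first
          u.BNAME;
```

Every row returned is a user whose SAP_NEW authorizations have not yet been moved into its roles.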

Saturday, 11 June 2011

SAP SECURITY INTERVIEW - User has tcode SA38. How to restrict the user to execute only report rsusr003.

Use SE93 to create a customized tcode:

  a) via 'transaction with value', where we use the SA38 screen as inheritance. We have the option to hide the SA38 screen to prevent the user from running other programs.
  b) via 'transaction with value', where we use START_REPORT to call the program itself.

Or you can change the following object in the role with tcode SE38, and in authorization object S_DEVELOP set the activities:

  DEVCLASS '*'
  OBTYPE   '*'
  OBNAME   'RSUSR003'
  p_group  '*'
  activity '03'

Tuesday, 7 June 2011

SAP SECURITY INTERVIEW - What is the difference between SU24 and SU22? What is "original data" in SU22 context?

SU22 is used by SAP to create authorization proposals. SU24 is used by customers to adjust these authorization proposals from SAP.

How many authorizations fit into a profile?

A maximum of 150 authorizations fit into a profile. If the number of authorizations exceeds this limit, the Profile Generator will automatically create more profiles for the role. A profile name consists of twelve (12) characters, and the first ten (10) may be changed when it is generated for the first time.

Thursday, 2 June 2011

SAP SECURITY INTERVIEW - How do you force a user to change their password and on which grounds would you do so?

Using the profile parameter login/password_compliance_to_current_policy, you force users to change their password to match the password policy. Temporarily setting the profile parameter login/password_expiration_time to a short period forces password changes, too.