Start of Content Area

Procedure documentation With Critical Authorizations (New Version, RSUSR008_009_NEW)  Locate the document in its SAP Library structure

Use

This report replaces the reports RSUSR008 and RSUSR009 and offers the following improvements:

        Differentiation between SAP defaults for critical data for different business areas. Previously, you could only use and change defaults collectively.

        Extended combination options for critical authorization data

        Improved performance

        Filter for the users to be displayed

        More analysis options for users in the result list

        Improved user-friendliness

You can either start the report using transaction SA38 or in the User Information System (transaction SUIM) by choosing Users With Critical Authorizations (New Version).

The report is provided as of SAP Web AS 6.20 with the following Support Packages:

        SAP Web AS 6.20, as of SAPKB62039

        SAP Web AS 6.40, as of SAPKB64003

You can continue to use the old programs RSUSR008 and RSUSR009 until SAP Web AS 6.40. The new report is delivered with the old SAP defaults for critical authorization data, which were already used for RSUSR009. The data is combined in the variant SAP_RSUSR009.

Analyzing Users with Critical Authorizations

With the following procedure, you first define critical authorizations and the associated authorization data. You then combine the critical authorizations into a variant with which you then perform the evaluation.

...

       1.      To maintain critical authorizations, choose Critical Authorizations on the initial screen.

A dialog box appears that displays four folders, which form two hierarchies:

        Variants for Critical Authorizations Crit. Authorizations

        Crit. Authorizations Authorization Data

The Critical Authorizations folder consists of the IDs of critical authorizations. Each ID contains a list with critical data. The Ids are used to define report variants.

       2.      In change mode, open the Crit. Authorization folder in the lower hierarchy by double-clicking it, and choose New Entries.

       3.      Specify the following data in the table control:

        The name of the ID in accordance with the naming convention (customer namespace)

        A text

        The color in the result list

        The transaction code, if required

       4.      Save your entries.

       5.      To maintain the authorization data, select the entry that you have just created and open the Authorization Data folder by double-clicking it.

A new view appears.

                            a.      Choose New Entries.

                            b.      Fill out all required fields, which are identified with an asterisk (*).

Note the following when filling out the fields:

         All entries within a group must have the same operand AND or OR. The individual groups are essentially linked with AND. An OR link is not possible.

         You can specify critical data for different authorization objects within the same group.

         If you specify a transaction code for an ID, all authorization data required to execute the transaction and maintained in transaction SE93 is automatically entered as critical data, after you have confirmed and saved the dialog box.

         If you leave the From field empty, the program searches for authorizations with spaces for the specified field and object. If you enter an asterisk (*) in the From field, the report searches for full authorization for the specified field. (See SAP Notes 216557 and 674212)

                            c.      Save your entries.

       6.      Create a variant.

                            a.      Open the folder Variants for Critical Authorizationsby double-clicking it, and then choose New Entries.

                            b.      Enter the name and description of the variant.

                            c.      Save your entries.

       7.      Assign the IDs of critical authorizations to the variant that you have just created.

                            a.      Select the variant and choose the Critical Authorizations folder under the Variants for Critical Authorization folder by double-clicking it.

                            b.      Choose New Entries.

                            c.      Use the input help to choose existing IDs.

                            d.      Save your entries.

       8.      Execute the report variant with critical authorizations.

                            a.      On the initial screen of the report, choose the option For Critical Authorizations under Name of the Variant

                            b.      Use the input help to select an existing variant, and choose Execute.

The users identified for each ID are displayed by the program in the result list.

Analyzing Users with Critical Combinations of Authorizations

You can use the report RSUSR008_009_NEW to combine the IDs for critical authorizations in any way, and to create variants with these combinations.

...

       1.      To maintain critical combinations, choose Critical Combinations on the initial screen.

A dialog box appears that displays four folders in two hierarchies:

        Variants for Critical Combinations of Authorizations Combination

        Combination Critical Authorization

You specify IDs of critical authorizations that you have maintained in accordance with the procedure above, and now want to combine with each other in the in the Combination folder. A variant consists of a list of critical combinations.

       2.      In change mode, open the Combination folder in the lower hierarchy by double-clicking it, and choose New Entries.

                            a.      Specify the following data in the table control:

         The name

         The color for the result list

         The description of the combination

                            b.      Save your entries.

       3.      Assign the IDs of critical authorizations to the combination.

                            a.      Select the combination and open the Critical Authorizationfolder by double-clicking it.

                            b.      Choose New Entries.

                            c.      Use the input help to select IDs of critical authorizations.

                            d.      Save your entries.

Note

The selected IDs are essentially linked with AND. An OR link is not possible.

       4.      Create a variant.

                            a.      Open the folder Variants for Critical Combinations of Authorizations by double-clicking it, and then choose New Entries.

                            b.      Specify the name and description of the variant in accordance with the namespace convention.

                            c.      Save your entries.

       5.      Assign critical combinations to the variant.

                            a.      Select the variant and choose the Combination  folder under the Variants for Critical Combinations of Authorizations folder by double-clicking it.

                            b.      Choose New Entries.

                            c.      Use the input help to choose existing combinations.

                            d.      Save your entries.

       6.      Execute the report variant with critical combinations.

                            a.      On the initial screen of the report, choose the option For Critical Combinations under Name of the Variant

                            b.      Use the input help to choose an existing variant.

                            c.      Choose Execute.

The result list displays the users for each combination within the selected variant.

Additional Selection Criteria

You can use the group Selection Criteria for Users to define additional properties that the users to be displayed must fulfill. This makes analysis quicker and more flexible.

Note that the User Group field relates to entries in the field User Group for Authorization Check on the Logon Data tab page of user maintenance (transaction SU01), while entries in the field User Group (General)evaluate the data specified on the Groups tab page of user maintenance (transaction SU01).

You can use the indicator Display Only Valid Users to restrict the display to users whose validity period covers the date of the report execution.

Evaluation of the Result List

The result lists are different, depending on the type of the selection variant:

        For Critical Authorizations

The selected users are grouped by the IDs of critical authorizations. To check which critical data is represented by an ID, click on the name of the ID. To analyze the authorization data of a user master record, select the user by double-clicking it. The other fields provide additional information about the user.

You can use the Profiles and Roles buttons to display lists of profiles and roles assigned to the selected users.

All other functions are standard functions of the ALV Grid Control.

        For Critical Combinations

The selected users are grouped by critical combinations. If you select a combination name, the corresponding critical data is displayed.

The other functions correspond to those for critical authorizations.

Examples of Using Critical Authorizations and Combinations

Example 1

You determine all users that have development authorization for either executable programs (reports) or function groups.

For a user to be able to develop, he or she requires the following authorizations:

        Authorization for the object S_TCODE that contains at least one of the transaction SE80, SE37, or SE38

        An authorization for the object S_DEVELOP with the value PROG or FUGR in the OBJTYPE field and the value 02 in the ACTVT field

The ID to be created with critical authorization data therefore contains three groups, for each of which the values are each linked with OR.

ID Example 1

Group

Object*

Field Name

From

To

AND/OR*

A001

S_TCODE

TDC

SE80

 

OR

A001

S_TCODE

TDC

SE37

 

OR

A001

S_TCODE

TDC

SE38

 

OR

A002

S_DEVELOP

OBJTYPE

PROG

 

OR

A002

S_DEVELOP

OBJTYPE

FUGR

 

OR

A003

S_DEVELOP

ACTVT

02

 

any (OR or AND)

 

Example 2

In a modification of the first example, you now determine users that have development authorization both for executable programs and for function groups. To do this, split the ID of the first example into two individual IDs and create a combination of these two IDs:

ID 1

Group

Object*

Field Name

From

To

AND/OR

A001

S_TCODE

TCD

SE80

 

OR

A001

S_TCODE

TCD

SE38

 

OR

A002

S_DEVELOP

OBJTYPE

PROG

 

AND

A002

S_DEVELOP

ACTVT

02

 

AND

and

ID 2

Group

Object*

Field Name

From

To

AND/OR

A001

S_TCODE

TCD

SE80

 

OR

A001

S_TCODE

TCD

SE37

 

OR

A002

S_DEVELOP

OBJTYPE

FUGR

 

AND

A002

S_DEVELOP

ACTVT

02

 

AND

 

 

End of Content Area