Question:
At times I need to make a copy of a user account so I can log in as them. I go to su01 and make a copy of user A. When I log in as the copied account of user A, the authorizations are not copying over. I can not access any of the transactions the original user could. After saving the copied user account again, everything seems to work.
Im on 4.6b, any help would be great.
Answer:
I think we have all experienced this. It sometimes takes a couple of minutes for the tables to finish synching I think. Sometimes just using the User Master Compare button for the user id's role will take care of it.
I used to tell people whom I had recreated to wait two minutes before they log in and that seem to lessen the chance of the no authorization phenomenon. It is all part of the synchronization issue discussed on this form many times, and documented in SAP notes about user buffers and which tables are being used.
_________________
Gary Morris
SAP Security Analyst/Developer
garymorris@sapsecurity.net
Answer:
Gary,
I have experience the time delay issue also. I waited about 5 minutes before logging into the account to test and had no authorizations as discussed.
Apologies, I forgot to mention that.
Answer:
Out of curiosity are you creating this account on a mulitple application server machine? Sometimes when I add a role it an account it takes ages before they can use it. I've tried role comparisons and $sync to fix. Oddly, this only occurs on an application server. Normally I log directly into the DB Server and to get around this problem, I log into the applcation server to change accounts.
One other symptom, when doing an SU53, the check says something along the lines of "authorization is in the user master but not user buffer".
Answer:
damo, your issue is obvious, and having the user execute transaction SU56 will reveal that he has a buffer underrun issue. Review his profiles, does he have too many? Another issue is that of memory. I Cannot remember how to navigate to it right now but in one of the ST transaction (st03 maybe) there is a way to look at the part of shared memory that is used for all user buffers, if a particular app servers is showing an unusual reading.. (I think it was that it shows it too high) then users will be calling in with authorization errors, and if you have your help desk ask what appserver they are logged into, you will notice that all the users calling are logging into the same appserver, getting them to log out and back in fixed their problem not because of table syncs but becuase they logged into another appserver (load balancing) and the other app server was sharing this memory area correctly. The reset of the appserver will cause this area of memory to read normally again and all the user errors will cease.
This is why I have concluded that the expert Security Administrator has to learn more than the Basis Administrator because he has to be able to learn both, Basis and Security, and even ABAP if he is going to ever write his own monitoring tools. I am starting to realize that many security issues are related to poor maintenance by the Basis Admins, and the only way the problem is going to be fixed is for the Security Admin to proove to the Basis Admin that his red alerts in his memory do need to be addressed and are not "normal".
That may not be your problem guest but is something to look at. Also you have to look at how your assigning the roles to the users. Do you use structural authorizations in the HR module? Do you Use Composite profiles created with SU02, are you assigning profiles to the user master record without a menu?
Answer:
Heh, perhaps you're right. However I don't think my problem is with the lack of user buffer area. ST02 reports no "red" problems. Fortunately I have SAP systems with more memory than required. I think my problem is in how SAP buffers authorisations. I will investigate the auth buffering profile parameters.
As for whether a Security Admin needs to know more than a Basis Admin, I will only partly agree with you. A security admin needs to know more on the functional side of SAP. They MUST understand how the business runs. Otherwise how would they know what authorisations to assign a user.
However, a Basis admin needs to know a high level of Security, ABAP and to some degree how the business operates. But Basis also needs to know about the hardware SAP runs on, the frontend and the network between the two. Failure to know these things will result in PC Admins, Network Admins and ABAP'ers all blaming the SAP Admin for poor performance and such.
Over to you.
Answer:
To follow up, I'm confident that the problem is in parameter auth/new_buffering. It's currently set to 2 and I'm thinking of moving it back to the default 4.
This might be something the person having the copied user problem could look into.