Question:
Hai Everyone,
I am new to SAP security,I am looking to find authorization objects associated with a particular transaction.
Can anyone help me please.
Thanks in advance
guest
Answer:
Tables USOBT and USOBX contain the relationship between a tcode and auth objetc.
Using SU25 step 1 you initialize USOBT_C and USOBX_C which are the real tables used (PFCG uses this tables). Read SU25 help button!!!!!
Using the SU24, you browse in USOBT_C and USOBX_C. Here you will find what you need.
Bye
Andrea Cavalleri (Italy)
Answer:
You can also run a trace (transx ST01).
Answer:
SU24 is a guess, ST01 is slightly more informed & returns what the code checks in most cases.
Answer:
I've just moved companies and heve been told that SU24 ( running 4.6c system )has not been used to maintain objects against transactions - SU25 has only been used once ( in 2002) to initially populate the Cutomer tables USBOT_C and USOBX_C as per step 1. So, all role maintenance and any new objects are manually inserted in roles, problem with this is that I have no idea what transaction a manually inserted object is related to.
A couple of questions:
a) if a fix or upgrade is currently applied which brings in a new object, will that object automatically be added to the customer tables _C, or do I need to do something else, so that I pickup the new objects ?
b) if I now run all the other steps of SU25, I suspect most of the current roles will need re-checking and generating again - any other pitfalls to look out for.
help most appreciated
Answer:
Are roles maintained in the production system?
If you plan to stick around for a while, it will probably be easier to start over again based on (but not relying on) the roles which you have.
You could also contact an expert and try to sue the company which did your implementation for negligence and incompetence and false pretences.
Tarr
Answer:
sue the company
Depending on the contract you have had and the jurisdiction it falls under, of course.
In common law it is difficult as ignorance is often a "punishable" mitigating circumstance against the contractor. In codified law and the US, it is a bit different for various reasons.
Law is after all a social science which also considers risk and probability of it based on the commercial environment.
Tarr
Answer:
Tarr, Sue the company? What for? Maintaining SU24 is a dog's mess. It probably ought to be done for the most common transactions (i.e. neutralized) but maintaining it across the board is a fool's errand.
I don't think that 5% of security consultants could adequately manage SU24. My advice is, for the most part, leave it alone.
(Do take out F_BKPF_BUP in all the transactions it appears in and if you don't use authorization groups take those out as well but most everything else is a royal pain to keep up with and you won't get it right anyway.
Answer:
thanks for the response folks, but I don't think sueing is an option, plus I still have the mess to clear up. So, as it stands then is my most reliable way to manage the authorisations is to do so directly in the customer tables USOBT_C USOBX_C and to continue with manual insertion into roles. What happens with any fixes or updates applied to the system ? do any new objects and/or object assignment to transactions automatically get updated to the customer tables ?
thanks in advance.
Answer:
MAintian SU24 it will be time consuming at first but will reap long-term benefits as the roles start to correct themselves and prevents ou from re-"inventing the wheel" for the same tcode.. You can search this site for more info on pros and cons ( mostly pro's with a very few desenters)