Authorization Object / Check Indicator

Question: Are Auth. Objects with the Check Indicator 'Check/Maintain' (CM) the only relevant objects interrogated by a program, or are Check (C) and Unmaintained (U) also checked?

I am using SUIM to check who has 01, 02, or 06 Activity access for the associated transactions and noticed a number of auth. objects (using SU24) with CM, which I am querying, but am not sure C and U are relevant as well. I chose this approach vs. looking through every program's source code to identify every auth. object that is Authority Checked.

Thank you!

Answer:
The SAP code checks all authorization objects that are in the path the user takes regardless of an entry in SU24. It is the return code that the code gets from the kernel that counts. If the authorization object for a tcode is marked "N" and the authorization object is in the code path the user takes then the authorization return code is set to '0' (pass) regardless of the user's access.

The entries in SU24 can be in any column U, N, C, CM and can have no bearing on what is checked or not checked. SU24 is only 65% correct, do not use this as your "go to the bank" source of information.
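As an added illustration (not code from this thread), the following hypothetical ABAP report shows what "in the code path" and "return code" mean in the answer above: F_BKPF_BUK is interrogated only because this AUTHORITY-CHECK statement actually executes, and only the program's own handling of sy-subrc enforces the result. The report name, parameter and message texts are invented.

```abap
" Hypothetical report (constructed example): the object below is checked
" only because this statement runs; an SU24 entry on its own checks nothing.
REPORT zauth_demo.

PARAMETERS p_bukrs TYPE bukrs DEFAULT '1000'.

" F_BKPF_BUK: company-code authorization for accounting documents.
" ACTVT '01' (create) is one of the activities the SUIM query in the
" question looks for.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '01'.

" The kernel's return code is what counts; the program must act on it.
CASE sy-subrc.
  WHEN 0.
    " Pass: the user holds BUKRS/ACTVT '01', or (per the answer above)
    " the check indicator is 'N' and the kernel returns 0 regardless.
    WRITE: / 'Posting allowed for company code', p_bukrs.
  WHEN 4.
    " User has no authorization matching these field values.
    MESSAGE |Not authorized for company code { p_bukrs }| TYPE 'E'.
  WHEN OTHERS.
    " No authorization for the object at all, or a setup/coding error
    " (e.g. wrong field name, too many ID clauses).
    MESSAGE |Authorization check failed, sy-subrc { sy-subrc }| TYPE 'E'.
ENDCASE.
```

An ST01 authorization trace of this report shows exactly one F_BKPF_BUK check with the values passed here, which is the evidence the thread recommends over relying on SU24 alone.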

Answer:
Thanks John,
Any suggestion for determining which auth. objects to query with SUIM, other than reviewing source code?

Answer:
Only by learning the business processes and understanding the make-up of the authorization objects will any report in SUIM make any sense. Also spending a lot of time in ST01 auth traces and learning security without PFCG.

Knowing that the center 4 characters of an auth object (there are exceptions) indicate the table being updated, you can determine what is needed. Example: posting an accounting document would require the BKPF objects, but that alone is not enough as you have to know how your system is used, as not all the BKPF objects are needed if auth groups are not used or you only post to vendors...

So no, SUIM is useless by itself without the knowledge to understand it.

Answer:
If you do not have a business process master list which relates into "entry points" (trying to avoid the word S_TCODE here...)... then you are not able to determine the required on / off / add for your control requirements.

If they exist...

Ask your auditors?

Copyright ©2007 - 2008 www.jt77.com