Reference Users

Question: Anyone ever use reference users?
Any pros or cons to using them?
Can a user be assigned multiple reference users?

Answer:
Reference users are a loophole in SAP security and should be eliminated. Nice idea but poorly implemented. You can assign only one reference user to an ID via standard tools (SU01).
The main cons are:
1. There are no authorization checks to see if you are authorized to assign the role the reference has to the target user ID.
2. You can configure the system to ignore the type of user ID used as a reference user, so you can assign SAP* to any user; SAP* generally has SAP_ALL.
3. You can manipulate the table that stores the reference user assignment so that you can have SAP_ALL almost undetected (the SUIM reports can show you have a reference user assigned, but few look at the report or know what the ID means).
Pros
1. Allows you to pattern an ID after without assigning roles
2. Easy to change access to many users

Answer:
John,

Which table contains the "reference user" assignment?

Answer:
Try USREFUS

Regards

Answer:
Reference users are a loophole in SAP security and should be eliminated. Nice idea but poorly implemented. You can assign only one reference user to an ID via standard tools (SU01).

I agree about the poor implementation, but it has improved. You can defend yourself against:

1) with an entry in PRGN_CUST with the various values for a param called REF_USER_CHECK or similar. Corrections to the modules for the AGR and PRO checks are available in patch levels from about October 2004.

2) You can configure the system to correctly check the reference user type and existence and also remove the entry field in SU01 altogether.

3) You can control the manipulation of USREFUS and also control its contents.

The biggest contra: Incomplete audit trails.

Ned

Answer:
Reference user was meant to assist in license auditing.

Answer:
How?

Answer:
It's documented in licensing audit docs.

Create a reference user with the correct license type. This user should not have roles. Then in SU01, set your users to this reference user.

Reference user is not meant to be used productively. Hence SAP will exclude reference user from the license count. The measurement will be sent to SAP.

Personally, I don't find reference user very useful. It's faster to write a report to mass update the license type.

Answer:
That is only one use of the reference user; you also get the ref user's access. It is far more prudent to just maintain the value in SU01 when you create the user. SAP provides reports to "mass maintain" the license type: tcode USMM (User classification).

Answer:
In 4.6 when you are using SUIM, it only checks on the authorization assigned directly not from the reference user roles.

E.g., if your reference user REF_DEV has access to, let's say, SE38, and the user JONES has REF_DEV as reference user and also has other roles assigned directly which do not contain SE38, SUIM will not pick up JONES as having SE38 if you search for it.

It is possible that there is an OSS note to correct it, but I gave up on using it as it causes too many problems.

Answer:
The SUIM user reports will however list the reference user in the last column. So you can "eyeball" it.
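
The "eyeball" check discussed in this thread can be automated over table exports; the following is an added example, not code from any poster or from SAP. It resolves what a user inherits through USREFUS and flags reference users that are missing, are not of type Reference, or carry SAP_ALL. Assumptions: the rows are constructed sample data, the field layouts (USREFUS BNAME/REFUSER, USR02 USTYP, AGR_USERS, AGR_TCODES, UST04) are taken as given, and role menu transactions stand in for a full authorization evaluation.

```python
# Constructed sample rows standing in for table exports (for example from SE16); not real data.
USREFUS = [("JONES", "REF_DEV"), ("SMITH", "SAP*"), ("BROWN", "GHOST")]   # BNAME, REFUSER
USR02 = {"JONES": "A", "SMITH": "A", "BROWN": "A", "REF_DEV": "L", "SAP*": "A"}  # BNAME -> USTYP
AGR_USERS = [("JONES", "Z_DISPLAY"), ("REF_DEV", "Z_DEVELOPER")]          # UNAME, AGR_NAME
AGR_TCODES = {"Z_DISPLAY": {"SU53"}, "Z_DEVELOPER": {"SE38", "SE80"}}     # role -> menu tcodes
UST04 = [("SAP*", "SAP_ALL")]                                             # BNAME, PROFILE


def direct_tcodes(user):
    """Transactions from roles assigned directly to `user` (the view the thread attributes to SUIM in 4.6)."""
    return {t for u, role in AGR_USERS if u == user for t in AGR_TCODES.get(role, set())}


def effective_tcodes(user):
    """Direct transactions plus those inherited through the user's USREFUS reference user."""
    refs = [r for b, r in USREFUS if b == user]
    return direct_tcodes(user).union(*(direct_tcodes(r) for r in refs))


def audit():
    """Return (user, reference user, finding) tuples for every USREFUS row that needs review."""
    findings = []
    for user, ref in USREFUS:
        ustyp = USR02.get(ref)
        if ustyp is None:
            findings.append((user, ref, "reference user does not exist"))
        elif ustyp != "L":  # USTYP 'L' is the Reference user type
            findings.append((user, ref, f"reference user has type {ustyp}, not L"))
        if any(b == ref and p == "SAP_ALL" for b, p in UST04):
            findings.append((user, ref, "inherits SAP_ALL via reference user"))
        hidden = effective_tcodes(user) - direct_tcodes(user)
        if hidden:  # access a direct-assignment-only report would miss
            findings.append((user, ref, "inherited only: " + ",".join(sorted(hidden))))
    return findings


if __name__ == "__main__":
    for row in audit():
        print(*row, sep=" | ")
```
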

Answer:
That is only one use of the reference user; you also get the ref user's access. It is far more prudent to just maintain the value in SU01 when you create the user. SAP provides reports to "mass maintain" the license type: tcode USMM (User classification).

Try to set the license type to "multi-system user" for every user and you will know what I mean.

For releases below 610, USMM is unfriendly for mass maintenance. Even the SAP contract folks agreed with me on this one.