Skip to Content

[This is a copy of the same page on Code Exchange on SDN which shuts down end of August 2013. Therefore, I move my projects here to SCN.]


We like to introduce a new Code Exchange project which was the result of a student practicum during the last weeks.

The purpose of this new program Z_USCRAUTH is to simplify the maintenance of critical authorization definitions used by Report RSUSR008_009_NEW. Using this program you can import an XLS sheet including the needed data or export the content of the database to an XLS sheet. Furthermore it gives a clearer overview of the authorization data in the form of some tables.

Finally we’ve published a file representing the checks of the SOS: https://service.sap.com/sos -> Media Library -> Media Library -> Security Optimization Service – ABAP Checks

Kind regards

Julius Daub and Frank Buchholz

ABAP Source Code

You find the source code on the corresponding wiki page.

ABAP source code:

http://wiki.sdn.sap.com/wiki/download/attachments/343933423/Z_USCRAUTH.txt

XLS sheet:

http://wiki.sdn.sap.com/wiki/download/attachments/343933423/SOS.XLS

Documentation

This report is used do export/import the definition data which are used by the report RSUSR008_009_NEW about critical authorization and variant of the user information system, transaction SUIM that you usually maintain within that report or using transaction SU_VCUSRVAR_CHANGE to/from an Excel-sheet.

This is much more convenient than defining it in the UI of the report.

Initial Screen

Z_USCRAUTH_01.png

There are three actions that can be performed by the report. In (1) you choose the action to be performed. In (2) and (3) you can define criteria of selections for the data you want to get.

In (4) you have to choose an XLS-sheet file name whose data you want to be imported or where you want to export your data to.

Actions

Show Data

Only shows data selected in (2) and (3) on the screen in the form of 6 tables.

Z_USCRAUTH_02.png

(Part of the info-screen)

Export Data

Exports data selected at (2) and (3) to the XLS selected at (4), generates a preview inside of the report and shows the same screen as Show Data. If the file already exists, it will be overwritten; else a new file with the pathname selected at (4) will be created.

Z_USCRAUTH_03.png

(Preview of the Excel-Sheet inside of the report)

Z_USCRAUTH_04.png

(Exported Excel-sheet)

Import Data

Imports data selected at (2) from the Excel sheet selected at (4), writes it to the database and shows it on the screen as in Show Data. In Addition the report shows a change log of the data on the screen.

Z_USCRAUTH_05.png

(Change log)

If the data in the sheet is obviously incorrect, the changes won’t be performed and an error message will be displayed.

Z_USCRAUTH_06.png

(Wrong Data in the XLS)

Z_USCRAUTH_07.png

(Error Message)

Tips concerning the Excel file

  • The attached File contains the main part of the authorization data out of the SOS document, but it’s possible that there are some small mistakes.
  • The first column (TABLENAME) defines the table
  • The sort order of the file does not matter.
  • The entries for table USRVAR and USCRAUTHID are optional.
  • The TEXT field in USRVARID and USCRAUTHID is optional.
  • If you omit the language it will be replaced by the logon language.
  • Color Code 6 = RED
  • Color Code 3 = YELLOW
  • If you omit the color code it will be replaced by 6.
  • Have a close look to numeric data: To enter leading zeros use ‘ to avoid that Excel removes the leading zero. (This report repairs wrong data in case of the activity field, ACTVT, automatically.) Example: Enter ’02 instead of 2
  • If the file is opened in Excel during executing the report, an error message will appear: “Excel file … cannot be processed”
  • It’s recommended to use the attached file as template for your own file; you can also export some data to another file and edit this one.
  • If you want to create your own source file, this file has to follow this structure to get correct results:
Record type Column A B C D E F G H
USRVAR (definition of variants) TABLENAME VARNAME
USRVARID (assignments of critical authorizations to variants) TABLENAME VARNAME AUTH_ID (TEXT)
USRVART (short texts of variants) TABLENAME VARNAME VTEXT LANGU
USCRAUTHID (definition of critical authorizations) TABLENAME AUTH_ID AUTH_COLOR T_CODE
USCRAUIDT (short texts of critical authorizations) TABLENAME AUTH_ID TEXT LANGU
USCRAUTH (details about critical authorizations) TABLENAME AUTH_ID CR_AUTH OBJCT FIELD LOW HIGH SEARCHTYP

Limitations

  • The “Text-Search” is not finished
  • Garbage in – garbage out: There exist some input checks on the data but you should only use correct files to avoid trouble.
  • If you enter wrong, duplicate data you might get a dump.
  • If the file is locked in Excel you might run into trouble
  • No transport interface. If you want to transport the definitions you
  • Use transaction SU_VCUSRVAR_CHANGE to add them to a transport.

Related links

Online Documentation – Users with Critical Authorizations (RSUSR008_009_NEW) http://help.sap.com/saphelp_nw70ehp3/helpdata/en/f9/558f40f3b19920e10000000a1550b0/frameset.htm

To report this post you need to login first.

9 Comments

You must be Logged on to comment or reply to a post.

  1. Kesayamol Siriporn

    Frank,  do you know of any Blog entry, Wiki, or another kind of help document for usage of RSUSR008_009_NEW ?   I never used it before but would like to see real-world implementations, or advice. 

    (0) 
    1. Frank Buchholz Post author

      Hello Kesayamol,

      I just know about the Online Help (link added to the blog) which includes a small example. I suggest you start using this report with such a simple example for Critical Authorizations and try to get the same results with report RSUSR002 and RSUSR008_009_NEW.

      Kind regards

      Frank

      (0) 
  2. Will Dunkerley

    This looks fantastic Frank, I have this in a sandbox currently and will be using it in Dev shortly. It looks like a big time saver and it may save me from pulling my hair out in frustration 🙂

    (0) 
  3. Christophe Fleury

    Hi Franck,

    Great Document !

    In my GRC project, Two years ago, we used the BCSETs possibilies to deploy the customization of RSUSR008_009_NEW. So with SCPR3 and SCPR20 transaction, we were allowed to put all the rule in other SAP landscape. Moreover, it is like a “backup” for P.R.A processes…

    Regards

    Christophe

    (0) 
  4. Christophe Fleury

    I have just finish an abap program that allow, in one click, to have the SOD conflicts in a client. As it is an Abap program, you can transport it in the landscape.

    If you want some information, tell me.

    Regards

    Christophe

    (0) 
        1. Will Dunkerley

          Hi Christophe,

          I would be very interested to see your program. I have used Frank’s solution to simplify our maintenance of our critical authorizations variant, but I would be very interested in any program that you have created to identify SoD conflicts.

          We have our own matrix, but we would like a better tool to use it 🙂

          (0) 

Leave a Reply