We are trying to restrict S_PROGRAM with * value
to find out and analyze what tables and programs a user accessed in the past 6 months.
1. We have checked the program/table usage via SM20 logs for users, but is there any way to check in the S/4 system for program/table usage of a user, and through which role it is being accessed, through any other standard tcode/reports?
2. Is there any other possible way to get the program/table usage of users, and through which role it is being accessed, through any GRC standard tcode/report?
Hello,
The answer to both questions is 'No'.
There is no log of which 'role' granted an authorization for a certain action in the SAP system for which an authority-check was performed.
Background: a role is just a box which contains, among other data, the authorization profile. This profile contains the authorizations. The authority-check, which is logged in the system, compares only those authorizations with the requested values in the coding (ABAP statement 'authority-check'). With which 'boxes' an authorization was assigned to a user does not matter at all and is not evaluated (also for performance reasons).
If the admin does not know with which roles he assigned which authorizations to a user, he can still use SUIM to find that out (for instance by using the report 'users by authorization values').
The best way to find out which authorizations a user really requires is to use the long-term trace 'STUSERTRACE' (see also SAP note 2220030). It records each auth. check once for each environment. After some time (some weeks/months) all the checks are available in the trace result (filter, for instance, for object S_PROGRAM). Furthermore, a role can be created directly from the trace result, containing only the required authorization values (see also SAP note 2353127).
b.rgds,
Bernhard
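The offline correlation implied by the answer above, as an added example that is not part of the original thread: because the check result carries no role name, the roles can only be derived afterwards by joining the checked values against the authorizations each role contains, and the result is a set of candidates, not one role. All role names, users, trace rows and the data layout are constructed assumptions; value ranges are not modeled.

```python
from collections import defaultdict

# Constructed sample data (not from a real system): role authorization values
# as (role, authorization, object, field, value), and user-role assignments.
ROLE_AUTHS = [
    ("Z_BASIS_ALL",   "A1", "S_PROGRAM", "P_GROUP",  "*"),
    ("Z_BASIS_ALL",   "A1", "S_PROGRAM", "P_ACTION", "*"),
    ("Z_FI_REPORTS",  "B1", "S_PROGRAM", "P_GROUP",  "ZFI*"),
    ("Z_FI_REPORTS",  "B1", "S_PROGRAM", "P_ACTION", "SUBMIT"),
    ("Z_FI_VARIANTS", "C1", "S_PROGRAM", "P_GROUP",  "ZFI_AP"),
    ("Z_FI_VARIANTS", "C1", "S_PROGRAM", "P_ACTION", "VARIANT"),
]
USER_ROLES = {"JDOE": ["Z_BASIS_ALL", "Z_FI_REPORTS"], "ASMITH": ["Z_FI_VARIANTS"]}
# Constructed stand-in for an exported trace result: one row per distinct check.
TRACE = [
    ("JDOE",   "S_PROGRAM", {"P_GROUP": "ZFI_AP", "P_ACTION": "SUBMIT"}),
    ("JDOE",   "S_PROGRAM", {"P_GROUP": "ZFI_GL", "P_ACTION": "SUBMIT"}),
    ("ASMITH", "S_PROGRAM", {"P_GROUP": "ZFI_AP", "P_ACTION": "VARIANT"}),
]

def covers(granted, requested):
    """True if one granted value ('*', 'ABC*' or a literal) covers the requested one."""
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested

def candidate_roles(user, obj, requested):
    """Roles of `user` holding a single authorization that covers every requested field."""
    auths = defaultdict(lambda: defaultdict(list))  # (role, auth) -> field -> values
    for role, auth, o, field, value in ROLE_AUTHS:
        if o == obj and role in USER_ROLES.get(user, []):
            auths[(role, auth)][field].append(value)
    hits = {role for (role, _), fields in auths.items()
            if all(any(covers(g, v) for g in fields.get(f, []))
                   for f, v in requested.items())}
    return sorted(hits)

def required_values(obj):
    """Distinct value combinations actually checked, i.e. what could replace '*'."""
    return sorted({tuple(sorted(req.items())) for _, o, req in TRACE if o == obj})

def report(obj):
    """One row per traced check: user, checked values, candidate roles."""
    return [(u, req, candidate_roles(u, obj, req)) for u, o, req in TRACE if o == obj]

if __name__ == "__main__":
    for row in report("S_PROGRAM"):
        print(row)
    print(required_values("S_PROGRAM"))
```

For JDOE both the wildcard role and the restricted role cover the same checks, so the restricted role already carries everything the trace shows is needed for those checks.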