This website is not affiliated with, sponsored by, or approved by SAP AG.

log roles changes when using PFCG

SAP Security

Moderators: Snowy, thx4allthefish, jurjen

log roles changes when using PFCG

Postby Penelope » Sun Jan 25, 2009 6:56 pm

Hi

Just wanted to know if there is any log available that shows authorization objects' field values after and before any changes in SAP roles.

Thanks!
Pen.
Penelope
 
Posts: 28
Joined: Wed Feb 21, 2007 11:08 am
Location: Buenos Aires - Argentina

Re: log roles changes when using PFCG

Postby isabellaswancullen » Sun Jan 25, 2009 8:39 pm

Hi,

Yes. You can play on tcode SUIM>Change Documents.

Regards,
Belle
isabellaswancullen
 
Posts: 26
Joined: Tue Dec 02, 2008 8:12 pm

Re: log roles changes when using PFCG

Postby Harters » Mon Jan 26, 2009 4:23 am

This doesn't show the values of the fields changed as wanted by Pen. Even using change docs in SUIM under "Authorisation Data" radio button doesn't give the actual field values. Yes it tell you what objects where changed but the values show as "UNKNOWN" - at least in 4.6c and 4.7
Tables CDHDR, CDPOD, CD1251 don't help either.....
Regards
Harters
______________
SAP Support Ltd
sapsupport.co.uk
Harters
 
Posts: 229
Joined: Thu Feb 07, 2008 8:03 am
Location: Sitting in front of 21 SAP systems

Re: log roles changes when using PFCG

Postby ket » Mon Jan 26, 2009 11:23 am

Try looking at SUIM change doc's for the profile.

The screen shows all the auth objects that have been created / deleted. Click on the object to see the values created / deleted.
ket
 
Posts: 267
Joined: Wed Nov 06, 2002 10:47 am

Re: log roles changes when using PFCG

Postby Harters » Mon Jan 26, 2009 11:49 am

Well you learn something new every day with SAP.
It does show the changes however there is still a floor with this...

I created a role a few weeks ago - test role in my dev systems.
Today I amended a value in an object to try nd help Pen find the logging.

Yes, the changes do show in the SUIM profile change log as you say and i can see the entries before and after with time stamp.

However, if I search for chang.e docs for that profile for today I get no results. if I search for the day I created the profile then i get the object creation and then the subsequent changes after drill down - so if a role/profile was create 2 years ago then it seems you have to search from 2 years ago in order to pick up the object creation date and then you get to see the changes with todays date for example.
Regards
Harters
______________
SAP Support Ltd
sapsupport.co.uk
Harters
 
Posts: 229
Joined: Thu Feb 07, 2008 8:03 am
Location: Sitting in front of 21 SAP systems

Re: log roles changes when using PFCG

Postby Penelope » Tue Jan 27, 2009 7:18 am

Ok, I see the changes now.

I looked for a role/profile created in 2005 and modified last december. Then searched for dates between dec 1st and today. I could see the last change...

Could it be the different sap versions the reason why you have to make a search for the profile creation date?

You guys are so smart!!

Thanks!
Pen.
Penelope
 
Posts: 28
Joined: Wed Feb 21, 2007 11:08 am
Location: Buenos Aires - Argentina

Re: log roles changes when using PFCG

Postby thx4allthefish » Tue Jan 27, 2009 8:34 am

are you talking of report RSSCD100_PFCG?? please go to service.sap.com/notes first and check for the latest corrections for this report. some of its errors will be solved after you implemented the notes.

as for changes from 2005 up to now. if you had a couple of upgrades in that system, there will have been the switch from profiles, sample-profiles, activity-groups and -finally- roles. depending on the release your system started with, the changes in the architecture of authorizations was a major one.
curiousorange wrote:I give up. Humanity isn't worth saving. Why is there never a Vogon Constructor Fleet around when you really need one?
thx4allthefish
 
Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel

Re: log roles changes when using PFCG

Postby ket » Tue Jan 27, 2009 9:58 am

You could use SUIM change doc's for Authorizations.
Transx S_BCE_68001441 / Prog RSUSR102

Be sure to enter the profile name with a star on the end to return all the authorizations.

If you leave the object blank on the selection screen you will get changes to all objects sorted in object order.

This report looks at the authorization in the profile. Authorizations keep the same name as the profile, along with a level number. It's what gets nicely renumbered when you choose UTILITIES - REORGANISE before generating a profile in PFCG.
ket
 
Posts: 267
Joined: Wed Nov 06, 2002 10:47 am

Re: log roles changes when using PFCG

Postby Harters » Wed Jan 28, 2009 4:35 am

Fish - the report you mention is probably not up to date in my system as it still doesn't show the values.

Ket - that report works fine.

thanks both,

.Pen - I trust this is good for you as well.
Regards
Harters
______________
SAP Support Ltd
sapsupport.co.uk
Harters
 
Posts: 229
Joined: Thu Feb 07, 2008 8:03 am
Location: Sitting in front of 21 SAP systems


Return to SAP Security

Who is online

Users browsing this forum: No registered users and 7 guests





loading...


This website is not affiliated with, sponsored by, or approved by SAP AG.