7.18.3 Gathering Authorization Data
Let's explore where to find authorization data in the SAP system.
Statistical Trace Data: Transaction STO3N
One treasure trove of information related to transaction execution
activity is the Workload Monitor. You can access it via Transaction
STO3N. Among many other things, it shows you user transaction
execution activity. Using that information, you can analyze what
transactions your users executed over the past few months. The
exact timeframe depends on your system configuration. By default,
your SAP system retains three months’ worth of usage data, unless
you changed the configuration.
We generally recommend accumulating between three to six months’
worth of usage data to get a good overview of what transactions your
users use. If you have SAP GRC Access Control, you can get the
same information from SAP GRC’s Action Usage Report (table
GRACACTUSAGE)
The next step is to optimize your roles by merging Transaction SU24
proposals. If you haven't maintained your authorization proposals yet,
it's recommended to optimize Transaction SU24. By bringing in
Transaction SU24 proposals, you have taken the first step to
populate your roles with authorization fields and values. Unfortunately,
not all the objects you need in your roles are available via Transaction
SU24. So, the next step is to find out what fields and values you need
to properly authorize your users, including organizational values.
Authorization Fields and ValuesTransaction STO3N does not include authorization objects below the
transaction (TCODE) level. As a result, we have to leverage other
trace sources, such as Transaction ST01, to get an idea of what
authorization fields and values are required for the roles we are trying
to build. Additionally, you will have to determine the proper
organizational fields and values for each user. For the latter, you can
retrieve the necessary information from a variety of tables, based on
the type of data you need.
For instance, if you are building a role to authorize users to change
purchasing documents, you can look at table exko for information
about which users made changes to purchasing documents and what
the associated org fields were.
Using that information, you can fine-tune your roles and make sure
your users are properly authorized based on the relevant
organizational values.
7.18.4 Testing Role Changes in Production
Once you have built new roles as part of your redesign project you
have to test them. Unfortunately, SAP offers very limited tools to
automate that process beyond individual trace files. Analyzing those
traces for hundreds or thousands of users without proper reporting
and gap analysis is not feasible. Instead, you can leverage the
productive test simulation (PTS), which is part of the Xiting
Authorizations Management Suite (XAMS), as described in SAP Note
1682316 - Consulting: Optimizing RFC User Authorizations.
Using this technology, you, as a role administrator, can test new roles
in a production environment without negatively affecting end users. To
accomplish this, XAMS leverages standard SAP reference users
(user type Reference).Let's say you want to test the new roles you created for user Dave.
Via the XAMS, in production, you would create a reference user,
assign the new roles to that reference user and then assign the
reference user to Dave.
Why use a reference user? The answer is simple: anytime the SAP
kernel performs an authority check, it does so against the reference
user first—if there is a reference user assigned. If that authority
check fails, then the SAP kernel performs the same authority check
against the dialog user. If that authority check succeeds, SAP logs a
return code 0. With the help of the XAMS, you can analyze these
return codes and quickly export roles containing the missing
authorizations. Using the exported roles, you can fine-tune your new
roles in development and transport the changes up to production.
7.18.5 Automate Role Creation and Testing
While the steps discussed thus far about the creation of new roles
help you to gather the required information to build proper roles in
SAP, they are time-consuming and error-prone. As a result, the steps
are impractical if your goal is to build roles for more than a handful of
users. However, you don't have to perform the steps manually. To
automate and simplify all the tasks we have described above, you
can leverage XAMS.
With the XAMS, you can:
* Streamline the analysis and processing of trace data
« Instantly identify missing Transaction SU24 proposals
+ Enable role administrators to build roles based on statistical trace
data and via a drag-and-drop interface+ Automatically enrich the created roles with business data, including
the required organizational fields and values
+» Simulate new roles based on user activity in production to identify
any missing authorization fields and values with the PTS
+ Replicate individual roles across organizational units