1. Log on to client 100 of the appropriate SAP system.
2. Go to transaction PFCG.
3. On the Role maintenance screen, type in the Role name of the first role to be transported. Click the Truck picture-icon.
4. You will see an Information popup. Click the green √ picture-icon.
5. In the Choose objects popup, unclick the □s beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can √ the □ to the left of User assignment. Click the green √ picture-icon.
6. On the Prompt for Customizing request popup, click the blank page picture-icon to create a new change request. On the Create Request popup, fill in the Short description and click the Save picture-icon. You will be returned to the Prompt for Customizing request popup which contains the generated change request number for this system change. Click the green √ to continue.
7. You will see a Data entered in change request message in the status bar at the bottom of the screen. Now enter the name of the next role to be transported and click the Truck picture-icon.
8. You will see an Information popup. Click the green √ picture-icon.
9. In the Choose objects popup, unclick the □s beside User assignment and Personalization. If you want to transport the users along with the role, profiles, and authorizations, you can √ the □ to the left of User assignment. Click the green √ picture-icon.
10. On the Prompt for Customizing request popup, continue to use the same transport you created in step 6. Click the green √ to continue.
11. Continue to perform steps 7 through 10 until all the roles you need to transport have been attached to the transport change request.
12. The generated transport can now be released and transported into the clients needing the modified roles.You may now leave the PFCG transaction
Creating a User Role
Users and Passwords
Question: Hello,
Can anyone tell me that where to see list of users and their corresponding active passwords.
I have seen tables usr01, usr02, usr03 and all other usr's.
There is a field of password but i think that it is the initial password.
So can anyone tell me from where to see the current password .
And i am sure it would be encrypted so also pls suggest how to decrypt it.
Dont think that i am trying for illegal access as i am myself a Basis administrator and such a requirement has come up for me.
I would appreciate any help on this issue
Regards
suril2031
Answer:
Hello snowy and moderators,
I hope there is nothing wrong with the poll that i have kept.
Pls inform me if anything is wrong.
And moreover also pls provide info about basic rules for keeping polls
Regds
suril2031
Answer:
This is not a poll but a question of specific nature... A poll would be...
Should SAP consider keeping the password of a user in clear text. NO
Is there use for a Initial password not reset report... There is one...
Not "tell me..."
Can anyone tell me that where to see list of users and their corresponding active passwords table usr02 field BCODE . If LTIME = 000000 Then the password is initial...
You cannot decrypt the password... The whoel rason for passwords it to keep it secret. You have the power to change it not view it...
Answer:
"John A. Jarboe"]
This is not a poll but a question of specific nature... A poll would be...
Should SAP consider keeping the password of a user in clear text. NO
Is there use for a Initial password not reset report... There is one...
Not "tell me..."
Hello John,
I was putting similar kind of polls in my previous posts but moderators deleted them.
So I have put such a poll.
Suril2031
Answer:
What's the obsession with polls? they just annoy people who would otherwise answer your questions
Answer:
Amen.
Answer:
Ummmmhhhhhhhhh.... - for Buddism.
Answer:
example for poll:
how do you like SAP's new SAP notes search engine?
asking how to decrypt password should not be a poll.
I had enough with these useless polls.
Users active profile and roles
Question: Hi ,
How to know the active users profiles & roles.
How to get them from SUIM.
Thanks
Answer:
Hello,
profile tables: USR04 (historical USH04).
roles table: AGR_USERS & AGR_USERT.
Nice weekend
Answer:
in SUIM go to Roles -> by user assignment and input one user ID to get roles of particular user or input all users (write *) to get all roles which have at least one user assigned to them.
You won't get nice list from SUIM for profiles so use tables as suggested earlier. However basically profiles are directly related to roles, except of profile SAP_ALL, so it should be enough information from roles.
users able run tcode without access
Question: Hi All,
Some of our users are able to run transaction code AL11 with out having access to it.when i search in suim for the role which has AL11 value in S_tcode and is assigned to the user, it says no role found..but the users are able to run it...How is it possible ? I check in debugging mode, AUTHORITY-CHECK statement is successful.
Can anybody tell why this is happening so..
Thanks,
Chittaranjan
Answer:
I found that I have maintained values as folows..
for S_TCODE object..
to avoid giving access to AL11 ,
S_TCODE from A*...............to AL10*
and again from AL12*.............to OB51 .
with this users are having access to AL11...though it is not coming in any report of SUIM...
If i change it to following then..it works fine..
S_TCODE from A...............to AL10*
and again from AL12*.............to OB51 .
So, because of A*, users are having access..
Please give some input on this .I think if i maintain it as A in stead of A*...users will loose access to some tcodes in between A-AL10 .
Answer:
Do a search in your role for Authorization object using this criteria:
Authorization Object: *Tcode*
We always assume that S_TCODE is the only T_CODE object but unfortunately there are others (P_TCODE, I_TCODE etc...).
Alternately you can also search for Field Name: TCD
That will show you all transaction fields in your role.
Hope this helps
Answer:
I believe that the A* means 'all Tcodes beginning with A' and thus takes the whole range of Tcodes beginning with A.
I've never used the * in a range, preferring to limit by the actual Tcode designation. So I suggest you use A - AL10 and AL12 - OB51 and this should solve your problem.
If it doesn't, consider whether AL11 is called by (or embedded in) another Tcode.
_________________
Best Regards
Bazza
Answer:
even if we given Ranges in roles , SUIM will check ranges also
Answer:
I don
To overcome such problems one SHOULD never use the * value for S_Tcode. This is bad practice. When you need to assign many transactions ONLY assign specific ranges so in this case AA00 to AL10 etc.
Be aware also that EVERY Aduitor will be alarmed when finding the * value for any S_TCODE TCD field in any role.
Users
Question: I've just created a new role with access to assign specific roles in SU01. I also want to limit the users to only creating Communication and System users as the colleagues creating the access are outside my security team and I don't want them creating dialogue users if I can restrict it.
I've had a look in Basis Admin but can't find anything. Does anyone know if this is possible and if so which authorisation object do I need to use
Thanks
Answer:
Not as delivered by SAP. there is a "user Exit" you could use to check this. It will take some sophisticated programming to accomplish this but it is possible.
Answer:
There are other ways to accomplish this programmatically without the user exit. It may also be possible to do this without any program.SXend a note to my sapfans inbox and I'll share some with you. (No obligation; however, they are a part of some proprietary methodologies that I don't want haging around a bulletin board.)
_________________
user-role-tocode or infotype and mode of access to IT
Question: Hi Gurus:
I am working on a response to security audit of our system. I am wondering if you know a report (prefered) or a mix of reports/tables that would give me the data in mass data form, such as: Who are all the users in the system, their roles, their access to t-codes and the Infotypes they can access and the mode of access to the infotypes.
Any input will be appreciated.
Thanks,
Answer:
Hi,
Have a good old rummage around in trasaction SUIM. There are a multitude of possible reports which can be farmed from there.
Cheers,
Answer:
Thanks beem, but SUIM is good for a few users or roles...it is no good when you try to output all the transactions in all the roles.
I don't think it gives you the relationship of roles to infotypes at all. Correct me if i am wrong.
Thanks,
Username And Full Name Query
Question: Is it possible in SQL to get a list of usernames and the relevant full name that is assigned?
I know this can be done in the SUIM, but was wondering how to do this in SQL.
I can "select bname from usr02" for example, but this does not show the long names, and have only found one table so far (adrc) that shows the full name, but appears to have no relation to other tables.
Looking in SAP itself, for example in SU01, I can bring the technical information up for the field, but it does not state the table name where it is pulling the data from.
Any help would be greatly appreciated.
Answer:
If it helps, the field name I'm looking for (in Oracle somewhere) is NAME_TEXT. Although I don't know of any functionality to search for this within a list of tables.
Answer:
Have a look at table V_USERNAME
Answer:
Thanks, that's great.
I don't suppose anyone knows where I can pick up the roles assigned to a user in the same way?
Answer:
AGR_USERS. Beware of expirations!
Answer:
You are a Legend.
Thanks for all the help.
username
Question: hello all
whenever i start my saplogon and try to logon to sap,it displays the list of all the user that have loggod on earlier.i dont want that list to be displayed.how can i do that.
thanks
kaul
Answer:
displays the list of all the user that have loggod on earlier.
Which list is that?
Check the user exit in the logon program. You are perhaps in SM04 or Al08 transaction?
Bob
Answer:
When the GUI comes up (620) you'll see an icon that has color bars in a display (Alt-F12). It brings up a menu. Choose Options.... One of the tabs says Local data. There are options for keeping history and clearing history. Try these. I only tested clearing history. You may want to try turining it off and on and reporting back.
_________________
