Question { 8458 }

In 4.7 EE, we have an option as User -> Settings ->
Automatic Comparison at Save.
Is it right if i say that this option checked will
automatically prompt for User cpompare when we simply save
the data after entering the users to the role?
But whether the option is checked or not i did not get any
prompt for User compare on saving the data after entering
Users info in the role.

My another doubt is whats the difference between User and
Complete Compare options. If i dont do complete Compare,
wiill that effect? Is it right if i say that User compare
assigns the users to the role and Complete Compare updates
the user master recoirds , i.e., User master record
comparison is current.

Answer

Hi,
This is Subal from Accenture.
the option is :Utilities-->settings-->
Automatic UM adjustment whn saving role.

If you check this option system will not prompt you for
user comparision rather it will actually do the complete
comparison while saving the role.
you can easily check this by watching the status message
carefully [reconsiliation.....]while saving the role.
This is the reason why it takes longer time while saving
the role as compared to normal saving.

Question { Accenture, 26729 }

Hi This is Prakash .

Can any one tell me what is the use of SU24 and SU25
transaction code exactly

Answer

Hi ,
This is Subal working @ accenture.

SU25- It is used as one of the post installation activities.
There are already two tables usobt [contains related
authorization objects associated with a particular tcode]
and usobx [check table ie what all authorization objects
will be checked ["yes" ]in response to access for that
particular tcode].

So when we perform SU25--> initially fill the customer
tables:
usobt gets copied to usobt_c
usobx gets coppied to usobx_c
Su25 should be performed for one time.

c stand for customer specific.
----------------------
SU24 is used to display/change what all auth objects are
kept as check yes/no [Or do not check at all]
we can maintain/change the option as well.

For Eg: tcode su01 is related to 53 auth object but only 10
are kept for check "yes" --> these 10 object can be
maintained from PFCG later on.

Question { IBM, 19034 }

In ECC6 can we change the number of dialog workprocesses
without restarting the system and with out using operation
modes?

Answer

Answer will be No, we can not because of the two condition
included.
1]with out restart--> bar the use of parameter[RZ10]
2]With out OP Mode--> bar the use of RZ04

Regards,
SUBAL

Question { 9693 }

How can a client be locked?

Answer

I dont know about direct tcode:
You can proceed following way:
Call SE37-->Execute Fn module:SCCR_LOCK_CLIENT.
It will ask for value of client
Enter the client No and Save.

Question { IBM, 23544 }

wha is the purpose of parameters tab in su01?

Answer

Hi,
This is subal from Accenture.

The frequently keyd data can be stored by using parameter.
for Eg: If you are running Va01,in its initial screen you
need to put all field value every day like sale
org,distribution channel,sales area etc.
We can reduce this hectic job by storing the parameter
value in SU01--> parameter tab for that particular user.
Enter Pid and value there and save.
from next time onwards if the user hits Va01 he will get
all the values automatically coming in initial screen.
similar like "variant".
if issue in understanding call me :09246275973

Regards,
Subal

Question { 36178 }

what is the use of tcode pfud?what is it's advantage?

Answer

PFUD is used to perform User Master data comparison
Massively.

Advantage is it can do the comparison massively as compared
to the PFCG [Though from PFCG we can go to PFUD].

Question { IBM, 7153 }

when user sends su53 report how do you which of his roles
you need to modify?

Answer

Hi,
This is Subal from Accenture.

steps:Goto SUIM-->roles by complex selection criteria
Enter the authorization object name in object field:
enter those auth fields with values that are showing on red
shadow in SU53 report.
click on execute
this will show all the available roles that are holding the
missing authorizatin.
It's a best practice to see if there is already role
available or not before modifying a role.
----------------------
Role modification:

First see if the access[tcodes] belongs to which functioanl
module/area then reach out to relevant Business Process
Owner and ask them which parent role to modify.
After they suggest /approve you can go ahead and modify the
role.

Question { IBM, 13485 }

If you don't have authorization for executing suim tcode,how
do you get user reports?can you access usr* tables in se16
without authorizations for suim?

Answer

Hi,

You may not have access to tcode SUIM.
but please see if you have access to Roles by complex
selection criteria and so on.Like following:

S_BCE_68001425 - Roles by Complex Criteria
S_BCE_68001420 - By transaction assignment
S_BCE_68001439 - For user
S_BCE_68001429 - Transactions for User

If your role is security Admin then you should have atleast
following access.Just check with that.

Moreover,If you have access to SE16 you can get the report
easily for that you need to which table holds which data.
Say you need to know what all tcodes are there in
particular role:
You can see the table: AGR_TCODES.

Regards,
Subal

Question { 7213 }

i haven taken training on sap basis... right now i m looking
for job .what we are doing in trace (st01)explain in detailed.

Answer

Hi ,

this is Subal from Accenture.
ST01 is mainly used to trace user's authorization access.
When we can not make out [by use of SU53]what is missing
for a particular user that he can not access certain things.
We use ST01 to trace the user's action and thereby find out
missing authorizations.

Steps:St01
check authorization check
click on general filter and give user whose trace you want
click on Trace On
save the setting.
---------------------------
Now ask the user to perform the task he was doing --and
complained for missing access.
after his complation
----------------------
Come to st01 again
click on trace off [this is very important to turn it off]
click on analysis button -->give the from date&time and to
date&time accurately.
execute
you will get detailed description of users action with
missing auth [that come with rc >0]

------------------------
note those auth obj and field for which user had issue.
find role and assign the user to give needed access.
--------------------------------
I think this is detailed enough.....

Regards,
SUBAL

Question { 47097 }

What is fire fighter ? When we are using fire fighter?

Answer

Fire Fighter is used if you have implemented Virsa/GRC

Fire fighter is also a nomal user ID but having some
specific access [Say Su01 or SAP_ALL]as per the needs.
User type is kept as "service user'

when it is used:
Say, in your project you are security administrator who
does not have access to direct SU01 but you needs the
access urgently.
then FFID owner/administrator assigns you a FFID for
limited period so that you can perform the task from your
login ID and pwd,using tcode /n/virsa/vfat and login with
that FFID.
while loging you will be prompted to give business reason
for access.

everything you perform in that period [Using FFID]gets
recorded for auditing.

Regards,
Subal

Question { 10338 }

1.How do I assign roles to a specific group, not to a
specific user, and apply the roles to all users in that
group? This particular group has four users.?

Answer

Did you mean User group [SUGR]?
if yes then you can not assign roles to user group.

But you can easily assign the roles to users filtered by
the group by using SU10 fullfilling your goal of assigning
roles to 4 users.

Regards,
Subal
9246275973

Question { iGate, 16027 }

a user says he couldn't login.his account isn't locked,not
expired,no network issues.what will you do?

Answer

Hi,

Check if the server is Up or not.
If Up then see if the user is using right password.
If down then make the system up first then login.

Regards,
Subal

Question { iGate, 4922 }

how do you register developers?

Answer

Hi,
This is Subal from Accenture.

Goto service.sap.com [service marketplace]
you need to have S-user id and valid password to enter.
-----------------------
click on Keys & Request-->
click on SSCR keys
in box service corner --> click on "register developer"
enter the sap user ID [Id of developer]
choose installation No
click on register
it will generate developer access key for that particular
user.
-----------------------------

Regards,
Subal

Question { iGate, 10476 }

This is in continuataion to the previous question.
a user is assigned with tcode SA38.how to restrict him to
execute only a few reports,say rsusr003.If you're going to
modify the role(having sa38) assigned to the user,that will
affect other users also because that role might be assigned
to multiple users.I don' want that to happen.so what is the
solution?

Answer

Hi,

In that case you need to create a new role for such users.
Remove the SA38 role.
Create a new role with the required reports and assign the
role to the user.

Thus user will loose access to SA38 and get direct access
to required reports eg rsusr003.

Regards,
Subal

Question { IBM, 27707 }

what is use of su10 and how to use this T-code can any one
tell me your knowledge thanks in advance

Answer

This is user maintenance tcode where we can maintain users
massively whereas in su01 we can maintain one user at a
time.
Su10 is use to lock/unlock/change/delete users massively in
SAP system.
This is very use full when you need to assign 10 roles set
to say 10 users.

Regards,
Subal