...
Once in the Role authorizations filter, select the “New Entries” button. Then place the string value for the batch job name role and authorization object details that you would like to collect the data for. Please note that wildcards are accepted.
...
Role - This is the role name for which the authorization object will be extracted for. If you would like the specific authorization object to be extracted for all roles input a wildcard. Otherwise, specify the roles for which you would like the authorization objects to be extracted for.
Object - This is the authorization object for which the data will be extracted. If you would like all authorization objects to be extracted input a wildcard. Otherwise, specify the authorization objects you would like to extract.
Authorization - This is the authorization name associated with the authorization configuration. If you would like all authorization names to be extracted input a wildcard. Otherwise, specify the individual authorization names you would like to extract.
Field name - This is the field name associated with an authorization. For example, a t-code is noted as TCD in AGR_1251.
Sequence - This field is used to make a unique entry into the table if the key fields of Role, Object, Authorization, and Field are identical. This is a numeric field, so if there are identical entries based on the field value combination previously stated, enter a unique sequence number as seen above.
INCL/EXCL - This is an include/exclude flag. Otherwise, use an I to include the objects. If you want to exclude certain objects from being selected input an E
Option - There are two field values which can be entered into this field:
CP – Is used to find all permissions, which includes defined value. So if you defined FLT_LOW=SM18, then it could find LOW=*
EQ – Is used for exact match. For instance if you would like to find permissions where LOW=SM18, and do not need those which have ‘*’. Or even if you need to find all ‘*’ permissions.
Value - These fields are used to define the range of objects that should be extracted. If you would like to extract all transactions between AL08 and SU01 alphabetically, you would input AL08 in the first value field and SU01 in the second value field.
Active - Select this box to enable the configuration. If you would like to disable the configuration uncheck the box.
...
Splunk Event
The event will look like this in Splunk:
...
SAP Navigation
Navigate to this data by using the SE16 t-code and entering the value of AGR_1251 in the Table Name field. Hit the “Enter” key on your keyboard to proceed.
...
The data will then be displayed, which will match the values in Splunk.
...
Field Mapping
The field mapping between the data from SAP and values in Splunk can be seen in the table below:
...
Group Definition/EVENT_TYPE
...
EVENT_SUBTYPE (if applicable)
...
SAP Field Name
...
Splunk Field Name
...
ROLE_AUTH
...
Role Name
...
AGR_NAME
...
ROLE_AUTH
...
Role name description
...
AGR_TEXT
...
ROLE_AUTH
...
Authorization name in user master maintenance
...
AUTH
...
ROLE_AUTH
...
ID whether object is copied
...
COPIED
...
ROLE_AUTH
...
Menu ID for BIW
...
COUNTER
...
ROLE_AUTH
...
N/A
...
CURRENT_TIMESTAMP
...
ROLE_AUTH
...
ID whether object is deleted
...
DELETED
...
ROLE_AUTH
...
N/A
...
EVENT_SUBTYPE
...
ROLE_AUTH
...
N/A
...
EVENT_TYPE
...
ROLE_AUTH
...
Field name of an authorization
...
FIELD
...
ROLE_AUTH
...
Filter value defined in the Metric Filters above
...
FLT_HIGH
...
ROLE_AUTH
...
Filter value defined in the Metric Filters above
...
FLT_LOW
...
ROLE_AUTH
...
Authorization value
...
HIGH
...
ROLE_AUTH
...
Authorization value
...
LOW
...
ROLE_AUTH
...
Client ID
...
MANDT
...
ROLE_AUTH
...
Object status
...
MODIFIED
...
ROLE_AUTH
...
ID whether object is new
...
NEU
...
ROLE_AUTH
...
Internal: Node ID
...
NODE
...
ROLE_AUTH
...
Auth. Object in User Master Maintenance
...
OBJECT
...
ROLE_AUTH
...
N/A
...
UTCDIFF
...
ROLE_AUTH
...
N/A
...
UTCSIGN
...
ROLE_AUTH
...
Variants for Profile Generator
...
VARIANT