USER_AUTH - User Authorizations
Data Description
The USER_AUTH event is used to give a visibility of sensitive user authorizations (based on predefined list + user-input) assigned to SAP users. At the moment extractor supports extraction from single client only.
Following information is collected:
list of users with sensitive roles (EVENT_SUBTYPE=”ROLE”)
list of users with sensitive profiles (EVENT_SUBTYPE=”PROF”)
list of users with sensitive authorizations (EVENT_SUBTYPE=”AUTH”)
list of users with access to sensitive transactions - S_TCODE authorization check (EVENT_SUBTYPE=”TCODE”)
Potential Use Cases
This event could be used in the following scenarios:
Search for users with sensitive authorizations, roles and profiles.
Metric Filters
Metric filter is available in Administrator->Metric Filters->User Authorizations menu option
There are four tabs with could be used to define sensitive authorizations: Roles, Profiles, Authorizations, Transactions.
Roles tab:
Accepts list of sensitive roles. The extractor will also automatically pull all inherited roles. Filter Group could be used to search for role combinations (search for users with few roles based on the same Filter Group field).
Profiles tab
Accepts list of sensitive profiles. The extractor will also automatically pull all combined profiles where indicated one is part of. Filter Group could be used to search for profile combinations (search for users with few profiles based on the same Filter Group field).
Authorizations tab
Accepts list of sensitive authorizations. Filter Group could be used to search for authorizations combinations (search for users with few authorizations based on the same Filter Group field). Auth group will be used to combine auth object field names during the search. ‘Match type’ field could accept following values: Exact match - search for exact value, Pattern match - try to match the pattern during the search (i.e. if you are looking for value SU01, an authorization with value ‘*' will be taken).
Transactions tab
Accepts list of sensitive transactions. Filter Group could be used to search for transactions combinations (search for users with access to few transactions based on the same Filter Group field).