This blog contains experience gained over the years of implementing (and de-implementing) large scale IT applications/software.

Values for SAP Auth Objects F_REGU_BUK and F_REGU_KOA

Whilst configuring some new read-only SAP roles for FICO access, you may be struggling to find the descriptions for the actions for authorisation objects F_REGU_BUK and F_REGU_KOA and the values for FBTCH (Action for Automatic Procedure).
The descriptions do not appear in the usual auth object display screens.

Within the SAP GUI, if you go into transaction F110, then from the menu select “Environment -> Authorizations”, a popup will be displayed with the following legend:

Key  Action
02   Edit parameters
03   Display parameters
11   Execute proposal
12   Edit proposal
13   Display proposal
14   Delete proposal
15   Create payment medium proposal
21   Execute payment run
23   Display payment run
24   Delete payment run payment dat
25   Create payment media of paymen
26   Delete payment orders of payme
31   Print payment medium manually

For a read-only role, I would recommend only actions 03, 13, 23 and possibly 31 (in case the electronic BACS payment method breaks).
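The following is an added example, not part of the original post: a small check that flags FBTCH values in F_REGU_BUK / F_REGU_KOA which go beyond the read-only actions recommended above. It generalises to from-to ranges and `*` patterns; the `(object, low, high)` row layout and the sample role content are assumptions made for the example.

```python
# Added example: flag FBTCH values that exceed a read-only payment-run role.
# Keys and texts are the F110 legend quoted above (truncated texts kept as shown).
F110_ACTIONS = {
    "02": "Edit parameters", "03": "Display parameters",
    "11": "Execute proposal", "12": "Edit proposal",
    "13": "Display proposal", "14": "Delete proposal",
    "15": "Create payment medium proposal", "21": "Execute payment run",
    "23": "Display payment run", "31": "Print payment medium manually",
    "24": "Delete payment run payment dat",
    "25": "Create payment media of paymen",
    "26": "Delete payment orders of payme",
}
READ_ONLY = {"03", "13", "23"}   # display actions recommended in the post
OPTIONAL = {"31"}                # manual print, only as a fallback
OBJECTS = {"F_REGU_BUK", "F_REGU_KOA"}

def expand(low, high=""):
    """Resolve one FBTCH entry (single value, from-to range, or '*' pattern)."""
    low, high = low.strip(), high.strip()
    if low.endswith("*"):        # '*' or a prefix pattern such as '1*'
        return {k for k in F110_ACTIONS if k.startswith(low[:-1])}
    if high:                     # inclusive from-to range
        return {k for k in F110_ACTIONS if low <= k <= high}
    return {low}

def audit(rows):
    """rows: (object, low, high) tuples; this layout is assumed for the example."""
    findings = []
    for obj, low, high in rows:
        if obj not in OBJECTS:
            continue
        for key in sorted(expand(low, high) - READ_ONLY):
            if key not in F110_ACTIONS:
                verdict = "unknown key"
            elif key in OPTIONAL:
                verdict = "review: fallback only"
            else:
                verdict = "exceeds read-only"
            findings.append((obj, key, F110_ACTIONS.get(key, "?"), verdict))
    return findings

# Constructed sample role content, not taken from a real system.
SAMPLE_ROLE = [
    ("F_REGU_BUK", "03", ""), ("F_REGU_BUK", "11", "15"),
    ("F_REGU_KOA", "*", ""), ("S_TCODE", "21", ""),
]

if __name__ == "__main__":
    print(*audit(SAMPLE_ROLE), sep="\n")
```
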

All Reports & Transactions Under SUIM

The list below is useful if you are constructing a role to house the SUIM capabilities:

Users by System S_BIE_59000198

Users by Roles S_BIE_59000199

Users by Profiles S_BIE_59000197

Users by Address Data S_BCE_68001393

Users by Complex Selection Criteria S_BCE_68001400

By user ID S_BCE_68001394

By Role S_BCE_68001399

By Profiles S_BCE_68001395

By Authorizations S_BCE_68001396

By Authorization Values S_BCE_68001397

By Transaction Authorizations S_BCE_68001398

By Critical Combinations of Authorizations at Transaction Start S_BCE_68001401

With Unsuccessful Logons S_BCE_68001402

By Logon Date and Password Change RSUSR200

List of Users With Critical Authorizations S_BCE_68001403

With Critical Authorizations (New Version) S_BCE_68002111

Roles by Complex Selection Criteria S_BCE_68001425

By Role Name S_BCE_68001418

By User Assignment S_BCE_68001419

By Transaction Assignment S_BCE_68001420

By MiniApp S_BIE_59000249

By Profile Assignment S_BCE_68001421

By Authorization Object S_BCE_68001422

By Authorization Values S_BCE_68001423

By Change Dates S_BCE_68001424

Profiles by Complex Selection Criteria S_BCE_68001409

By Profile Name or Text S_BCE_68001767

By Profiles Contained S_BCE_68001404

By Authorizations S_BCE_68001405

By Authorization Values S_BCE_68001406

By Last Change S_BCE_68001407

By Role S_BCE_68001408

Authorizations by Complex Selection Criteria S_BCE_68001417

By Object S_BCE_68001414

By Values S_BCE_68001415

By Last Change S_BCE_68001416

Authorization Objects by Complex Selection Criteria S_BCE_68001413

By Object Name, Text S_BCE_68001410

By Object Class S_BCE_68001411

By Field, Text S_BCE_68001412

Executable Transactions (All Selection Options) S_BCE_68001429

Executable for User S_BCE_68001426

Executable for Role S_BCE_68002041

Executable with Profile S_BCE_68001427

Executable with Authorization S_BCE_68001428

From users S_BCE_68001430

from Roles S_BCE_68001777

From profiles S_BCE_68001431

From authorizations S_BCE_68001432

In Users S_BCE_68001399

In Users S_BCE_68001395

In Roles S_BCE_68001421

In Composite Profiles S_BCE_68001404

In Users S_BCE_68001396

In Profiles S_BCE_68001405

In Users S_BCE_68001397

In Roles S_BCE_68001423

In Profiles S_BCE_68001406

In Authorizations S_BCE_68001415

In Programs S_BCE_68002030

For Users S_BCE_68001439

for Role Assignment RSSCD100_PFCG_USER

For Roles RSSCD100_PFCG

For Profiles S_BCE_68001440

For Authorizations S_BCE_68001441

SAP Authorisation Objects Naming Convention

The first letter of an SAP authorisation object name is coded to represent the SAP module to which it belongs (e.g. F_KNA1_BUK):

A   Assets Accounting
C   Classification System
E   Consolidation
F   Financial Accounting
G   Special Ledger
K   Controlling
L   Logistic execution
M   Materials Management
P   Human Resources
S   Basis
V   Sales and Distribution

If the second character is an underscore, this indicates that the authorisation object is an SAP standard one.

Use transaction SU03, SU21 or table TOBJ to list the authorisation objects in the system and drill down into the authorisation fields and their possible values.

If using the tables, you may need the other related tables to pull the texts: TOBJ, TOBC (classes), TOBJT.

SAP Users With Roles Not Assigned via Composite Roles

Have you ever needed to list SAP roles that are assigned to user accounts, but show only the single roles that are directly assigned (not single roles inherited through composite roles)?

Here's how you can do it:
Using SE16, get the records from the AGR_USERS table with field COL_FLAG = ' '.

Relate this to the BNAME field of table USR02 to decide if the user account is locked (valid) or not in use anymore.

I’ve also discovered this can be done in transaction S_BCE_68001394 (Users by User ID).  You just input * into the user ID field, execute the report and then sort the two columns for “Direct Assignment” and “Role Type”.  This will give you the Single roles assigned directly.
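The table approach above, as an added example that is not part of the original post: extract rows loaded into an in-memory SQLite database and joined the way the post describes. AGR_USERS.COL_FLAG and USR02.BNAME come from the post; the use of USR02.UFLAG (0 meaning not locked) for the lock check and all sample rows are assumptions made for the example.

```python
import sqlite3

# Added example. AGR_USERS.COL_FLAG and USR02.BNAME come from the post;
# USR02.UFLAG (0 = not locked) is an assumption added here for the lock check.
QUERY = """
SELECT a.UNAME, a.AGR_NAME,
       CASE WHEN u.BNAME IS NULL THEN 'no USR02 record'
            WHEN u.UFLAG = 0     THEN 'not locked'
            ELSE 'locked' END AS status
  FROM AGR_USERS a
  LEFT JOIN USR02 u ON u.BNAME = a.UNAME
 WHERE COALESCE(TRIM(a.COL_FLAG), '') = ''   -- blank: not via a composite role
 ORDER BY a.UNAME, a.AGR_NAME
"""


def direct_assignments(agr_users, usr02):
    """Return (user, role, status) for roles assigned directly to a user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE AGR_USERS (UNAME TEXT, AGR_NAME TEXT, COL_FLAG TEXT)")
    db.execute("CREATE TABLE USR02 (BNAME TEXT, UFLAG INTEGER)")
    db.executemany("INSERT INTO AGR_USERS VALUES (?, ?, ?)", agr_users)
    db.executemany("INSERT INTO USR02 VALUES (?, ?)", usr02)
    rows = db.execute(QUERY).fetchall()
    db.close()
    return rows


# Constructed extract rows: (user, role, COL_FLAG) and (user, UFLAG).
AGR_USERS_ROWS = [
    ("ALICE", "Z_FI_DISPLAY", " "), ("ALICE", "Z_FI_AP_CLERK", "X"),
    ("BOB", "Z_BASIS_MONITOR", " "), ("BOB", "Z_MM_BUYER", "X"),
    ("CAROL", "Z_FI_DISPLAY", " "),
]
USR02_ROWS = [("ALICE", 0), ("BOB", 64)]

if __name__ == "__main__":
    for row in direct_assignments(AGR_USERS_ROWS, USR02_ROWS):
        print(*row, sep=" | ")
```
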

GRANT or REVOKE on User in DB Link Connection

If you GRANT additional privileges to an Oracle user who is used in a DB Link connection (from another database), then if the DB Link is already open and in use (the target DB has ACTIVE or INACTIVE sessions), you will need to close the DB link connection before you see the new privileges.
The same is true if you grant a new role to the user.

However, if you REVOKE privileges from an Oracle user who is used in a DB Link connection then these changes are seen immediately the next time the user is used to perform an operation across the DB link.