Thursday, 10 October 2013

What is the difference between USOBX_C and USOBT_C?

What is the difference between USOBX_C and USOBT_C?

The table USOBX_C defines which authorization checks are to be performed within a transaction and which not (despite authority-check command programmed ). This table also determines which authorization checks are maintained in the Profile Generator.

The table USOBT_C defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in the Profile Generator. 

What authorization are required to create and maintain user master records?

What authorization are required to create and maintain user master records?

     What authorization are required to create and maintain user master records? 

The following authorization objects are required to create and maintain user master records:

S_USER_GRP: User Master Maintenance: Assign user groups
S_USER_PRO: User Master Maintenance: Assign authorization profile

S_USER_AUT: User Master Maintenance: Create and maintain authorizations

User Buffer

                                                          User Buffer

When a user logs on to the SAP R/3 System, a user buffer is built containing all authorizations for that user. Each user has their own individual user buffer. For example, if user Smith logs on to the system, his user buffer contains all authorizations of role USER_SMITH_ROLE. The user buffer can be displayed in transaction SU56.

A user would fail an authorization check if:

The authorization object does not exist in the user buffer
The values checked by the application are not assigned to the authorization object in the user buffer
The user buffer contains too many entries and has overflowed. The number of entries in the user buffer can be controlled using the system profile parameter auth/auth_number_in_userbuffer.

SAP GRC Access Control: Configuring compliant user provisioning (formerly Virsa Access Enforcer) into CUA Systems

SAP GRC Access Control: Configuring compliant user provisioning (formerly Virsa Access Enforcer) into CUA Systems


Introduction

It is recommended for organizations with complex SAP landscape consisting of many SAP systems to use the Central User Administration (CUA) for user administration tasks. Use of CUA enables security admins to maintain user master records centrally from one system. Even though Access Enforcer provides an ability to perform user provisioning centrally from one place into multiple SAP systems, by no means Access Enforcer has the ability to replace CUA. Access Enforcer mainly deals with compliant automated provisioning. This article describes how to properly configure Access Enforcer to work with CUA. Some troubleshooting steps while using the CUA provisioning from AE are also discussed.

Procedure for Configuring CUA 

        a. Configure Connectors in AE :

1. It is very important to note that connector names in Access Enforcer should be exactly the same as the logical system names defined in CUA master and child systems. The screen shot below displays the logical system names of the CUA master system and one child system.