Q. How to find out all roles with T-code SU01?
A. You can use SUIM > Roles by complex criteria or RSUSR070 to find out this.
Go to the Selection by Authorization Value.
In Object 1 put S_TCODE and hit enter.
And put SU01 in Transaction code and hit execute (clock with check) button.
I use authorization object, as you can use this to test any object.
You can also get this information directly from table, if you have access to SE16 or SE16N. Execute SE16N
Table AGR_1251
Object S_TCODE
VALUE (low) SU01
Q. How to find out all the users who got SU01 ?
A. You can use SUIM >User by complex criteria or (RSUSR002) to find this out.
Go to the Selection by Authorization Value.
In Object 1 put S_TCODE and hit enter.
And put SU01 in Transaction code and hit execute (clock with check) button.
I use authorization object, as you can use this to test any object.
Q. How to find out all the roles for one composite role or a selection of composite roles?
A. Execute SE16N
Table AGR_AGRS
Composite roles You can put multiple composite roles using the more button
Q. How to find out all the derived roles for one or more Master (Parent) roles?
A. Execute SE16N
Table AGR_DEFINE
Use either agr_name field or Parent_agr field.
Q. How can I check all the Organization value for any role?
A. Execute SE16N
Table AGR_1252
Role Type in the role here and hit execute.
You can always download all the information to spreadsheet also using  .
Q. How do I restrict access to files through AL11?
A. First create an alias. Go to t-code AL11 > configure > create alias.
Let say we are trying to restrict alias DIR_TEMP which is /tmp.
Open PFCG and assign t-code AL11, and change the authorization for S_DATASET as mentioned below
Activity 33
Physical file name /tmp/*
Program Name with Search Help *
Q. How can I add one role to many users?
A. SU10. If you have less than 16 users then you can paste the userids.
If you have more than 16 users – Click on Authorization data and click on  next to users and upload from clipboard  .
Hit the change button and go to the role tab and add the roles to be assigned and hit save.
Q. What are the Best practices for locking expired users?
A. Lock the user. Remove all the roles and profiles assigned to the user. Move them to TERM User group.
Q. How can be the password rules enforced ?
A. Password rules can be enforced using profile parameter. Follow the link to learn more about the profile parameter.
Q. How to remove duplicate roles with different start and end date from user master?
A. You can use PRGN_COMPRESS_TIMES to do this. Please refer to note 865841 for more info.
Q. How come the users have authorization in PFCG, but user still complains with no authorization?
A. Make sure the user master is compared. May be the there is a user buffer overflow
Also check the profile- Follow the instruction below.
SUIM > User by complex criteria.
Put the userid of user who is having issue.
Execute
Double click on the user id and expand the tree. Select the profile in question and see if the authorization is correct or not. If not do the role reorg in PFCG and see if that helps.
Q. How can I have a display all roles.
A. Copy sap_all and open the role and change the activity to 03 and 08
Q. How can I find out all actvt in sap?
A. All possible activities (ACTVT) are stored in table TACT (transaction SM30), and also the valid activities for each authorization object can be found in table TACTZ (transaction SE16).
Q. How to find all the users who got access to change and create users?
A. Click here
PreviousPage NextPage
| 
