How to view recently used transactions by users

There are various ways to do that; two of the quickest are:

1) Turn the audit log on by using SM19 and SM20 and analyze the audit logs. Put filters in place while setting up these logs so that you can see the specific data.

2) In ST03N / ST03, you can analyze the transactions run by users by selecting the “User Profile” under the “Analysis Views” section.

Note: ST03N keeps limited data.

You can use STAD too, more on that later…

SAP System Administration: Authorization Concepts

Access control in SAP is composed of several concepts:

Program code that calls an authorization check using the authority-check statement. This will look something like:
authority-check object <object> id <field> field <value>.

Authorization fields (corresponding to the <field> in the above code) that define a scope of possible values. Examples of authorization fields would be:

ACTIVITY: defines the type of activity the user is doing with the data. Possible values are ‘DISPLAY’, ‘MODIFY’, ‘DELETE’, etc.

COMPANY_CODE: possible values are any single value, or any range of values, or any combination thereof (such as ‘0438’ and ‘0600’ thru ‘1100’)

Authorization objects that define a group of fields. For example, an authorization object called ‘CO_MDATA’, containing our above fields ACTIVITY and COMPANY_CODE, might be used to control access to the company master data tables.

Authorizations, each of which belongs to exactly one authorization object, that define authorization values (within the scopes defined by the authorization objects) to be granted to users. Note that an authorization is different from an authorization object! Extending our previous examples, we might have an authorization, belonging to the authorization object ‘CO_MDATA’, called ‘CO_MDATA_ALL’, that grants all access to all company master data. Then ‘CO_MDATA_ALL’ would have the following values:

FIELD VALUE
ACTIVITY *
COMPANY_CODE *

Profiles, each of which may contain several authorizations or profiles. A simple profile contains a group of authorizations. A composite profile contains a group of profiles (simple or composite). [Profiles can be conceptualized as forming the structure of a tree, in which end nodes (leaves) are authorizations, and all other nodes are profiles. Simple profiles are nodes whose children are all end nodes, and composite profiles are nodes, other than end nodes, who have no end nodes for children.]

Profiles are designed to define a set of one or more functions or positions. For example, a functional profile might define all the authorizations that are required for doing a goods receipt, or for making a payment in the AP module. A position profile, on the other hand, might define all of the authorizations that are granted to an accountant, or to a warehouse supervisor. Often, a position profile is a composite profile consisting of several functional profiles.

Users, to whom profiles are assigned. A user is assigned one or more profiles by the system administrator. These profiles define all of the user’s system authorizations. It sounds complicated, but once you start working with authorizations, it’s pretty easy.
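
The concepts above, modelled end to end as an added example (Python, not SAP code and not from the original page): a profile tree is flattened to its authorizations and a check is evaluated against them. The profile and authorization names other than CO_MDATA and CO_MDATA_ALL are made up, and the rule that a single authorization must cover every checked field reflects how the check behaves in SAP rather than anything stated on this page.

```python
from dataclasses import dataclass, field


@dataclass
class Authorization:
    """Leaf node: values granted for the fields of exactly one authorization object."""
    name: str
    auth_object: str
    values: dict  # field -> list of "*", single values, or inclusive (low, high) ranges


@dataclass
class Profile:
    """Simple profile: children are authorizations. Composite: children are profiles."""
    name: str
    children: list = field(default_factory=list)


def value_allowed(granted, requested):
    """True if `requested` matches any granted entry (wildcard, single value, range)."""
    for entry in granted:
        if entry == "*" or entry == requested:
            return True
        if isinstance(entry, tuple) and entry[0] <= requested <= entry[1]:
            return True
    return False


def flatten(node, seen=None):
    """Walk the profile tree and yield every authorization (leaf) below `node`."""
    seen = set() if seen is None else seen
    if isinstance(node, Authorization):
        yield node
        return
    if node.name in seen:  # guard against a profile nested inside itself
        return
    seen.add(node.name)
    for child in node.children:
        yield from flatten(child, seen)


def authority_check(user_profiles, auth_object, **requested):
    """Pass only if ONE authorization for the object covers ALL requested fields.

    Values from different authorizations are deliberately not combined.
    """
    for profile in user_profiles:
        for auth in flatten(profile):
            if auth.auth_object != auth_object:
                continue
            if all(value_allowed(auth.values.get(f, []), v) for f, v in requested.items()):
                return True
    return False


# Constructed sample data built on the page's hypothetical object CO_MDATA.
CO_MDATA_ALL = Authorization("CO_MDATA_ALL", "CO_MDATA",
                             {"ACTIVITY": ["*"], "COMPANY_CODE": ["*"]})
CO_MDATA_DISP = Authorization("CO_MDATA_DISP", "CO_MDATA",
                              {"ACTIVITY": ["DISPLAY"],
                               "COMPANY_CODE": ["0438", ("0600", "1100")]})
CO_MDATA_MOD = Authorization("CO_MDATA_MOD", "CO_MDATA",
                             {"ACTIVITY": ["MODIFY"], "COMPANY_CODE": ["0438"]})

P_DISPLAY = Profile("P_CO_DISPLAY", [CO_MDATA_DISP])           # simple, functional
P_MODIFY = Profile("P_CO_MODIFY", [CO_MDATA_MOD])              # simple, functional
P_ACCOUNTANT = Profile("P_ACCOUNTANT", [P_DISPLAY, P_MODIFY])  # composite, position
P_ADMIN = Profile("P_ADMIN", [Profile("P_CO_ALL", [CO_MDATA_ALL])])
```

With P_ACCOUNTANT, MODIFY on company code 0750 is refused even though the user holds MODIFY (for 0438) and 0750 (for DISPLAY), because no single authorization contains both values.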

SAP Derived Roles

As the name indicates, derived roles are derived from already existing roles.
There are two scenarios in which we derive roles.

* The role menus are identical but the authorizations for the menu actions are different in the derived role.
* The menu and authorizations of the derived role are identical, but the organizational levels are different in the derived role.

The derived roles inherit the menu structure and functions (including transactions etc…) of the referred role.

The default authorization values of the derived role are that of the inherited role. The organizational values are to be maintained in the derived role.
The organization level data is only copied the first time the authorization data is adjusted for the derived role. If organization level data is maintained in the derived role, it is not overwritten by subsequent adjustments.

Roles derived from another role cannot have any additional menu entries. The menu is maintained in the referred role, and changes to it take effect immediately in all derived roles.

To change the menu of the derived role without changing the menu of the referred role, you have to break the inheritance relationship. Once the relationship is broken, the derived role is treated as a normal role and the inheritance relationship cannot be re-established.

SAP Composite Roles

Composite Roles:
Suppose there is a position in your organization in which the activities of two positions need to be performed; the role for it is called a composite role.
Take an example. There are two positions, a clerk and an auditor. If there is a position in your organization where the individual has to act both as a clerk and as an auditor, then the role is a composite role, which requires him/her to work as both a clerk and an auditor. This is quite a common scenario in organizations or companies.
A composite role has many single roles. No authorization data can be maintained in a composite role. You can enter only some menu entries, such as links to websites and reports. Tcodes cannot be added. The authorization data has to be maintained only in the single roles.
When you attach a composite role to a user, all the single roles get attached to the user. The change documents show that the single profiles belonging to the single roles get attached. Suppose a composite role has 3 single roles: when you attach this composite role to a user, 3 authorization profiles get attached to the user. The change count in SUIM will be 3.

What is an authorization Role in SAP?

A role is the way authorizations are granted in SAP, or the way the activities performed by an individual are restricted. A role consists of all the duties performed by an individual in the organization, e.g. the clerk, the manager, the buyer, the dispatcher, etc. Two managers of the same cadre have the same type of duties. Technically, a role contains all the items (transactions or tcodes, reports, links) which are needed by an individual in a particular position. In a role-based authorization system, the lattice structure of the organization is well defined and the activities performed by each individual are clearly defined. In a role-based authorization system, the users are assigned to generic (technical) roles which contain the tcodes necessary for performing the job. The above description is of a single role.

There are three types of roles.

o Single roles
o Composite roles
o Derived roles

How to check if CUA is used in a System

You can quickly run transaction SU01 and see whether the “Systems” tab is available. If it is, then CUA has been configured. There is another way to see whether CUA is used: run transaction code SCUA to see if there are any distribution models defined. Run transaction code SCUL to view the logs that are generated by CUA. If you have logged into a child system, go to transaction code SU01 and you will see that there is no CREATE activity.

List of SAP Security Tables

USR* tables contain user master information.
AGR* tables contain data about roles.
USH* tables hold change document information.
You can use SQVI or SE16 to get data from these tables.

Table Description
AGR_1016 Name of the activity group profile
AGR_1016B Name of the activity group profile
AGR_1250 Authorization data for the activity group
AGR_1251 Authorization data for the activity group
AGR_1252 Organizational elements for authorizations
AGR_AGRS Roles in Composite Roles
AGR_DEFINE Role definition
AGR_HIER2 Menu structure information – Customer vers
AGR_HIERT Role menu texts
AGR_OBJ Assignment of Menu Nodes to Role
AGR_PROF Profile name for role
AGR_TCDTXT Assignment of roles to Tcodes
AGR_TEXTS File Structure for Hierarchical Menu – Cus
AGR_TIME Time Stamp for Role: Including profile
AGR_USERS Assignment of roles to users
USER_ADDR Address Data for users
USGRP User groups
USGRPT Text table for USGRP
USH02 Change history for logon data
USOBT Relation transaction to authorization object (SAP)
USOBT_C Relation Transaction to Auth. Object (Customer)
USOBX Check table for table USOBT
USOBX_C Check Table for Table USOBT_C
USOBXFLAGS Temporary table for storing USOBX/T* chang
USR01 User Master Data (runtime data)
USR02 Logon data (password,user name, validity date etc..)
USR04 User master authorization (one row per user)
USR06 License data
USR10 Authorisation profiles (i.e. &_SAP_ALL)
USR11 Text for authorisation profiles
USR12 Authorisation values
USR13 Short text for authorisation
USR40 Table for illegal passwords ( never enter * in this table)
UST04 User profiles (multiple rows per user)
UST10C Composite profiles (i.e. profile has sub profile)
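
One way to use these tables for an access review, as an added example that is not part of the original page: expand composite roles (AGR_AGRS) for each user (AGR_USERS) and list who can start a given transaction according to AGR_1251. The CSV extracts, role names and user names are constructed; the column names (AGR_NAME, CHILD_AGR, UNAME, OBJECT, FIELD, LOW, HIGH) and the object S_TCODE with field TCD are assumptions not shown on the page, so verify them in SE16 on your release.

```python
import csv
import io
from collections import defaultdict

# Constructed SE16-style extracts (CSV). All role and user names are made up.
AGR_AGRS = """AGR_NAME,CHILD_AGR
Z_C_CLERK_AUDITOR,Z_S_CLERK
Z_C_CLERK_AUDITOR,Z_S_AUDITOR
"""
AGR_USERS = """AGR_NAME,UNAME
Z_C_CLERK_AUDITOR,JDOE
Z_S_CLERK,ASMITH
Z_S_BASIS,BADMIN
"""
AGR_1251 = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_S_CLERK,S_TCODE,TCD,FB03,
Z_S_AUDITOR,S_TCODE,TCD,SM20,
Z_S_AUDITOR,S_TCODE,TCD,SUIM,
Z_S_BASIS,S_TCODE,TCD,SM01,SM99
Z_S_BASIS,S_TCODE,TCD,SU*,
"""


def rows(text):
    """Parse one CSV extract into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def single_roles_by_user(agr_users, agr_agrs):
    """Expand composite roles so each user maps to the single roles effectively held."""
    children = defaultdict(set)
    for r in rows(agr_agrs):
        children[r["AGR_NAME"]].add(r["CHILD_AGR"])
    result = defaultdict(set)
    for r in rows(agr_users):
        # A composite role contributes its single roles; a single role contributes itself.
        result[r["UNAME"]] |= children.get(r["AGR_NAME"], {r["AGR_NAME"]})
    return dict(result)


def tcode_matches(low, high, tcode):
    """Match a LOW/HIGH entry: inclusive range, trailing-* pattern, or exact value."""
    if high:
        return low <= tcode <= high
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return low == tcode


def users_with_tcode(tcode, agr_users=AGR_USERS, agr_agrs=AGR_AGRS, agr_1251=AGR_1251):
    """Return {user: set of single roles} for roles whose S_TCODE values cover `tcode`."""
    granting_roles = {
        r["AGR_NAME"] for r in rows(agr_1251)
        if r["OBJECT"] == "S_TCODE" and r["FIELD"] == "TCD"
        and tcode_matches(r["LOW"], r["HIGH"], tcode)
    }
    hits = {}
    for user, roles in single_roles_by_user(agr_users, agr_agrs).items():
        matched = roles & granting_roles
        if matched:
            hits[user] = matched
    return hits


if __name__ == "__main__":
    for tcode in ("SU01", "SM20", "FB03"):
        print(tcode, users_with_tcode(tcode))
```

Range and wildcard entries are where manual SE16 filtering usually misses access: here BADMIN reaches SM20 through the range SM01 to SM99, although no row names SM20 for that role.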

This is the full list of USR, USH & AGR tables:

Table name Description
AGRR2 R2 transfer structure
AGRR2T R2 roles transfer structure – Texts
AGR_1016 Name of the activity group profile
AGR_1016B Name of the activity group profile
AGR_1250 Authorization data for the activity group
AGR_1251 Authorization data for the activity group
AGR_1252 Organizational elements for authorizations
AGR_1253 Authorization Data for Activity Group – Static Objects
AGR_AGRS Roles in Composite Roles
AGR_AGRS2 Role definition
AGR_ATTS Role attributes
AGR_BOR_DTL Extended BOR Details for Menu Nodes
AGR_BUFFI Internet Links for a Role
AGR_BUFFI2 Internet links table – Customer version of SAP roles
AGR_BUFFI3 Internet links table – SAP versions of SAP roles
AGR_CATS Transfer structure for categories/PFCG start
AGR_CUSTOM Role Customizing objects
AGR_DATEU Personal settings for roles
AGR_DEFINE Role definition
AGR_EXT_DTL Extended Details for Menu Nodes
AGR_FAVOS Personal settings for PFCG
AGR_FILT Transfer table filter for PRGN_TREE_START
AGR_FLAGS Role attributes
AGR_FLAGSB Role attributes
AGR_HIER Table for Structure Information for Menu
AGR_HIER2 Menu structure information – Customer version of SAP roles
AGR_HIER3 Menu structure information – SAP version of SAP roles
AGR_HIERT Role menu texts
AGR_HIERT2 Role menu texts – Customer version of SAP objects
AGR_HIERT3 Role menu texts – SAP Original
AGR_HIER_BOR Table for Object-Oriented Navigation (OBN)
AGR_HPAGE Role Home Page
AGR_HPAGET Description of the Home Page for a Role
AGR_ICON Display the status icon in the Profile Generator
AGR_INFO Filter Values from Generation Run
AGR_LOGSYS Logical system
AGR_LSD Role attributes
AGR_MAP MiniApp and Text
AGR_MAPP MiniApps in Role
AGR_MAP_KNUMA Conversion Table AG_GUID CRM <> KNUMA
AGR_MARK Table for report SAPPROFC_NEW
AGR_MEM_INITIAL Agreements: Buffer for Intial Upload
AGR_MINI MiniApps in Role
AGR_MINI2 MiniApps in Role
AGR_MINIT Role mini-appl texts
AGR_MINIT2 Role mini-application texts
AGR_NSPCE Namespace
AGR_NUMBER Internal Counter for Assigning Profile Names
AGR_NUM_2 Internal Counter for Assigning Profile Names
AGR_OBJ Assignment of Menu Nodes to Role
AGR_POPUP Structure for dialog box
AGR_POPUP2 Structure for transaction assignment
AGR_POPUP3 Auxiliary structure to input authorization objects
AGR_PROF Profile name for role
AGR_REL_KNUMA_CM Assignment: Agreement –> Campaign
AGR_SELECT Assignment of roles to Tcodes
AGR_SHIER Structure for the Drag and Drop Tool
AGR_SHIERT Structure for the Drag and Drop Tool
AGR_SHIER_BOR Structure for Additional Details with no STRING Field
AGR_SMENU Transfer structure for role maintenance
AGR_SPRTXT Structure for the Drag and Drop Tool
AGR_START Start Role Maintenance: Structure for Tree
AGR_STRING Structure for the Drag and Drop Tool
AGR_STRUC Structure to transfer Tcodes into the Profile Generator
AGR_ST_NAME Role Name
AGR_TAB PFCG start tree transfer structure
AGR_TCDTXT Assignment of roles to Tcodes
AGR_TCODE3 Assignment of roles to Tcodes
AGR_TCODES Assignment of roles to Tcodes
AGR_TCODES_TEXTS Transaction Codes with Texts from AGRs
AGR_TEXTS File Structure for Hierarchical Menu – Customer
AGR_TIME Time Stamp for Role (Menu, Profile, Authorizations)
AGR_TIMEB Time Stamp for Role (Profile Generation)
AGR_TIMEC Time Stamp for Role (User Assignment)
AGR_TIMED Time Stamp for Role (Profile Comparison, RFC Distribution)
AGR_TRAN Transport modules of external personalization objects
AGR_TRANS Help Structure for Translation
AGR_TXT Role and Text
AGR_UPLO Stucture for upload node types
AGR_UPLT Stucture for upload node types
AGR_UPLTX Stucture for upload description text
AGR_USERS Assignment of roles to users
AGR_USERT Assignment of roles to users
USH02 Change history for logon data
USH02_ARC_TMP Change History for Logon Data: Last Entries from Archive
USH04 Change history for authorizations
USH04_ARC_TMP Authorizations Change History: Last Entries from Archive
USH10 Change history for authorization profiles
USH10_ARC_TMP Change History for Profile Data: Last Entries from Archive
USH12 Change history for authorization values
USH12_ARC_TMP Change History for Authorizations: Last Archive Entries
USR01 User master record (runtime data)
USR02 Logon Data (Kernel-Side Use)
USR03 User address data
USR04 User master authorizations
USR05 User Master Parameter ID
USR06 Additional Data per User
USR06SYS System-Specific User Classification (License-Related)
USR07 Object/values of last authorization check that failed
USR08 Table for user menu entries
USR09 Entries for user menus (work areas)
USR10 User master authorization profiles
USR11 User Master Texts for Profiles (USR10)
USR12 User Master Authorization Values
USR13 Short Texts for Authorizations
USR14 Surchargeable Language Versions per User
USR15 External User Name (Replaced By Table USRACL)
USR16 Values for Variables for User Authorizations
USR20 Date of last user master reorganization
USR21 Assign user name address key
USR21S Shadow table: Assignment of user name to address key
USR22 Logon data without kernel access
USR30 Additional Information for User Menu
USR40 Table for illegal passwords
USR41 User master: Additional data
USR41_MLD Transaction Data for USR41
USRACCNTV Generated Table for View USRACCNTV
USRACL SNC Access Control List (ACL): User
USRACLEXT Extended SNC Access Control List (ACL) for Users
USRARCSTAT Reloaded Archiving Runs
USRATTR Additional Attributes for Users
USRBF User Buffer Contents for Fast RFC Logon
USRBF2 User buffer content for fast RFC logon – new
USRBF3 User Buffer Content for Fast RFC Logon – New
USRCD Structure for Change Documents Display in RSUSR100
USRCDT Structure for Change Documents (Technical View)
USRCOBJ Object Filters for Exploding Product Structures
USRCOMB Critical Combinations of Authorizations
USRCOMBT Short Texts for Critical Combinations of Authorizations
USRCRCOMB Part List of Variants for Critical Combinations of Auths
USRDFLT User Settings Field/Value Combination
USRDFLT_KEY Key for User Settings
USRDFLT_PERS User Settings
USRDFLT_PERS_ALV User Settings – ALV Display
USREF Transfer structure for cross-reference function modules
USREFUS Reference user for internet applications
USREFUSVAR Assignment of Reference User Variabe to Reference User
USREL_2 User Administration: Relationship Between Two Objects
USREL_3 User Administration: Relationship Between Three Objects
USREL_AT User Administration: User in Relationship (with Time)
USREL_SA GUM: Assignment of Role/Position to System (Type)
USREL_UA GUM: Assignment of Role to User
USREL_US GUM: Assignment of User (Group) to System (Type)
USREL_USA User Administration: User – System – Activity Group
USREL_UT User Administration: User in Relationship (with Time)
USREL__A User Administration: System – Activity Group
USREL__S User Administration: System in Relationships
USREL__U User Administration: User in Relationship
USREXTID Assignment of External ID to Users
USREXTIDH External ID (Access Using Hash Value)
USREXTIDT Values Table for External ID Type
USREXTIDTT Values Table for External ID Type (Texts)
USRFIELD Central user maintenance: Field maintenance allowed or not
USRFLD CUA: Definition of Logical Fields
USRFLDDEF CUA: Definition of Logical Field Names of ALE Distrib. Users
USRFLDGRP CUA: Field Selection Groups
USRFLDSEL CUA: Field Attributes
USRFLDT CUA: Text Table to Define Logical Fields
USRFLDTSEL Selection of fields
USRFLDVAL CUA: Selection Criteria for Field Attributes
USRGENPRS Table for General Workplace Personalization Data
USRGETFTR Transfer Structure
USRGETSTRC Structure for user transfer
USRGIFAV iPPE Interface: Favorite
USRGIFOL iPPE Interface: Folder
USRGIPROFIL User Assignment to an iPPE Profile
USRGIPROFIL_DYNP Dialog Structure: User Assignment – iPPE Workbench
USRGIPROFIL_WTY Assign User Profile
USRGISETTINGS User Settings for the iPPE Workbench
USRGISTACK iPPE Workbench: Stack
USRINFO Extended User Info for SM04
USRINKONS Reference table for FMs for determining inconsistencies
USRLISTPROFILE Variable List Definition in PDM Environment
USRLUIPROFILE User Assignments to Profiles in the iPPE Workbench Express
USRLUIPROFILE_DYNP User Assignments to Profiles
USRLUISETTINGS User-Specific Settings of the iPPE Workbench Express
USRLUISETTINGS_DYNP User-Specific Settings for Profile
USRM0 Material Master User Settings: Screen Reference “User”
USRM1 Material Master User Settings: Organizational Levels
USRM2 User Settings for the Material Master: Logical Screens
USRM3 Material Master User Settings: Retail Organizational Levels
USRMETHOD Method to be called when distributing users
USRMM User settings: material master
USROBJECTS Table of Previous Initial Object in Structure Overview
USRPDM User-Specific Data in the PDM Environment
USRPWDHISTORY Password History
USRSETTINGS_DYNP User Settings: Navigation Tree – Dialog Structure
USRSTAMP Time Stamp for all Changes to the User
USRSYSACT CUA: Roles in Distributed Systems
USRSYSACTT CUA: Roles in Distributed Systems
USRSYSLNG User’s Language in a System
USRSYSPRF CUA: Profiles in Distributed Systems
USRSYSPRFT CUA: Profile Text in Distributed Systems
USRSYSUPL CUA: Price Lists in SAP System
USRSYSUPPL CUA: Assignment of User Types to Price Lists
USRSYSUTPA CUA: System Measurement: User Types with Attributes
USRSYSUTYP CUA: Texts for User Types in SAP System
USRSYSUZUS CUA: Texts for Special Versions
USRSYSVTYP Generated Table for View USRSYSVTYP
USRTICLASS Class Assignment for Tabular Maintenance of iPPE
USRTREECOL User-Specific Column Permutations per Array Type
USRURLPRS Table for Personalization of Services
USRURLSVR Logical Web Servers for Logical Systems (User-Specific)
USRVAR Variants for Critical Authorizations
USRVARCOM Variants of Critical Combinations of Authorizations
USRVARCOMT Short Texts for Variants of Critical Combs of Authorizations
USRVARID Part List of Variants for Critical Authorizations
USRVART Short Texts for Variants of Critical Authorizations
USRVIEWCOL User-Specific Column View
USRVIEWTAB User-specific Tabstrip View
USR_AUFK User-Defined Fields of AUFK
USR_FLAGS Various Flags for Authorization Programs
USR_FLGNT Personal User Settings / Without Transport
USR_LIST Generated Table for View USR_LIST
USR_QUERY BW Query
USR_TREESNODE Node Structure of a Simple Tree (Report SAPTREX3)
USR_VALUES Transfer structure for selection acc. to auth. values

Authorizations in SAP Transportation Management

The following table shows the authorization objects available in SAP TM.

Authorization Object Description
/SCMTMS/T8 Type of Customer Freight Invoice Request
/SCMTMS/EP Organizational Unit: Execution and Planning
/SCMTMS/T3 Type of Freight Order
/SCMTMS/T4 Type of Freight Request
/SCMTMS/MT Mode of Transportation
/SCMTMS/PY Party
/SCMTMS/PO Organizational Unit: Purchasing
/SCMTMS/SO Organizational Unit: Sales
/SCMTMS/T6 Type of Shipment Order
/SCMTMS/T1 Type of Shipment Request
/SCMTMS/T5 Type of Shipment
/SCMTMS/SU Supplier
/SCMTMS/T7 Type of Supplier Freight Invoice Request
/SCMTMS/G1 Transportation Allocation: Geographical Information
/SCMTMS/T2 Type of Transportation Booking Order
/SCMTMS/C4 Transportation Charges: Calculation Sheet
/SCMTMS/C2 Transportation Charges: Rate
/SCMTMS/C1 Transportation Charges: Scale
/SCMTMS/BO Business Object: Data Access
/SCMTMS/C3 Transportation Charges: Tariff
/SCMTMS/ID ID of a Business Object