Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to identify if a role is read or write in SAP R/3 ?

LuizCarvalho
Explorer

‎03-21-2024 3:52 PM

0 Kudos

Hello, 

Good day!

I have a questions regarding the SAP security.

I´m new in the world of Roles and Authoruizaions and I got a request to extract a report showing the module, scope and if the role is read/write.

Is that a program or a table that I can seek this kind of information ? My team is not the one that create the roles.

Best Regards,

Labels:
4 REPLIES 4

matt
Active Contributor

‎03-22-2024 8:48 AM

Check the activity? ACTVT is typically 01 for create, 02 for change and 03 for display.

But it's arbitrary - any field could be used, and any value, since it's mostly handled via an ABAP statement checking for a particular field/value.

LuizCarvalho
Explorer
In response to matt

‎03-22-2024 9:47 AM

0 Kudos

Hello Matt, 

Thank you for your input. I thought about that but I´m not able to search in SUIM in Roles by Complex  Selection criteria using the ACTVT as an authorization Object. I get the message below:

Object ACTVT does not exist

Message no. 01128

raymond_giuseppi
Active Contributor
In response to LuizCarvalho

‎03-22-2024 12:24 PM - edited ‎03-22-2024 3:37 PM

ACTVT isn't an authorization object , it's a, frequently used, authorization field

Look within SU21 on some authorization objects

raymond_giuseppi_0-1711104836728.png

raymond_giuseppi_0-1711110178503.png

SUIM can only filter in this activity for an explicit autorization object (every object doesn't contain it)

Roles - By Authorization Values

raymond_giuseppi_0-1711121823773.png

So

  • Did you already execute a SQL trace on PFCG or SUIM to get a list of relevant tables ?
  • Allowed values for activity are in table TACT (identify activity of "update" type)
  • Search forum to find thread such as To find all activities possible in a role 

jmodaal
Active Contributor

‎03-22-2024 1:22 PM

Hello,

in addition to the answer from @matt, viewing the table AGR_1251 might be useful for your needs (AGR_1251 contains the authorization values of roles). In SUIM you can search roles for a single field value only, so you have to execute a search for ACTVT 01, another one for ACTVT 02 and so on. In SE16 you can do this in a single task. 

Kind regards

Jan