5 Replies Latest reply on Aug 8, 2016 9:26 AM by Greg Capps

    Wildcards in security roles

    Mary Pick
    Visibility: Open to anyone



      IBM setup some of our roles for go live with wildcards for tcodes.  I am really new to security and need to find all the roles they used

      wildcards in.


      Is there a report I can run to find them?



        • 1. Re: Wildcards in security roles
          Gretchen Lindquist


          Welcome to ASUG! I Would encourage you to get some security training as soon as possible. The report you are looking for is on the Security Information System tree (SUIM). The report is S_BCE_68001423, Roles by Complex Selection Criteria.

          Try this query:


          5-9-2016 2-05-51 PM.png

          Good luck!


          • 2. Re: Wildcards in security roles
            Greg Capps

            Depending on how they performed the activity and the multiple meanings of * when you search you may prefer to review table AGR_1251 directly selecting a single value of *.  Too bad the SUIM reports do not allow the selection options like a table display.  Since you would do this in development, there should be no issues to identify the roles with direct table access.



            The selection will returns a list like this:


            If your consultants delivered poor quality, they should remediate this for free as using * for S_TCODE has never been best practice for production roles.

            • 3. Re: Wildcards in security roles
              Mary Pick

              Hi Greg,


              Is there any way to see what the users did when they had the wide open roles?  Internal auditor wants to see what tcodes they were accessing each day.


              Thank you for your help. 


              • 4. Re: Wildcards in security roles
                Mary Pick

                Thanks Gretchen,


                We are looking into more training.  It was just hard to do much before go live with a full 65+ hour week in the old job role and trying to take on a full time new role job with no backup for me.


                Thanks for your help.



                • 5. Re: Wildcards in security roles
                  Greg Capps

                  I should have responded sooner but not sure if you got your answer.  Yes, there are multiple ways to determine what transactions were executed and it depends on your system settings and environment.  Depending on your system settings, the system statistics track all transaction activity.  In the statistics this data is summarized into a monthly bucket so the number of times a transaction was executed and by whom is tracked per month.  If you also have GRC Access Control, these statistics can be pulled in detail into GRCACTUSAGE table.  This is a full audit trail with every execution with time stamps by user.  If you do not have GRC, your BASIS team should be able to show you how ST03N works.