Store Customizing (ABAP)
Store Customizing can be used for activating and custom-tailored filtering of pre-configured config stores. The feature is currently available for all ABAP systems.
Store Customizing is a well-known feature from SAP Solution Manager Configuration Validation that has been rebuilt in SAP Focused Run. It addresses the need to collect user and authorization data for various aspects that play an important role in security and compliance validations. Because of the large amount of data that can be associated with roles and authorizations, we recommend limiting data collection to what is needed for the specific purpose. While this is likely already a requirement from a GDPR perspective, it is also recommended for optimal performance and for capacity, sizing and license considerations.
Below you find a list of the customizing types that are available with Store Customizing (each item is listed with "Name" and "TECHNICAL NAME"). Each customizing type corresponds to its own extractor and config store. Data collection for the customizing types is independent of each other and may include partially redundant data.
Enter role names or role name patterns with * as wildcard.
Roles that have ACTVT 08 or 09 assigned are collected.
Background: "Roles made for 3rd users must not contain ACTVT 08 or 09"
Enter Profiles e.g.
SAP_ALL
SAP_NEW
S_TCD_ALL
Collects users that have the specified authorization profile(s) assigned.
Enter role names or role name patterns with * as wildcard.
Collects roles with authorizations regarding the object P_ABAP.
Enter role names or role name patterns with * as wildcard.
This customizing selects roles <pattern*> with a display authorization (ACTVT 03).
Optionally, it is possible to add another ACTVT, e.g. 16, and collect the roles starting with ZSAP:
Parameter | Value |
---|---|
ACTVT | 03,16 |
ROLE0001 | ZSAP* |
Role names or role name patterns of roles having INFTY:
Object | Fieldname | From |
---|---|---|
P_PERNR | INFTY | * |
or Y_ORIGIN | INFTY | * |
or PLOG | INFTY | * |
Enter Check ID (character field length 30), Role Pattern and User Pattern.
Collects roles of a user pattern or all users of a role pattern.
It is also possible, and recommended, to get the number of users that fit a user pattern instead of the user IDs.
'User pattern': A dedicated user or a user pattern can be used here.
For counting the number of users, enter <COUNT *>,
e.g. the number of users starting with a C assigned to roles starting with ZSAP:
Check ID | Role Pattern | User Pattern |
---|---|---|
ZSAP_ROLE_USER | ZSAP* | <COUNT C*> |
Collects roles according to the authorizations defined in the customizing.
The 'Combination ID' represents one authorization check and is used as the result key in the content structure of the Config Store. The boolean result of the 'Combination ID' is the logical 'AND' combination of its 'Authorization IDs'. In most cases it is not required to use more than one 'Authorization ID'.
The boolean result of an 'Authorization ID' is the logical 'AND' combination of its 'Groups'.
Each 'Group' is either an 'AND' or an 'OR' group. This is defined by the setting in the column 'AND/OR'. Within an 'AND Group', all equal 'Objects' are treated as one and combined with the other 'Groups' of the 'Authorization ID'. In contrast, each record of an 'OR Group' is combined on its own with the other 'Groups' of the 'Authorization ID'.
The following example collects roles that have authorization for all RFC destinations and transaction SM59. Because different Authorization IDs are used, the authorizations might be provided by different profiles.
Combination ID | Authorization ID | Group | Object | Field Name | From | To | AND/OR |
---|---|---|---|---|---|---|---|
ADMIN_RFC | SRFCADM | DEST | S_RFC_ADM | RFCDEST | #* | | AND |
ADMIN_RFC | SRFCADM | TYPE | S_RFC_ADM | RFCTYPE | #* | | AND |
ADMIN_RFC | STCODE | TCD | S_TCODE | TCD | SM59 | | AND |
The technical names of the columns are
COMB_ID | AUTH_ID | AUTH_GROUP | OBJECT | FIELD | LOW | HIGH | SEARCHTYPE |
Enter a short text as Parameter and a role pattern as Value, e.g.
Parameter | Value |
---|---|
ROLE0001 | ZSAP* |
Collects roles that have an individual organization element (LOW field content $% of table AGR_1251).
Enter a short text as Parameter and a role pattern as Value, e.g.
Parameter | Value |
---|---|
ROLE0001 | ZSAP* |
Collects roles and their VARBL that have a generic organization element (LOW field content * of table AGR_1252).
Enter a short text as Parameter and a role pattern as Value, e.g.
Parameter | Value |
---|---|
ROLE0001 | ZSAP* |
Collects roles with names starting with ZSAP.
Enter a short text as Parameter and a role pattern as Value, e.g.
Parameter | Value |
---|---|
ROLE0001 | ZSAP* |
Collects roles with names according to the customizing that provide authorization to display the content of tables, checking:
S_TABU_DIS
DICBERCLS PC, PS, PCDS
ACTVT *
Enter a short text as Parameter and a role pattern as Value, e.g.
Parameter | Value |
---|---|
ROLE000001 | ZSAP* |
Collects roles with names according to the customizing that provide authorization to display the content of tables, checking:
S_TCODE
TCD SE*
Optional: Add transactions like SE03 or SE80 to the customizing:
LOW0000001 SE80
LOW0000002 SE03
This makes the collector collect roles having S_TCODE TCD SE80 or SE03.
Enter the name of a table or pattern as Table Name e.g.
Table Name
USR*
Delivers the assigned authorization classes (CCLASS of table TDDAT) of customizing table patterns, e.g. of the tables starting with USR
Enter the name of a transaction as Transaction Code e.g.
Transaction Code
PFCG
Delivers the users having authorization for the transaction defined in the customizing,
e.g. users having authorization for PFCG
(S_TCODE TCD = PFCG)
Collects users according to the authorizations defined in the customizing.
The 'Combination ID' represents one authorization check and is used as the result key in the content structure of the Config Store. The boolean result of the 'Combination ID' is the logical 'AND' combination of its 'Authorization IDs'. In most cases it is not required to use more than one 'Authorization ID'.
The boolean result of an 'Authorization ID' is the logical 'AND' combination of its 'Groups'.
Each 'Group' is either an 'AND' or an 'OR' group. This is defined by the setting in the column 'AND/OR'. Within an 'AND Group', all equal 'Objects' are treated as one and combined with the other 'Groups' of the 'Authorization ID'. In contrast, each record of an 'OR Group' is combined on its own with the other 'Groups' of the 'Authorization ID'.
The following example collects users that have authorization for all RFC destinations and transaction SM59. Because different Authorization IDs are used, the authorizations might be provided by different profiles.
Combination ID | Authorization ID | Group | Object | Field Name | From | To | AND/OR |
---|---|---|---|---|---|---|---|
ADMIN_RFC | SRFCADM | DEST | S_RFC_ADM | RFCDEST | #* | | AND |
ADMIN_RFC | SRFCADM | TYPE | S_RFC_ADM | RFCTYPE | #* | | AND |
ADMIN_RFC | STCODE | TCD | S_TCODE | TCD | SM59 | | AND |
The technical names of the columns are:
COMB_ID | AUTH_ID | AUTH_GROUP | OBJECT | FIELD | LOW | HIGH | SEARCHTYPE |
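The AND/OR evaluation described for the role-based and the user-based authorization combinations, modelled in Python as an added example (not SAP code and not the collector's implementation). It assumes the simplest reading of the rules: an 'AND' group needs all of its records, an 'OR' group needs one, `#*` asks for the value `*`, and a granted wildcard covers a concrete value; `ROLES`, its role names and all function names are constructed for illustration.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Page's example rows: (COMB_ID, AUTH_ID, AUTH_GROUP, OBJECT, FIELD, LOW, HIGH, SEARCHTYPE)
CUSTOMIZING = [
    ("ADMIN_RFC", "SRFCADM", "DEST", "S_RFC_ADM", "RFCDEST", "#*", "", "AND"),
    ("ADMIN_RFC", "SRFCADM", "TYPE", "S_RFC_ADM", "RFCTYPE", "#*", "", "AND"),
    ("ADMIN_RFC", "STCODE", "TCD", "S_TCODE", "TCD", "SM59", "", "AND"),
]

# Constructed sample data: role (or user) -> granted (object, field, value).
ROLES = {
    "ZSAP_RFC_ADMIN": {("S_RFC_ADM", "RFCDEST", "*"),
                       ("S_RFC_ADM", "RFCTYPE", "*"),
                       ("S_TCODE", "TCD", "SM59")},
    "ZSAP_RFC_LIMITED": {("S_RFC_ADM", "RFCDEST", "Z*"),
                         ("S_RFC_ADM", "RFCTYPE", "*"),
                         ("S_TCODE", "TCD", "SM*")},
    "ZSAP_NO_TCODE": {("S_RFC_ADM", "RFCDEST", "*"),
                      ("S_RFC_ADM", "RFCTYPE", "*")},
}


def record_matches(grants, obj, field, low):
    """True if a granted value for obj/field covers the customized LOW value."""
    held = [v for (o, f, v) in grants if o == obj and f == field]
    if low == "#*":  # assumption: '#*' asks for the full authorization '*'
        return "*" in held
    return any(fnmatchcase(low, v) for v in held)  # held 'SM*' covers 'SM59'


def evaluate(grants, rows):
    """Return {COMB_ID: bool} for the grants of one role or user."""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for comb, auth, group, obj, field, low, _high, searchtype in rows:
        tree[comb][auth][group].append((searchtype, record_matches(grants, obj, field, low)))
    return {
        comb: all(                      # Combination ID: AND of Authorization IDs
            all(                        # Authorization ID: AND of its Groups
                (any if recs[0][0] == "OR" else all)(hit for _, hit in recs)
                for recs in groups.values())
            for groups in auths.values())
        for comb, auths in tree.items()
    }


def collect(principals, rows, comb_id):
    """Names whose grants make the Combination ID evaluate to true."""
    return sorted(n for n, g in principals.items() if evaluate(g, rows).get(comb_id))
```

With the sample data, only `ZSAP_RFC_ADMIN` is collected for `ADMIN_RFC`: the limited role lacks the full RFCDEST value and the third role has no S_TCODE grant.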
Enter Check ID (character field length 30), User Pattern and User Type, e.g.
Check ID | User Name | User Type |
---|---|---|
BASISUSER | *BC* | DIALOG |
Collects users by the pattern and user type specified in the customizing.
To set up an extractor with Store Customizing, the following steps need to be performed:
No | Step | Description |
---|---|---|
1 | Run Administration and then Template Configuration | Get a list of defined templates. |
2 | Perform Store Customizing | Create a customizing and define the patterns for the collected data in the Template Configuration of CSA Template Management. The Id (Custumizing_ID) is needed to define a store template. |
3 | In Template Management Create Store Collector Item (SCI) | Press + (Add) to create a new item. Confirm to use the wizard. Select the Template Type and enter the Required Parameters including the Custumizing_ID. Confirm. A Collector Item (i.e. an XML definition) is added in CSA Template Management. |
4 | Configure Extractor Items | The CSA collector frame configures new collector items automatically within 1 hour. The configurations can also be started manually in the CSA Administration by the button 'Setup' or by re-performing the Managed System Setup. |
5 | Validate Extractor Setup | Check the collector status in CSA Administration for errors and warnings. |