Application Development Discussions

Last time a deleted user accessed the system

chris_hall2
Participant
0 Kudos

Is there any way of finding out when a user that has been deleted from the system last accessed the system?

I use STAT for active IDs but this does not work for inactive IDs.

Thanks,

Chris

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

Check out the link.

Regards

Rakesh

21 REPLIES 21

0 Kudos

Thanks for the link. This does not appear to help out that much as those other tables don't show the last activity date.

I have now been a frequent user of the USH02 and USH04 tables for deleted user IDs but these do not contain the last activity date.

Any other ideas?

0 Kudos

Chris

I can't understand this... when a user is deleted from the system, then how can he access the system?

Try to execute the report RSUSR200; you will find the last logon of the user, and that will confirm for you the date and time he last used the system.

Regards

Rakesh

0 Kudos

Hi Chris,

I think the answer lies in USH02.

Look closely at USH02 for the deleted user, there will be an entry of the last logged in date, including the last time.

In the last date entry, check for the user with an entry for tcode: KRNL and Program: SAPMSYST. That time stamp is the entry of the last login of the user. SAP writes this entry from USR02 to USH02 before it deletes the record for the user. USR02 will no longer have an entry, hence SUIM will not give anything against it.

USH04 will give you when the user was deleted.

Hope this helps

Cheers

Abhishek

Off to home

0 Kudos

An example being someone goes on Maternity Leave, say June 1, 2007. We then notice inactivity on the account and remove it August 1, 2007. For audit purposes we are then asked to show that this person never accessed the system between June 1 and August 1.

0 Kudos

You are awesome Abhishek. That is what I was looking for. Looking through my ADM course books I couldn't find anything on this.

That is exactly what I'm looking for.

Thanks,

Chris

0 Kudos

Alright, I think I have an issue. I'm seeing this line up for most users; however, on some of them, not even close.

I have a user that I'm seeing processed POs after the date of the KRNL appearing in the table. Why would this be?

Former Member
0 Kudos

Thanks for the information Abhishek,

I found KRNL Tcode and SAPMSYST program against a user who was deleted on, say, 01 Feb 08. But in USH04 I found that there were some changes made to the user master after the deletion date, and there is no such column in USH04 wherein you will find that the user was deleted.

But when I cross-checked in SUIM for the deleted users, I found the user was deleted on 01 Feb 08.

My question is whether checking KRNL tcode and SAPMSYST program against a user confirms that the user was deleted on that date?

Thanks

Rakesh

0 Kudos

Hi Rakesh,

Report RSUSR200 reads from USR02, which only pertains to active users.

> I found KRNL Tcode and SAPMSYST program against a user who was deleted on, say, 01 Feb 08.

> My question is whether checking KRNL tcode and SAPMSYST program against a user confirms that the user was deleted on that date?

USH02 does not tell you the date when the user was deleted. It only tells the last time the user logged in to the system.

USH04 will tell when the user was deleted. Since a user cannot log in to the system once deleted, the USH04 timestamp will be greater than USH02, i.e. the user was deleted after the last login.

Hope this clarifies

Thank you

Abhishek

0 Kudos

Thanks Abhishek

0 Kudos

It appears that the KRNL line item is in line with the last time the user changed their password and not the last logon. Am I missing something?

Thanks,

0 Kudos

Hi Chris,

Yep! You are right, it does appear to me that this is the time the last password was changed. My apologies to you both and THANK YOU Chris for correcting me. Wish I could give you points.

However, it did strike to me that this can actually be dug up using transaction STAD which is specifically for this. In STAD you can also get what transactions were run during the last logon. The last login is when SESSION_MANAGER was run. All activities can also be found.

Chris, try tcode STAD. The only problem is max read time is only 24 hours for this. So if you have a period in mind, this would work great.

Tcode STAD -> give a start date -> start time: 00:00:00 -> read time: 24:00:00

Let me know how it goes.

Thank you

Abhishek

0 Kudos

Hi, I read the thread. But I think STAD gives only LAST 24 hours details, not earlier than that.

chris_hall2
Participant
0 Kudos

Solution doesn't appear to be lining up.

0 Kudos

Yes Chris, you are right.

KRNL is for password change and the SAPMSYST program is to disable the dialog logon, and because the SAPMSYST program is edited the user is no longer able to log on to the system (hence you can say that the user no longer has access to the system).

Correct me if I am wrong.

Thanks

Rakesh.

Former Member
0 Kudos

The intended tool for this is SM20 (the Security Audit Log).

If your log and system are configured correctly, it will show you all successful logons of all types, including date and time stamps, on all servers.

Cheers,

Julius
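
The audit question from this thread (did a deleted user log on between two dates?) as a check over exported Security Audit Log entries. This is an added example, not part of the thread and not SAP code: the CSV column layout, the sample rows and the server names are constructed, and `AU1` is used as the audit message ID for a successful logon.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; the column layout is an assumption for this example.
SAMPLE_EXPORT = """date,time,server,client,user,event,text
2007-05-30,08:12:44,app01,100,JDOE,AU1,Logon successful
2007-05-31,17:02:10,app02,100,JDOE,AU1,Logon successful
2007-06-14,09:30:00,app01,100,JDOE,AU2,Logon failed
2007-07-02,10:15:21,app02,100,MSMITH,AU1,Logon successful
"""

LOGON_OK = "AU1"  # successful logon; confirm the message IDs for your release


def load_records(export_text):
    """Parse the export into dicts with a real timestamp and upper-cased user."""
    records = []
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        records.append({"ts": ts, "server": row["server"],
                        "user": row["user"].upper(), "event": row["event"]})
    return records


def audit_user(records, user, start, end, expected_servers):
    """Report the user's last successful logon, any successful logons in
    [start, end), and expected servers that contributed no log records.

    An empty 'logons_in_window' only proves absence of access when
    'servers_missing' is empty as well: the log is kept per server.
    """
    logons = sorted((r["ts"], r["server"]) for r in records
                    if r["user"] == user.upper() and r["event"] == LOGON_OK)
    seen_servers = {r["server"] for r in records}
    return {
        "last_logon": logons[-1][0] if logons else None,
        "logons_in_window": [l for l in logons if start <= l[0] < end],
        "servers_missing": sorted(set(expected_servers) - seen_servers),
    }


if __name__ == "__main__":
    result = audit_user(load_records(SAMPLE_EXPORT), "jdoe",
                        datetime(2007, 6, 1), datetime(2007, 8, 2),
                        ["app01", "app02", "app03"])
    print(result)
```
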

0 Kudos

Hi Julius,

Thanks for that

Our systems do not have the audit log enabled. So is STAD the only way out? Or do you think there is an alternative?

Thank you

Abhishek

0 Kudos

Hi Abhishek,

The usefulness of STAD / STAT / ST03N is not to be underestimated, but its usefulness for auditing is purely coincidental and not reliable. They rename, aggregate and ignore some of the data, particularly after a period of about a day, after which time only the collected statistics (configurable in ST03(N)) remain.

You could try to put logon information together again from that, but you would be wasting your time (in my opinion). You will never find the last one...

SM20 is the correct tool to use. If you need to run it for all users on all servers to get the information for deleted users, you can always recreate the user from the address data.

Cheers,

Julius

0 Kudos

So trying to get into SM20, the following error appears, "Command with status BACK is not supported" Message no. SL 161

STAD is not pulling in any information even when I know a deleted user created a PO on a specific day.

0 Kudos

You are most likely missing authorizations to read the log... S_ADMI_FCD = AUDD

(see SAP notes 1140703, 1118397 and 766771).

Cheers,

Julius

0 Kudos

Hi Julius,

Thanks for this info

Will work this approach.

Regards

Abhishek