
Transporting Roles - Best Practices?

santiobejero
Participant
0 Kudos

Dear All,

I have been practicing SAP Security for almost 4 years now. I want to know if you have any SAP-provided documents or SAP Notes which describe the proper and best way of transporting roles in an ABAP-based system. What I commonly do right now depends on the specific security change being made. I am citing a few examples:

1. Addition of transaction codes to roles - I include all the derivatives including the parent role in the transport request.

2. Addition of Organizational Values to Organizational Units - I still include all the derivatives and the parent role in the transport request.

I spoke to a colleague of mine who is working on a separate engagement, who told me that in example no. 2 you should only transport the role you have modified in the transport request.

Hoping someone can share anything about transporting roles; SAP-provided documents would be a big help!

Thanks in advance.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Best Practices for Roles Transport in AS ABAP system

Guidelines for role transports

1. Single role

For a single role change, transport in the standard way.

2. Parent and Child roles

For parent and child roles different scenarios are:

Scenario-1. Addition of T-code and Authorization Object

We are adding a T-code in the parent role and distributing it to all child roles. In this case we will create a transport for the parent and all child roles. (If we are putting in all child roles, the parent role gets added automatically.)

Scenario-2. Addition of Org Level in Child Role.

A child role, as per the mechanism, is only for org level maintenance, so when we are making changes to the org level of any child role we can transport only that child role. Again, that child role will call the parent role into the transport automatically.

Imp Note: To avoid confusion and misbehavior in the case of a large number of parent and child role changes, we should include all child roles in the transport.

3. Composite and Single roles

For Single and composite roles different scenarios are:

Scenario-1. Addition of T-code and Authorization Object.

A T-code or authorization object added to a single role which is part of a composite role can be added individually to the transport.

Scenario-2. Creation of new single role and adding to existing composite role.

We have created a new role and added it as part of a composite role. In this case we need to add the single role and also the composite role to the transport without checking the option Also Transport Single Roles from Composite Roles.

Scenario-3. Creation of new composite and all its new single roles.

We have created a new role and added it as part of a composite role. In this case we need to add the composite role to the transport without checking the option Also Transport Single Roles from Composite Roles. This option will take all its single roles.

Scenario-4. Adding or deleting existing single role in composite role.

In this case we need to add only the composite role, without checking the check box Also Transport Single Roles from Composite Roles.

Scenario-5. Composite roles of BW system

In a BW system, composite roles always need to be moved without checking the check box Also Transport Single Roles from Composite Roles, as in BW there are roles which are supposed to be editable by the query designer and administrator directly in production. They add new queries to the role menu on a daily basis, which they do not maintain in Dev and Test, and a composite transported with the option Also Transport Single Roles from Composite Roles checked will spoil the roles.
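A pre-release check for the parent and child (derived) role scenarios above, as an added example that is not part of the original thread or any SAP tool: it compares the roles planned for a transport request with the set those scenarios call for and reports the ones left out. The role names, the change-type labels and the function names are constructed for illustration.

```python
# Added example: role names and change-type labels are constructed.

# Derived (child) role -> parent role, as maintained in the development system.
PARENT_OF = {
    "Z_FI_AP_CLERK_1000": "Z_FI_AP_CLERK",
    "Z_FI_AP_CLERK_2000": "Z_FI_AP_CLERK",
    "Z_FI_AP_CLERK_3000": "Z_FI_AP_CLERK",
}

MENU_OR_AUTH = "menu_or_auth"  # transaction or authorization value changed
ORG_LEVEL = "org_level"        # only organizational level values changed


def role_family(role, parent_of=PARENT_OF):
    """Return (parent, children) for a role; a plain single role has no children."""
    parent = parent_of.get(role, role)
    children = {c for c, p in parent_of.items() if p == parent}
    return parent, children


def required_roles(changes, parent_of=PARENT_OF):
    """Roles that must be entered in the transport for (role, change_type) pairs."""
    required = set()
    for role, kind in changes:
        parent, children = role_family(role, parent_of)
        if kind == MENU_OR_AUTH:
            # Scenario-1: parent plus every derived role, so none goes out of sync.
            required.add(parent)
            required.update(children)
        elif kind == ORG_LEVEL:
            # Scenario-2: only the changed role needs to be entered; the answer
            # above states that the parent is pulled into the transport with it.
            required.add(role)
        else:
            raise ValueError(f"unknown change type: {kind!r}")
    return required


def missing_from_transport(changes, planned, parent_of=PARENT_OF):
    """Sorted list of roles the scenarios require but the planned transport lacks."""
    return sorted(required_roles(changes, parent_of) - set(planned))


if __name__ == "__main__":
    changes = [("Z_FI_AP_CLERK", MENU_OR_AUTH), ("Z_FI_AP_CLERK_2000", ORG_LEVEL)]
    planned = ["Z_FI_AP_CLERK", "Z_FI_AP_CLERK_2000"]
    print(missing_from_transport(changes, planned))
```

An empty result means the planned role list covers the changes; any name returned is a derived role that would reach the target system out of step with its parent.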

4 REPLIES

alper_somuncu
Active Participant

Hi Santi,

You can transport the authorization components, roles and user master records between the SAP systems or between clients within an SAP system.

Please have a look at Transporting and Distributing Roles - Identity Management - SAP Library document for more information.

If you want to transport manually created profiles, then Transporting Manually-Created Profiles - Identity Management - SAP Library document would be helpful. For transporting manually created roles, check Transporting Manually-Created Authorizations - Identity Management - SAP Library document.

There are also some other useful documents in the library: Role Administration Functions - Identity Management - SAP Library.

BR,

Alper Somuncu

0 Kudos

Hi Alper,

Thanks for the great links from SAP Library. I want to find a specific document on what the standards are for transporting roles based on the changes you have made to them. As I have said, please see the examples below:

1. Addition of transaction codes to roles - I include all the derivatives including the parent role in the transport request.

2. Addition of Organizational Values to Organizational Units - I still include all the derivatives and the parent role in the transport request.

Is this the correct approach or not? Is there deeper technical reasoning behind the examples above?

Hope you can clarify further.

Regards,

Santi

0 Kudos

Hi,

There are pros and cons to both approaches.  I take the view that it is dependent on the change & you'll struggle to find an authoritative documented source on it.

As you are using derived roles then absolutely transport everything if you add/remove a transaction or change an auth field value.  If you don't your derived roles will get out of sync and you'll start getting error flags.

If you are just changing an org level then you are not affecting any of the other roles that belong to that parent. Transporting the single role is more than acceptable. Your current process won't cause any harm but it will take more time & depending on your release there may be user compare shenanigans required.

Cheers
