cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Security practices - SolMan projects?

Former Member

on ‎01-30-2006 9:18 PM

0 Kudos

I'm trying to understand what are the best practices for setting up solution manager to control multiple teams of people defining projects that potentially can overlay or configure the same processes.

Ideally, I would like to see some clear documentation on the various authorization objects in the SAP roles (like SAP_SOL_PM_COMP, SAP_SOL_AC_COMP, etc.). I've found some of this in SAP Notes 625773 & 834534, but they do not help in explaining how I will isolate or prevent different project teams from stepping on each other.

Any help would be appreciated?

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎03-01-2006 10:25 AM
0 Kudos

hi andy

i m giving the roles of solution manager which is what u were looking for if i m not wrong

regards

Janak Mehta

Show replies
Show replies
Former Member
‎03-01-2006 4:52 PM
0 Kudos

Thank you Janak, this is useful.

I'm hoping to extend this information even more to get an understand of how to security SolMan more definitively. For example, if I establish 5 projects in solution manager I want 5 sets of each roles to control who can do what in each project. I'm looking understand what wildcards, etc. to put into what authorization objects to control (segment) the access.

Thanks, Andy.

Former Member
‎03-01-2006 5:38 PM
0 Kudos

Andy,

I just started working through this last week with the SAP_SOL_PM_COMP role. I found that the S_PROJECT and S_PROG_GEN objects are the key to restricting Project Access.

S_PROJECT update access is in the roles SAP_SOL_PROJ_ADMIN_ALL and SAP_SOL_TRAINING_EDIT. To do what I think you want to do, try this:

1) Copy SAP_SOL_PM_COMP (and sub-roles) into your customer namespace (e.g. ZZ_SAP_SOL_PM_COMP). For the ZZ_SAP_SOL_PROJ_ADMIN_ALL and ZZ_SAP_SOL_TRAINING_EDIT Change the S_PROJECT Activity to just 03 (leave Project Name *) and inactivate S_PROJ_GEN

2) Create a new role using PFCG (like ZZ_[project ID]_WRITE. Add the S_PROJECT Object and assign the Activities (ACTVT) as desired (you at least need 02, 03, 06). Add the Project Name (PROJECT_ID) you wish to have update access to (or a wild card like PROJ1*).

3) In the same role you created in 2), add the S_PROJ_GEN Object. In that object, set PROJ_FUNC to "*" and set PROJECT_ID to the same value in 2).

4) Go to SU01 and give your Project Manager the ZZ_SAP_SOL_PM_COMP and the ZZ_[project ID]_WRITE. He/she should now be able to view any project, but, update only the project(s) in the ZZ_[project ID]_WRITE role.

Hopefully this helps.

Former Member
‎03-01-2006 6:32 PM
0 Kudos

That is some really good stuff! Thanks Mike!

The next step would be to find out how to control (assign) responsibility to particular implementation and configuration content. I don't believe this is there yet. I'm hoping that we can use Solution Manager to control (assign ownership) over configuration and IMG settings. It is something that isn't practical today but needed, especially as we move toward using Solution Manager as the tool for identifying and then executing those activities. The control points do not appear to be strong enough today to address this such that I can give Solution Manager full control over the activities.

-Andy

Former Member
‎03-01-2006 6:51 PM
0 Kudos

Andy,

We're "trudging" through it also. Unfortunately (or fortunately) my experience with SAP starts with NetWeaver 2004. I don't have the R/3 background (yet). I know SOLMAN 4.0 is in ramp-up. I suspect that it will be quite different.

I have a watch on this topic, so, if you find out something related to security or access control, post a reply. I will do the same.

Ask a Question