
SAP Authorization Generic Role for every SAP account

reza_ahoui2
Participant
0 Kudos

Hi

There is a need to create a generic authorisation role to be assigned to every SAP user (regardless of his/her job) for basic (common) tcodes such as SU53, SU56, SU3, NWBC, SO01, etc.

There is a concern with some authorisation objects within this role and if some of them would be flagged as critical permission (hence should not be given to all users but must be in specific role).

Here they are, please let me know if any (with the listed values) should not be given to all users through this generic role:

1) S_RFC and S_RFCACL with the following values:

2) S_BATCH_JOB and S_DATASET with the following values:

3) S_SPO_ACT and S_SPO_DEV with the following values:

4) S_DEVELOP with the following values:

Accepted Solutions (1)


Colleen
Advisor

Hi Reza

It might help to understand what system this is required for some of the request (e.g. even SO01 is quite old compared to SBWP... or Fiori App for My Inbox)...

Here's my view on the objects... I'd say no for most of that request if it came my way....here's the justification to help you..

S_RFC and S_RFCACL - should be appropriately restricted. S_RFC * is like a S_TCODE * for Remote Function Call execution. It is a headache to revoke once granted.

Refer to SAP Security Recommendations: Securing Remote Function Calls (RFC) https://support.sap.com/content/dam/support/en_us/library/ssp/security-whitepapers/securing_remote-f...

S_BATCH_JOB - the RELE for dummy check is required when users schedule report in background to auto release it. Without it, they have to go into SMX or SM37 and release it. Probably okay to have unless some users aren't allowed to run jobs in background

S_DATASET - must be restricted as it protects file system. At a minimum, restricting program name but also filename (filepath + filename) to prevent directory traversal attacks

Refer to Protecting SAP Applications Against Common Attacks section on Directory Traversal Attacks https://support.sap.com/content/dam/support/en_us/library/ssp/security-whitepapers/protecting-sap-ap...

SAP Note: 1497003 - Potential directory traversals in applications

S_SPO_ACT - user requires this to access other user spool. For own spool access, they don't require it. Difference between granting SP02 and SP01 as well. Have a look at the SAP documentation via SUIM > Authorisation Objects - you can read the help documentation for it and it explains the use case. Don't grant asterisk as you may grant unauthorised access to sensitive data (e.g. payroll report).

S_SPO_DEV - asterisk depends on whether you have sensitive printers (e.g. check/cheque printing) in place. Most of the customers I work with have an LOCL (local network printer) and that's the default. I'm usually restricting this to stop someone printing a 100 page report to a cheque printer forcing AP team to then cancel 100 checks, etc. Becoming less common as the technology changes

S_DEVELOP - do not grant. End users do not need S_DEVELOP access. It is a misleading authorisation check that appears in trace files.

TRANS - transaction codes

SUSO - Authorisation Object (older SAP systems may have had it in due to SU53/SU56 but should not be required).

BMFR - Application Component

DEVC - DEVC: Development classes (organizational unit for classifying development projects)

Cheers

Colleen
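The criteria in the accepted answer can be turned into a repeatable review step before such a role is assigned to everyone. The script below is an added example and is not code from the thread or from SAP: it reads authorization rows in the column layout of table AGR_1251 (role, object, field, low, high), as you would export from PFCG or SE16, and flags the values the answer calls out. The role name Z_GENERIC_ALL and the rows are constructed to resemble the request in the question; the object and field names (S_RFC/RFC_NAME, S_DATASET/PROGRAM and FILENAME, S_SPO_ACT/SPOAUTH, S_SPO_DEV/SPODEVICE, S_BATCH_JOB/JOBACTION, S_DEVELOP) are the standard SAP ones. The severity ratings are this example's own reading of the answer, not an SAP classification.

```python
"""Flag critical authorization values in a proposed generic SAP role.

Added example (not from the thread). Rows mimic AGR_1251 columns:
(role, object, field, low, high). Rules follow the accepted answer:
no S_RFC '*', no S_DEVELOP for end users, no '*' on S_DATASET program
or filename, no '*' on S_SPO_ACT (other users' spool), S_SPO_DEV '*'
needs a printer review, and S_BATCH_JOB RELE is usually acceptable.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    auth_object: str
    field: str
    value: str
    severity: str  # "critical", "review" or "ok"
    reason: str


# (object, field) -> (severity, reason) when the field value is a full '*'
WILDCARD_RULES = {
    ("S_RFC", "RFC_NAME"): ("critical", "S_RFC * is the RFC equivalent of S_TCODE *"),
    ("S_RFCACL", "RFC_USER"): ("critical", "trusted RFC logon accepted for any user"),
    ("S_RFCACL", "RFC_SYSID"): ("critical", "trusted RFC logon accepted from any system"),
    ("S_DATASET", "PROGRAM"): ("critical", "file access not tied to a program"),
    ("S_DATASET", "FILENAME"): ("critical", "unrestricted file path: directory traversal risk"),
    ("S_SPO_ACT", "SPOAUTH"): ("critical", "access to other users' spool (e.g. payroll output)"),
    ("S_SPO_DEV", "SPODEVICE"): ("review", "all output devices: check for cheque/payroll printers"),
}

# Objects that should not appear in an all-users role at all, whatever the values
OBJECT_RULES = {
    "S_DEVELOP": ("critical", "end users do not need S_DEVELOP; the SU53/trace hit is misleading"),
}


def check_role(rows):
    """Return one Finding per rule hit, in row order. Rows with no rule hit are silent."""
    findings = []
    flagged_objects = set()
    for _role, obj, field, low, high in rows:
        value = f"{low}-{high}" if high else low
        if obj in OBJECT_RULES and obj not in flagged_objects:
            flagged_objects.add(obj)  # report the object once, not per field
            severity, reason = OBJECT_RULES[obj]
            findings.append(Finding(obj, field, value, severity, reason))
        if low == "*" and (obj, field) in WILDCARD_RULES:
            severity, reason = WILDCARD_RULES[(obj, field)]
            findings.append(Finding(obj, field, value, severity, reason))
        elif obj == "S_BATCH_JOB" and field == "JOBACTION" and low == "RELE":
            findings.append(Finding(obj, field, value, "ok",
                                    "auto-release of own background jobs; fine unless some users may not run jobs"))
    return findings


def summarize(findings):
    """Count findings per severity so a role can be accepted or sent back in one glance."""
    counts = {"critical": 0, "review": 0, "ok": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def acceptable_for_all_users(findings):
    """A generic role passes only when no finding is rated critical."""
    return summarize(findings)["critical"] == 0


# Constructed sample resembling the request in the question (hypothetical role name).
SAMPLE_ROWS = [
    ("Z_GENERIC_ALL", "S_TCODE", "TCD", "SU53", ""),
    ("Z_GENERIC_ALL", "S_RFC", "RFC_TYPE", "FUGR", ""),
    ("Z_GENERIC_ALL", "S_RFC", "RFC_NAME", "*", ""),
    ("Z_GENERIC_ALL", "S_RFC", "ACTVT", "16", ""),
    ("Z_GENERIC_ALL", "S_BATCH_JOB", "JOBACTION", "RELE", ""),
    ("Z_GENERIC_ALL", "S_BATCH_JOB", "JOBGROUP", "*", ""),
    ("Z_GENERIC_ALL", "S_DATASET", "PROGRAM", "*", ""),
    ("Z_GENERIC_ALL", "S_DATASET", "ACTVT", "33", ""),
    ("Z_GENERIC_ALL", "S_DATASET", "FILENAME", "*", ""),
    ("Z_GENERIC_ALL", "S_SPO_ACT", "SPOACTION", "BASE", ""),
    ("Z_GENERIC_ALL", "S_SPO_ACT", "SPOAUTH", "*", ""),
    ("Z_GENERIC_ALL", "S_SPO_DEV", "SPODEVICE", "*", ""),
    ("Z_GENERIC_ALL", "S_DEVELOP", "DEVCLASS", "*", ""),
    ("Z_GENERIC_ALL", "S_DEVELOP", "OBJTYPE", "SUSO", ""),
]

if __name__ == "__main__":
    result = check_role(SAMPLE_ROWS)
    for f in result:
        print(f"[{f.severity:8}] {f.auth_object} {f.field}={f.value}: {f.reason}")
    print(summarize(result), "acceptable:", acceptable_for_all_users(result))
```

On the constructed sample the role fails with five critical findings (S_RFC, both S_DATASET fields, S_SPO_ACT and S_DEVELOP), one review item (S_SPO_DEV) and the S_BATCH_JOB RELE line rated ok; the S_TCODE row and the narrower S_RFC fields produce nothing. The check only looks at full wildcards, so a range such as `Z*` still needs a human eye, which is the same limitation any quick scan of a role has.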

Answers (1)


reza_ahoui2
Participant
0 Kudos

Thanks Colleen, very much appreciated your detailed answer