
Authorization --- Need your advice / Options

Hi,

We want to secure military specific data in SAP.

We also want to comply with ITAR requirements.

One option is to create roles and profiles and then assign them to users who can view that data. In this approach the biggest problem is the overhead of maintaining 100s of profiles and roles. Our company does not have sufficient funds or team to do that.

Second option was to use development and here is how we envisioned it.

Maintain an indicator for foreign nationals in HR and also maintain an indicator for military personnel in HR. (We are already doing that, for some other business process.) So this table will tell us if an employee is a foreign national or military personnel.

    if military person.
      give access to military-specific data.
    else.
      error message.
    endif.

similarly

    if foreign national.
      give error message.
    else.
      let him view data.
    endif.

Now we are not sure if SAP has a common routine for authorizations, which we can change and add these conditions in it. (We will do core mod by getting access key).

If we follow this approach will we have to modify a single routine (for all SAP modules) for all master and transaction data transactions, or will it be multiple routines which we will have to modify.

We also need to cover authorization for table maintenance, transaction codes, org structure level, etc.

Can you please provide your inputs/point of view on this.

I will appreciate it if you can share any other option.

Thanks in advance.


1 Answer

  • Posted on Oct 03, 2006 at 08:45 PM

    Hello Jeet

    Your alternative approach (instead of using roles) will not work. If SAP uses function modules (FM) to check authorities you may be successful by modifying the corresponding FMs. However, most authority checks are done using the ABAP statement AUTHORITY-CHECK, e.g.:

      AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
               ID 'BUKRS' FIELD <value>
               ID 'ACTVT' FIELD <value>.

    This cannot be modified because it somehow calls kernel routines. Talking about OrgManagement, we additionally have so-called structural authorities.

    I do not see how you can govern this without using the SAP standard means.

    Talking about the costs to maintain a plethora of roles, I can give you a concrete example. Our company has developed a security suite which allows you to automatically and reproducibly generate derived roles using organisation-specific input values that are completely separated from the roles and the profile generator. We have sold this security suite to an industrial company in Switzerland which is the world-wide number 2 in its sector. They have used our tools to roll out their authority concept in about ten European subsidiaries. In numbers: several thousand users having about 2.500 derived roles (approximately 100 template roles) assigned - this quantity is currently managed by 2-3 employees.

    I did not look up the ITAR requirements but I believe that our security suite would not pass an audit (yet).

    However, if you have a well-defined authority concept (based on template roles and derived roles), well-defined input data for each separate "organization" (in our context this means a group of users that has a unique set of authorizations) and few (or even better none) exceptions like our client had, then you should be able to implement (with or without tool support) reasonable and working authorities.

    Regards

    Uwe
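
The template-role and derived-role idea from the answer above, sketched as a simplified model. This is an added example, not SAP code and not the security suite the answer mentions; the role names, organisation keys, activity values and the `$ORG` placeholder are constructed, and only `F_BKPF_BUK`, `BUKRS` and `ACTVT` come from the page.

```python
"""Simplified model of template roles and derived roles (illustration, not SAP code)."""
from itertools import product

ORG_LEVEL = "$ORG"  # hypothetical marker: field values come from organisation input

# Constructed templates: what may be done, with no organisational values inside.
TEMPLATES = {
    "T_FI_DISPLAY": {"F_BKPF_BUK": {"BUKRS": ORG_LEVEL, "ACTVT": {"03"}}},
    "T_FI_POST": {"F_BKPF_BUK": {"BUKRS": ORG_LEVEL, "ACTVT": {"01", "02", "03"}}},
}

# Constructed organisation input, maintained separately from the templates.
ORG_INPUT = {
    "CH01": {"BUKRS": {"1000"}},
    "DE01": {"BUKRS": {"2000", "2100"}},
}

def derive(template, org):
    """Return (role name, authorizations) with org-level fields filled in."""
    auths = {}
    for obj, fields in TEMPLATES[template].items():
        auths[obj] = {}
        for field, values in fields.items():
            if values == ORG_LEVEL:
                # Fail closed: a missing org value must not become "all values".
                if field not in ORG_INPUT[org]:
                    raise KeyError(f"{org}: no input for org-level field {field}")
                values = ORG_INPUT[org][field]
            auths[obj][field] = set(values)
    return f"{template}_{org}", auths

def generate_all():
    """Regenerate every derived role; the same inputs always give the same roles."""
    return dict(derive(t, o) for t, o in product(TEMPLATES, ORG_INPUT))

def is_authorized(assigned, roles, obj, **wanted):
    """True if one assigned role grants every requested field value for obj."""
    for name in assigned:
        auth = roles[name].get(obj, {})
        if auth and all(v in auth.get(f, set()) for f, v in wanted.items()):
            return True
    return False
```

Two templates and two organisations yield four derived roles; adding an organisation means adding one input record and regenerating, not hand-editing roles.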


    • Hello Jeet

      For me there is no big difference in categories like management/employees and military personnel/foreign personnel with respect to creating an authorization concept.

      I assume that ITAR requirements are quite demanding. Thus, if any tools comply with these standards I can imagine that the software vendor has tried to certify its AddOn by SAP. Therefore have a look at the partners of SAP that offer SAP-certified tools.

      Regards

      Uwe
