Hi,
I need to know: is it required to give <b>SAP_ALL</b> to the <b>functional consultants' and ABAP developers' user IDs</b> that are created, or is there a different set of roles to be created? Where do I find these security best practices, so that I can implement them?
Regards
Puneet
Hi
No, it's not needed; there is a lot of security functionality they haven't got any need for, though I recognize that they need extensive access.
What I normally do is to create a developer role based on SAP_ALL. In this role I then revoke some of the more critical objects, e.g. the user management/security object, access to create RFC destinations, change system settings (S_TABU_DIS, no access to group SS and SA), go through S_ADMI_FCD, etc.
What needs to be removed from the role depends on the system, the version, your policy. My guess is that there are as many opinions on this as there are security consultants.
But keep in mind, as security is implemented in the ABAP code, your developers will nevertheless have almost full access to your entire system. Security here is more a question of "Communication" than actual security, e.g. <i>"If you haven't got access - don't do it!"</i>
Regards
Morten Nielsen
No, it is definitely not needed. Although you may end up creating a set of roles for them that has very broad access, it is still not SAP_ALL. Also, requirements for access in DEV and PRD would be different. Typically, the PRD may be display only.
Warning though - there will be quite a bit of work to create and maintain these roles. Copying SAP_ALL and turning off authorizations might be one way to go, but SAP_ALL has access to * on S_TCODE, which means any tcode can be executed - unless the associated auth objects are turned off. But there are several tcodes that do not have associated objects. I normally build a role by specifically identifying the tcodes they need - rather than a wildcard or a range of tcodes like A* to D*, etc.
It might come down to what your auditors / management will want.
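An added example (not part of any post in this thread): a small Python check for the concerns raised in the replies above, flagging wildcard or ranged S_TCODE values, S_TABU_DIS table groups SS and SA, and full S_ADMI_FCD in a role export. The CSV layout (modelled on an AGR_1251-style export), the role names and the group MA are constructed assumptions, and value matching is simplified (ACTVT is ignored).

```python
import csv
import fnmatch
import io

# Constructed sample export; columns assumed to follow an AGR_1251-style layout.
SAMPLE = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_DEV_BROAD,S_TCODE,TCD,*,
Z_DEV_BROAD,S_TABU_DIS,DICBERCLS,S*,
Z_DEV_BROAD,S_ADMI_FCD,S_ADMI_FCD,*,
Z_DEV_RANGE,S_TCODE,TCD,A*,D*
Z_DEV_LISTED,S_TCODE,TCD,SE38,
Z_DEV_LISTED,S_TCODE,TCD,SE80,
Z_DEV_LISTED,S_TABU_DIS,DICBERCLS,MA,
"""

CRITICAL_GROUPS = ("SS", "SA")  # table groups named in the thread


def covers(low, high, value):
    """Simplified value matching: LOW alone is a literal or '*' pattern,
    LOW..HIGH is an interval compared on the prefixes before any '*'."""
    if not high:
        return fnmatch.fnmatchcase(value, low)
    lo, hi = low.rstrip("*"), high.rstrip("*")
    return lo <= value and value[: len(hi)] <= hi


def audit(export_text):
    """Return (role, object, detail) tuples for values that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        role, obj, field = row["AGR_NAME"], row["OBJECT"], row["FIELD"]
        low, high = row["LOW"].strip(), row["HIGH"].strip()
        if obj == "S_TCODE" and field == "TCD" and ("*" in low or high):
            # Any tcode pattern or range, instead of explicitly listed tcodes
            findings.append((role, obj, f"wildcard/range {low}..{high}"))
        elif obj == "S_TABU_DIS" and field == "DICBERCLS":
            for grp in CRITICAL_GROUPS:
                if covers(low, high, grp):
                    findings.append((role, obj, grp))
        elif obj == "S_ADMI_FCD" and field == "S_ADMI_FCD" and low == "*":
            findings.append((role, obj, "*"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```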
Hi Puneet,
For ABAP developers we used to have the SAP standard DEVELOPER role earlier, so we framed our roles based on this one, and after a lot of effort we have differentiated the Tcodes into module customizing etc., like MM customizing, PP customizing and so on. A bit of functional effort has been spent on this role differentiation.
http://www.sapsecurityonline.com/r3_security/r3_security.htm has a bit of security concepts and would be a bit of help on a read 😉
Hope this info is helpful,
Br,
Sri
Award Points for helpful answers
The authorizations which you specified here depend on the system and also the position.
For your query, for ABAP developers you can go for:
SAP_BC_DWB_ABAPDEVELOPER - ABAP developers.
SAP_BC_DWB_PROJECT_MANAGER - Development project leader.
SAP_BC_DWB_WBDISPLAY - ABAP developer display authorization.
For functional consultants it's solely dependent on the position he holds.
Hope it helped you...
Subbu
Hi Puneet,
This can be done in another way too. If the developers need powerful transaction codes, but not in everyday usage, you can think of creating separate user IDs (for example POWER_MM, POWER_FI etc.).
This common ID could be used by that group's members, and only on approval from his manager for a specific purpose.
This way, you have much more control over the POWER ID usage. Also, auditing is easier.
Thanks,
Raj Sam
Hi friends,
One of my staff has created a company code. He wants the company code to be accessed only by four users. Is there any way that I can restrict others from accessing that company code? If yes, please tell me the steps to do that.
thanks & regards
sathi