Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
Authorization/roles required for post-processing & source system restores

Former Member
0 Kudos

Audit would like basis team members to perform refreshes and source system restores without the use of the SAP_ALL or SAP_NEW profiles. We have on many occasions attempted this with a custom profile, but we always find some new issue where we did not have the security required to perform these tasks. I would like to find out how other sites perform these tasks and whether they have perfected a role, or whether they use the SAP_ALL and SAP_NEW profiles in order to accomplish these tasks.

2 REPLIES

morten_nielsen
Active Contributor
0 Kudos

Hi Terasa

I know that auditors don't like SAP_ALL, and to some extent they are right: nobody should have SAP_ALL. On the other hand, you won't be able to efficiently limit the access of your SAP Basis guys; they will always need access to your tables, ABAP and system level.

What I have often done is to create a role for SAP Basis based on SAP_ALL. I have then removed the access to a few very critical elements (e.g. debug with replace, access to grant SAP_ALL to a user, etc.). Depending on the level of knowledge of your auditors, this might get them off your back (but don't fool yourself into believing that you have effectively improved your security level).

As an "add-on", it could be a good idea to formalize this, e.g. create a document for your basis guys and your system owners to sign, stating that they have got this role/access level, that they are aware of the extended responsibilities that go with this level of access, and that it has been approved by the system owners.

At the end of the day, the purpose of your SAP implementation isn't to have a secure implementation, it's to efficiently support your business. So if you do not trust your basis guys, get somebody else in.

Regards

Morten Nielsen
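The approach above, a Basis role derived from SAP_ALL with a few critical elements cut out, is only as good as the check that those elements are really gone after every role change. The Python below is an added example, not code from the thread or from SAP: it models role authorization lines the way they sit in table AGR_1251 (role, object, authorization name, field, low/high value) and searches for the two elements Morten names. The object and field mappings (S_DEVELOP with OBJTYPE=DEBUG and ACTVT=02 for debug with replace, S_USER_PRO with PROFILE=SAP_ALL and ACTVT=22 for assigning SAP_ALL), the role names and the sample lines are assumptions constructed for illustration; verify the mappings against your own system before relying on them.

```python
"""Flag critical authorizations that a SAP_ALL-derived Basis role should not keep.

Added example (not from the thread or SAP). Input lines mimic table AGR_1251;
the object/field mappings in CRITICAL are assumptions to verify on your system.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthLine:
    """One authorization field value of a role, as stored in AGR_1251."""
    role: str
    obj: str     # authorization object, e.g. S_DEVELOP
    auth: str    # authorization (instance) name that groups the fields
    field: str
    low: str
    high: str = ""


# Assumed mappings of the two elements named in the post:
#   debug_with_replace: S_DEVELOP, OBJTYPE=DEBUG, ACTVT=02 (change in debugger)
#   assign_sap_all:     S_USER_PRO, PROFILE=SAP_ALL, ACTVT=22 (assign profile)
CRITICAL: Dict[str, Dict[str, str]] = {
    "debug_with_replace": {"obj": "S_DEVELOP", "OBJTYPE": "DEBUG", "ACTVT": "02"},
    "assign_sap_all": {"obj": "S_USER_PRO", "PROFILE": "SAP_ALL", "ACTVT": "22"},
}


def value_covered(entries: List[Tuple[str, str]], wanted: str) -> bool:
    """True if any (low, high) entry covers `wanted`: '*', prefix wildcard,
    interval (lexicographic, as PFCG compares) or exact value."""
    for low, high in entries:
        if low.endswith("*") and wanted.startswith(low[:-1]):
            return True
        if high and low <= wanted <= high:
            return True
        if low == wanted:
            return True
    return False


def find_critical(lines: List[AuthLine]) -> Dict[str, List[str]]:
    """Return {role: [pattern names]} for every pattern fully covered by ONE
    authorization. Grouping by authorization name matters: a role holding
    DEBUG/03 in one S_DEVELOP authorization and PROG/02 in another does not
    have debug with replace, although a per-object merge would say it does."""
    grouped: Dict[Tuple[str, str, str], Dict[str, List[Tuple[str, str]]]] = {}
    for ln in lines:
        fields = grouped.setdefault((ln.role, ln.obj, ln.auth), {})
        fields.setdefault(ln.field, []).append((ln.low, ln.high))

    findings: Dict[str, List[str]] = {}
    for name, pat in CRITICAL.items():
        for (role, obj, _auth), fields in grouped.items():
            if obj != pat["obj"]:
                continue
            wanted = {f: v for f, v in pat.items() if f != "obj"}
            if all(value_covered(fields.get(f, []), v) for f, v in wanted.items()):
                findings.setdefault(role, []).append(name)
    return findings


# Constructed sample roles (not real role data).
SAMPLE: List[AuthLine] = [
    # Straight copy of SAP_ALL: every field is '*'.
    AuthLine("Z_BASIS_COPY", "S_DEVELOP", "T-0001", "OBJTYPE", "*"),
    AuthLine("Z_BASIS_COPY", "S_DEVELOP", "T-0001", "ACTVT", "*"),
    AuthLine("Z_BASIS_COPY", "S_USER_PRO", "T-0002", "PROFILE", "*"),
    AuthLine("Z_BASIS_COPY", "S_USER_PRO", "T-0002", "ACTVT", "*"),
    # Debugger display only, full development on PROG/FUGR, only Z* profiles.
    AuthLine("Z_BASIS_RESTRICTED", "S_DEVELOP", "T-0003", "OBJTYPE", "DEBUG"),
    AuthLine("Z_BASIS_RESTRICTED", "S_DEVELOP", "T-0003", "ACTVT", "03"),
    AuthLine("Z_BASIS_RESTRICTED", "S_DEVELOP", "T-0004", "OBJTYPE", "PROG"),
    AuthLine("Z_BASIS_RESTRICTED", "S_DEVELOP", "T-0004", "OBJTYPE", "FUGR"),
    AuthLine("Z_BASIS_RESTRICTED", "S_DEVELOP", "T-0004", "ACTVT", "*"),
    AuthLine("Z_BASIS_RESTRICTED", "S_USER_PRO", "T-0005", "PROFILE", "Z*"),
    AuthLine("Z_BASIS_RESTRICTED", "S_USER_PRO", "T-0005", "ACTVT", "*"),
    # Debug fixed, but a profile interval still covers SAP_ALL.
    AuthLine("Z_BASIS_RANGE", "S_DEVELOP", "T-0006", "OBJTYPE", "DEBUG"),
    AuthLine("Z_BASIS_RANGE", "S_DEVELOP", "T-0006", "ACTVT", "03"),
    AuthLine("Z_BASIS_RANGE", "S_USER_PRO", "T-0007", "PROFILE", "SAP_A", "SAP_Z"),
    AuthLine("Z_BASIS_RANGE", "S_USER_PRO", "T-0007", "ACTVT", "22"),
]

if __name__ == "__main__":
    for role, hits in sorted(find_critical(SAMPLE).items()):
        print(f"{role}: {', '.join(hits)}")
```

Run against a real export of AGR_1251 for the Basis role (SE16 or a query on the table), and extend CRITICAL with whatever else your site treats as critical; the check only finds the patterns it is told about, and as Morten says, a role that passes it is still far from least privilege.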

Former Member
0 Kudos

Another approach which might help is to tell them that they can keep their additional application access during restores and client copies etc., but that their activities are logged in the security audit log (SM19) and are reviewed periodically.

They might expect that access to the security audit log (SM20) should be restricted if data on them is there... then you have got them going in the right direction already.