Former Member

Authorization/roles required for post processing & source system restores

Audit would like for basis team members to perform refreshes and source system restores without the use of sap_all or sap_new profiles. We have on many occasions attempted this with a custom profile, but we always find some new issue where we did not have the security required to perform these tasks. I would like to find out how other sites perform these tasks and whether they have perfected a role or if they use the sap_all and sap_new profiles in order to accomplish these tasks.


2 Answers

  • Posted on Dec 20, 2006 at 09:45 AM

    Hi Terasa

    I know that auditors don't like SAP_ALL and to some extent they are right, nobody should have SAP_ALL. On the other hand you won't be able to efficiently limit the access for your SAP Basis guys, they will always need access to your tables, ABAP, system level.

    What I have often done is to create a role for SAP BASIS based on SAP_ALL. I have then removed the access to a few very critical elements (e.g. Debug with replace, access to grant SAP_ALL to a user etc). Depending on the level of knowledge of your auditors, this might get them off your back (But don't fool yourself into believing that you have efficiently improved your security level).

    As an "add-on", it could be a good idea to formalize this, e.g. create a document for your basis guys and your system owners to sign, stating that they have got this role/access level, that they are aware of the extended responsibilities that go with this level of access, and that it has been approved by the system owners.

    At the end of the day, the purpose of your SAP Implementation isn't to have a secure implementation, it's to efficiently support your business - So if you do not trust your basis guys - get somebody else in.


    Morten Nielsen
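To make the "SAP_ALL minus a few critical elements" approach checkable rather than taken on faith, here is a small Python script, added as an example for this thread and not code from the thread's participants or from SAP. It scans a flattened role export (one authorization field value per row, a constructed sample below) and flags authorizations that still grant the elements Morten names: debug with replace (S_DEVELOP with ACTVT 02 and OBJTYPE DEBUG) and the ability to assign SAP_ALL (S_USER_PRO with ACTVT 22 and PROFILE SAP_ALL). The export layout and the exact list of critical combinations are this example's own assumptions; the objects and field values are real SAP authorization objects, but a site would extend the list to its own definition of "critical".

```python
"""Flag critical authorizations left in a SAP_ALL-derived Basis role.

Added example for this thread, not code from the original posts.
The row layout below is a constructed stand-in for a flattened PFCG
export; which combinations count as "critical" is this example's
own assumption and should be extended per site.
"""
from collections import defaultdict

# Constructed sample: (authorization object, authorization name, field, value)
SAMPLE_ROLE_EXPORT = [
    ("S_DEVELOP", "T-BASIS01", "ACTVT", "02"),      # change
    ("S_DEVELOP", "T-BASIS01", "OBJTYPE", "DEBUG"), # -> debug with replace
    ("S_DEVELOP", "T-BASIS01", "DEVCLASS", "*"),
    ("S_DEVELOP", "T-BASIS02", "ACTVT", "03"),      # display only
    ("S_DEVELOP", "T-BASIS02", "OBJTYPE", "*"),
    ("S_USER_PRO", "T-BASIS03", "ACTVT", "22"),     # assign profile
    ("S_USER_PRO", "T-BASIS03", "PROFILE", "*"),    # any profile, so SAP_ALL too
    ("S_TABU_DIS", "T-BASIS04", "ACTVT", "02"),
    ("S_TABU_DIS", "T-BASIS04", "DICBERCLS", "*"),
]

# Critical combinations: (object, {field: flagged values}, description).
# An authorization is flagged only if EVERY listed field is covered.
CRITICAL = [
    ("S_DEVELOP", {"ACTVT": {"02"}, "OBJTYPE": {"DEBUG"}}, "debug with replace"),
    ("S_USER_PRO", {"ACTVT": {"22"}, "PROFILE": {"SAP_ALL"}}, "can assign SAP_ALL profile"),
    ("S_USER_AGR", {"ACTVT": {"22"}, "ACT_GROUP": {"*"}}, "can assign any role"),
]


def group_authorizations(rows):
    """Flattened rows -> {(object, auth_name): {field: {values}}}."""
    auths = defaultdict(lambda: defaultdict(set))
    for obj, auth_name, field, value in rows:
        auths[(obj, auth_name)][field].add(value)
    return auths


def field_covers(values, flagged):
    """True if any maintained value grants a flagged value.

    A full wildcard '*' covers everything, which is why a role
    derived from SAP_ALL needs this check field by field."""
    return any(v == "*" or v in flagged for v in values)


def find_critical(rows, critical=CRITICAL):
    """Return sorted (authorization name, description) pairs for every
    authorization in the export that still grants a critical combination."""
    findings = []
    for (obj, auth_name), fields in group_authorizations(rows).items():
        for crit_obj, required, description in critical:
            if obj != crit_obj:
                continue
            if all(field_covers(fields.get(f, set()), flagged)
                   for f, flagged in required.items()):
                findings.append((auth_name, description))
    return sorted(findings)


if __name__ == "__main__":
    for auth_name, description in find_critical(SAMPLE_ROLE_EXPORT):
        print(f"{auth_name}: {description}")
```

On the sample, T-BASIS01 is reported for debug with replace and T-BASIS03 for being able to assign SAP_ALL (its PROFILE field is a wildcard), while T-BASIS02 (display-only S_DEVELOP) and the S_TABU_DIS authorization are not; the same check re-run after each PFCG change gives the auditors something concrete to look at.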


  • Former Member
    Posted on Dec 20, 2006 at 10:05 AM

    Another approach which might help is to tell them that they can keep their additional application access during restores and client copies etc, but their activities are logged in the security audit log (SM19) and are reviewed periodically.

    They might expect that access to the security audit log (SM20) should be restricted if data on them is there... then you have got them going in the right direction already 😉
