Skip to Content
author's profile photo Former Member
0
Former Member

values for S_ADMI_FCD

Posted on Nov 28, 2007 at 10:03 PM 2.7k Views

Hello,

I have the following immediate problem. Auditors are interested to know who has authorization object S_ADMI_FCD. I see that our users have this object via transaction code SP01. All values are selected. What values I should un-select to make sure that our users won't lose their SP01 functionality and at the same time do not compromise security.

Thanks

Galina

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

1 Answer

  • Best Answer
    author's profile photo Alex Ayers
    Alex Ayers
    Posted on Nov 28, 2007 at 10:33 PM
    2

    Hi Galina,

    Without knowing your implementation and the different roles you have, it's very hard to give a definitive answer for this. It is possible that the "all values" is providing auths for transactions other than SP01 which would normally be picked up if you had tighter restriction over this object.

    There is a fair bit of info in this link, I suggest that you go through this and identify suitable values for your actual spool uses - common ones are SP01, SP0R, SPAD depending on the status of the user. If users only need to perform functions on their own spools then SP02 allows them to do this without seeing any other spools. Bearing in mind the sensitive data that can be accessed via spools, it's good that you are tying it down. Some superusers or administrators may need to run SP01 with one or more of the above values for S_ADMI_FCD, again this is very dependent on the particular situation.

    http://help.sap.com/saphelp_40b/helpdata/en/17/174b6e5733d1118b3f0060b03ca329/content.htm

    p.s. I strongly recommend testing any changes that you make before sending it through to prod. With these types of auths, it's very easy to cause a load of problems due to inheritance of the values by other transactions.

    Message was edited by:

    Alex Ayers

    Add a comment
    10|10000 characters needed characters exceeded

    • Alex Ayers Former Member
      Nov 30, 2007 at 09:02 PM

      Hi Galina,

      The difficulty with this is that your roles and the responsibilities of your users are likely to be very different than mine. Your FICO admin could do different stuff to mine and therefore what I have may well be irrelevant. There is no absolute list as there are no absolute roles defined.

      The Basis stuff isn't too hard. You can look in the role they have and map the general activities that role performs against the functions available with S_ADMI_FCD. It is likely that if the role performs that function then it will require that value. Be careful though as there are some pretty powerful things controlled by that object.

      Your FICO admin team probably will need to some spool management, in which case SP01 and SP0R will be needed.

      ABAPers in Prod should have very limited access to start with, they may need to run traces with ST0M ST0R and SM21 values.

      Personally I wouldn't mess about with this stuff for prod access without testing it with the relevant teams and users. Your end users are probably less at risk as this is generally not an end user object, but again it depends on what you have got them doing!

      Hope that helps a bit - it's a difficult one to retrospectively fix, as are many of the S_* objects that have been wildcarded.

    Comment on This Answer

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.