
Project Team System Authorization Standards

Former Member
0 Kudos

Hi,

I am a new guy to security. We are in the preparation phase (Technical requirements design) of the implementation project.

I want to prepare documentation for "authorisation standards for project team", and I have to define standards and policies for creating user master records for project team members.

Please kindly suggest and provide some documentation regarding authorisation standards and roles of the project team.

Thanks in advance

Ramesh

6 REPLIES 6

jurjen_heeck
Active Contributor
0 Kudos

Hello Ramesh,

I find this a very strange request, particularly the part where you want documentation about the roles of the project team.

How can we (here on the forum) even guess how the project team (at your project) is composed and what the various tasks are?

Authorizations have to follow organizational requirements, not only in production but also in the project phase.

These requirements are created based on tasks to be executed and risks to be taken into account. They differ per implementation.

On the technical side of things, have a look at the standard SAP delivered single roles in your system. There must be some that'll fit part of your needs.

0 Kudos

Hi,

Actually we have installed ECC 6.0 in the DEV system. As security, I have to assign some authorisation roles to MM/PP/SD/FICO for configurations.

I don't know what authorisations are assigned to them. Can you advise me on this?

Thanks

Ramesh

0 Kudos

If you need to know what access consultants need, why don't you ask them to deliver a set of TRX?

I hope they have more experience than you have, so they must know what access they need.

By the way, SAP_ALL is forbidden!

0 Kudos

Hello Ramesh,

You'll need to do more research within your project team. As Auke suggested, it is a good idea to interview the consultants and assess their needs. Once you know that, maybe you can find some SAP roles that will get you on the way.

Some things to keep in mind:

What do you allow the consultants to do? Hopefully everything they're being paid for. Check with project management to see if they are not stretching their needs. They also know you're new to the stuff and will take advantage by asking as much as possible.

What will you not allow them to do? This is to be decided based on risk assessment, done by management. Risks can be simple stuff like: how often do you make a backup? What are the costs in time and material to restore the system to the last successful backup state? Are you using real data (with corporate and privacy risks) to test?

If you block certain activities and this conflicts with the project progress, what then? Involve the decision makers in this design stage already.

0 Kudos

Dear Ramesh,

I have been through the same situation as you. And if you search for my messages in SDN, you will see similar answers from members.

I have done some work on this and, to my basic knowledge, in the project preparation phase, roles for consultants (what transactions they are going to use/play around with on the sandbox client) are not defined properly.

Our Sr. SAP technical consultant advised to basically copy SAP_ALL, restrict sensitive BASIS transactions and the T000 table, get the sign-off from the project manager (very important: get sign-off from the Project Manager) and make sure you close cross-client customizing on the sandbox client.

Let me know if you have any further questions.

Regards,

N

Former Member
0 Kudos

Hi Ramesh,

Why not develop your own standards, policies and procedures? There is a wealth of information on this forum which covers the main areas. Another good source is Auditnet ( http://www.auditnet.org ).

If you have any queries on specifics then there are plenty on here who will be more than happy to answer those (e.g. why should we create project consultants as Dialog users). I for one would be more than happy to review any such documentation if you posted it on here, but don't see any value in posting up generic material as it will not reflect your project and/or organisation.