Prashant ,

Thanks for your reply. Actually we also follow the same procedure but the problems occured in cases where in the data was erased from the description tab (as it is modifiable).

Just in case you come across any alternate solution kindly let me know.

I appreciate your response.

thanks,

Salman.

> Salman Mohammed wrote:

> Actually we also follow the same procedure but the problems occured in cases where in the data was erased from the description tab (as it is modifiable).

> Just in case you come across any alternate solution kindly let me know.

Hmmm... sounds like an organizational problem. What Prashant described is what I have seen as well.

Could you clarify something for me?

If the first change is released before the second change is made, then the second change when transported will add the second change as well = so if both changes are approved, then you got what you wanted in the end.

If the first change is released after the second change is made, then the first change when transported will add the second change as well = so if both changes are approved, then you got what you wanted in the first transport already.

So... if the owner of the role is involved in the QA of the change and approval of it, where is the problem (other than admins deleting modifiable fields)?

Or is the second change not authorized / approved?

Regards,

Julius

there are two things to be said here:

A this is something one should not try to solve technically, but in procedures

B make sure that transports are imported in release date sequence or later changes will be overwritten by older versions.

On the procedural point: make sure that all will ONLY change when errors are found and NOT make changes to the process, as for that a change request should be made togheter with or by a functional consultant.

And so teh examples are not good: a change in TRX to a role is a change in process, so can not be done just on request of every Tom, Dick or Harry as it has impact on how the business is run, on SoD, might need training etc.

to help making the right decision here:

A an error is when the role is not working as described, so objects and or objects values need to be added/changed.

B a procedural change is when the business wants(is ordered) to do their tasks in a different manner from the way it is currently described.

I am aware that a lot of companies lack a proper description of their processes, in such cases there should be a functional consultant (expert) that can decide about the change.

Hi all,

Thanks for your responses.we follow a change procedure but I guess its just needs to be refined. Everybody figured out that this is a coordination issue but I was asked to research on any technical ability to handle this.

Here is a brief overview of our process :

1) BPO approves the change

2) Role owner support manager approves the change

then the Change request comes to 3)Security Manager for her approval.

I feel from Sox prespective the 3rd approval in not manadatory.

I'm I correct ??? where can I find Sox guide for SAP ?

Recap of the incident:

1)A change ticket is created for the t-code creation and a task is created for the role in which this report is to be added.

State I role Z_TESTROLE is with ZMMR0025

After adding the new report ZMMR0055 the old report ZMMR0025 is removed.

State II

The role Z_TESTROLE has tcode ZMMR0055

now this is tested in development system by the requestor.

Before this goes into PRD via QA a newsflash is sent to all the endusers (so that they know which t-code to use)

Meanwhile if another security administrator works (suppose adds a new tcode or changes an authorization) on this while the role is in state II changes made by Admin 1 are transported along with the second change.

State II + new changes = State III

When the role reaches PRD in state III result is the end user losses access to the required functionality ZMMR0025 before ZMMR0055 is made available.

I hope I’m clear , please let me know if I need to be more specific on any part.

I appreciate your help.

regards,

Salman.

I have worked in many organisations were a similar process was followed. this goes right for 99% of teh situations, the only error can be the human error and i have been tought that one should never blame a whole organization if a single human make mistakes, just talk to the person who made the mistake and make him/her aware of the problems created.

I'm impressed with what you have been taught, but here my issue is for a technical solution and also that the role owners and security manager are too busy to keep track of multiple changes to the roles.

No one is blaming the "whole organization" if you read carefully I said refine.

Your suggestions will be appreciated.

Thanks for your help.

I have to agree with Auke. This is more of a procedure issue. There is nothing I can think of technically to address this issue. However, I can add some of the procedure we have that might be helpful.

On the security role in the "Description" tab we enter the recent change and reference a change control number and the security admin initials. Our security administrator usually look at this information before making any change to a security role. If they noticed there is an open issue for this role, they will defer to the other security administrator.

Hi Jurjen,

Again this will create lot of issues,

Ex.:

-> we have to wait for the same consultant to complete it.

-> or there should be one or two shadow consultants for each.

the better idea is

-> maintain proper documentation/ communication in the role description tab, Transport request documentation and general communications.

-> there should be a integrated communication with in the security team. Like creating a mail group alias for security team along with approvers, then all the in& out communication should be marked to the group mail. so that all security consultants will have the updated info.