I agree with you.

But we have to give display access on authorization object S_TABU_DIS for Functional people. ABAPer s may required the same.

Hello Kunal,

That sounds like a good plan, and if it works for you then that is okay.

I guess it also depends on your setup and the size of your organization. Some of those folks might also have some support and monitoring responsibilities, perhaps even in PRD,

so some specific values for those "basis objects" might be unavoidable (eg. S_ADMI_FCD, S_IDOCMONI, S_BTCH_ADM, S_SPO...).

For folks with such skills, it certainly makes sense to control at object level and not rely on S_TCODE (eg. they already have SE38, SM37, SM30... anyway).

Very usefull is to have a secure Emergency User Concept in place. This will help you restrict the roles to differentiate between routine tasks required,

and eventualities which might happen. We developed our own solution, but there are also commercial products on the market. Of course, I think ours is much better...

Regarding "loopholes", I would say that the higher your Support Pack-level is relative to your Release level, the less there will be.

A tricky area is the config around and authorizations for the debugger. One of oldest tricks in the book, is to look for dialog users in RFC destinations and then debug calls to them.

You might want to close that "loophole". Ensuring restricted authorizations, and no dialog users in RFC destinations is a good start.

Cheers,

Julius

Thanks Julius. Unfortunately, I did not see this post until today when I was looking up for a solution to another problem.

I had a few questions and was wondering if I could get some help. I have received very good response so far and I have been able to get almost all the Functional and Developer roles carved out just because of this forum.

We are planning to Go Live and I am being bombarded with people literally demanding for access to Tcodes that can potentially cause harm. Their argument is that they need it to troubleshoot errors post Go Live which I do not disagree to.

I intend to make a firefighter role/user for this purpose so as to allow users to troubleshoot and also not stop them from performing their daily activities. My biggest problem is, I dont want to give the firefighter role too much or too little access.

Can you provide me with some insights with what the Firefighter role should have ? Like some Tcodes or maybe more of Developer Access ? Anything that would help me. Or should it have sap_all access ?

Also

 One of oldest tricks in the book, is to look for dialog users in RFC destinations and then debug calls to them.
You might want to close that "loophole". Ensuring restricted authorizations, and no dialog users in RFC destinations is a good start.

Im not sure what this means.

Thank you.

Kunal

Edited by: Kunal Belnekar on Mar 14, 2008 3:44 PM

Some comments:

> We are planning to Go Live and I am being bombarded with people literally demanding for access to Tcodes that can potentially cause harm. Their argument is that they need it to troubleshoot errors post Go Live which I do not disagree to.

and

> I intend to make a firefighter role/user for this purpose so as to allow users to troubleshoot and also not stop them from performing their daily activities. My biggest problem is, I dont want to give the firefighter role too much or too little access.

I think only you can answer that question for your specific system and security requirements. A question you might face is access to maintain variants via SA38 / SE38. So, do you give it to the support person's role, or the emergency user role (in which case you will have regular "emergencies" from a wider user base and might want to restrict the emergency access more). To this specific example, you might want to rather consider giving the users transaction VARCH instead, which I recently discovered via one of the SAP User Groups.

>> One of oldest tricks in the book, is to look for dialog users in RFC destinations and then debug calls to them.

Someone with access to SM59 can easily click on the "Remote logon" button. There is another way of doing it in the debugger which is well known. Find the location of a function call to the destination in which the SAPGUI capable user is defined. Place a break point immediately ahead of the call. When your program reaches the break-point, change from the ABAP debugger (/h) to the System debugger (/hs) and then select the Single Step option to step into the function module. The debugger will open an RFC debugging session and you will be logged onto the target destination as the user ID saved in the SM59 connection data.

Some important tips:

- Use only SYSTEM type users, and only SERVICE type users if it must be SAPGUI capable.

- Do not give these user ID's any authorizations for S_TCODE. Their entry point is S_RFC.

- Restrict S_RFC to only those function groups they need (from release 7.10 also protecting function modules).

- Do not give them S_DEVELOP authorizations and be carefull with any other "basis" type authorizations for them.

- Restrict their application authorizations to a minimum which they require.

- Consider deactivating the debugging at system level in production systems.

- Depending your release / SP level, the authority-checks may differ.

Hope that helps you a bit, cheers,

Julius