Skip to Content
Jun 28, 2018 at 01:39 PM

Evaluate SAP OSS notes implementation from authorizations perspective


As an authorization consultant I get requests from our Basis team to evaluate security notes which would be implemented in our production system. This is their requirement"- "... you need to check whether notes would have any impact after implementation (Security impact), e.g. if any customized t-code is already present in the system and notes have certain restrictions which would impact that t-code."

In general I am fine with these kind of requests when a note obviously refers to an authorization activity, e.g. set an authority check for a new field, however in some cases I find a bit ambiguous whether the change would have any impact from authorizations perspective.

I understand that cannot be a universal solution, but would you have any suggestions as to how to handle this, e.g. under 'Other terms' paragraph of a notes template, if there is no Authorization/authorization check mentioned, could I assume that I could give a greenlight for a note's implementation?

Thank you,