Skip to Content
avatar image
Former Member

Which auths for BASIS tasks?

We want to carry out BASIS support tasks on our customer's SAP systems (ABAP & Java)

They are not ready to provide SAP_ALL & SAP_NEW auths for this purpose.

What auths will be required to perform these tasks?

We intend to perform the std daily/weekly/monthly BASIS tasks such as:

Servers (SM51), processes (SM50), database (DBxx), O/S (ST06), Dumps (ST22), bkg jobs (SM37) and so on

(about 20+ tcodes)

It would be great if someone could provide links which we could refer.

Thanks in advance

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

9 Answers

  • avatar image
    Former Member
    Aug 04, 2009 at 03:51 AM

    Yes no customer allow the SAP_ALL and SAP_NEW profiles to any one on Production server. Do one thing ask their IT head to approve the creation of a New Role which will have the Tcode SM50/51/66, DB01 to DB21 etc., ST22, SM21,SM13,SM12, ST03N, STAD etc.

    After creating the role assign to your self and other BASIS consultants in your team.

    Thanks

    Lokendra

    Add comment
    10|10000 characters needed characters exceeded

  • Aug 04, 2009 at 09:41 AM

    Moved to Security Forum

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Aug 04, 2009 at 10:02 AM

    if they are ready to grant you full access for your servers.

    Then please request access to these t-codes. SM21, ST22, ST01, PFCG, SU01, SM50, SM51, OS07, DB* (Database related t-codes)

    No need to have access to SM59 and get access to SUIM t-code.

    these are basic t-codes that you need to monitor or access your servers.

    Hope this would help you.

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Aug 04, 2009 at 11:07 AM

    Hi,

    As a Basis administrator you should have the below access.

    General maintenance read access means t-code which youu2019re using for monitoring the SAP systems.

    Ex:- ST22, SM21,AL08..etc

    SAP tech admin transactions example AL02, AL03, AL04.etc

    And print support transactions example SP01, SPAD..etc

    Please let me know if you want more help for this !

    Thanks,

    Bikshamaiah.G

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Aug 04, 2009 at 01:10 PM

    Hi,

    Go for the table AGR_Tcode where u can find out roles and tcodes assigned to them.

    Try this ....it may help u to pick out the roles related to Monitoring.

    Thanks

    Ramakrishna.

    Add comment
    10|10000 characters needed characters exceeded

  • Aug 11, 2009 at 07:52 AM

    Another simple way to get started is to host the Basis guys in client 000 and give them the profile S_A.SYSTEM

    This way you have separated the operations from the data and the auditors are happy.

    And using S_A.SYSTEM profile you get a jumpstart on the role. You can use it as a template in PFCG.

    /fredrik

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Aug 11, 2009 at 01:03 PM

    Copy and customize the standard SAP role SAP_BC_BASIS_ADMIN - System Administrator according to your requirement

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Aug 11, 2009 at 01:24 PM

    Merv!

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      >

      > h1. Merv!

      I sent him a note to read the manual and follow-up on the question...

      Otherwise it is perhaps safer to just lock it before it leaves the road 😊

      Cheers,

      Julius

  • avatar image
    Former Member
    Aug 12, 2009 at 02:33 AM

    Cons,

    BASIS tasks are not limited to certain number of transactions and should be wide enough to cover most of the critical function with respect to security in mind. What your BASIS team would do in some critical situation when you may have restricted them to say 10 transactions.

    In my view you need to define the requirements. Best thing to start with is to discuss with your BASIS team about the requirements. Once you confirm the requirements than start building role and let them test in staging environment and tune your role till you (as security personal and your BASIS team) are comfortable.

    There are also fast and easy ways such as copying template and assign admin profiles, however question is what level of access is appropriate from your BASIS team's daily tasks prospective and have you already identify the risk associated with level of access which is in line with your organizations strategy.

    There is a reason why SAP provides its GRC tool set to manage Super access.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Whoa! I think responses are going a bit offtrack here...

      Firstly, thank you all for your responses.

      I am already evaluating responses from Prasad, Jurjen and Ramakrishna and will update/close the message accordingly once I am done.

      @ Fredrik Pettersson

      Thank you for your approach.

      We are already following this approach and I have posted another query about that here (still waiting for a response though) - [Monitoring client 000 instead of active client|Monitoring client 000 instead of active client;

      If you could address this query, then we intend to rollout this approach henceforth.

      Once again, thanks to all.