
SAP_ALL in non-productive systems

0 Kudos

Hello SAP Security Administrators,

I have been searching (without success) for documentation or posts for an SAP security best practice for who should or should not have the profile SAP_ALL in a non-productive system. Is this typically left up to the individual company security policies? Is it a given that Basis will have SAP_ALL for administrative support? Are Security Admins allowed to have elevated privs in a non-productive system for research and troubleshooting?

We are trying to establish a standard for non-productive systems, so any input would be greatly appreciated!

Regards,

Janice

7 REPLIES 7

jurjen_heeck
Active Contributor
0 Kudos

I do not think there are real standards. Personally I consider using SAP_ALL a sign of utter laziness because there is never a person who needs to access all functionality in an ERP system.

The only valid occasion I know to use SAP_ALL is during upgrades, but even then it's not a guarantee against surprises.

You are talking about non productive systems but that does not exclude systems with production data, something to consider.

Some thoughts:

Do you want people to influence developments and/or transports if that is not their task?

Do you want people to see sensitive test data just copied from production?

Do you really think your system/landscape configuration will be safe if you have to rely on agreements? Transport routes for instance?

SAP_ALL is something I only allow in sandbox systems and only if they're being backed up at least weekly. That is to avoid heavy discussions when people destroy each other's work by curiously hitting buttons and 'trying' transactions.

I am sure some others will have a few suggestions to add.

0 Kudos

jurjen

I fully agree with you. No one should have SAP_ALL in any system in a landscape. That is far too dangerous.

0 Kudos

Thank you everyone for your input! I tried to award "Very Helpful" for everyone, but I was only allowed to select two replies.

Historically the Basis team has been allowed to have SAP_ALL in all non-Production systems and our security team would like to re-evaluate whether that is a valid need.

0 Kudos

> Historically the Basis team has been allowed to have SAP_ALL in all non-Production systems and our security team would like to re-evaluate whether that is a valid need.

The outcome of the re-evaluation should be pretty straightforward, but I wish you lots of luck and perseverance trying to get 'the real world' to match this outcome.

0 Kudos

This message was moderated.

Former Member
0 Kudos

My views are in line with those of Jurjen and Auke. No need for SAP_ALL to be permanently assigned to any users in the landscape.

0 Kudos

Hi, if you want best security practices then SAP_ALL should never be assigned to users.

You can work around this: create a copy of SAP_ALL, remove what is unwanted, and then assign it to the user.

SAP_ALL is generally for the BASIS administrator while performing a few activities (not for daily activities). Once again, I repeat, this is not a BEST PRACTICE at all.