Former Member

Maximum Number of tcodes in a role

I would like to know whether there is any SAP recommendation on the maximum number of tcodes in roles. I have security consultant colleagues who suggest that the maximum number of SAP transactions in a role must be around 40, though I have not found or heard anything from SAP or someone on such recommendations.

We are redesigning some large roles, and dividing them with 40 tx each doesn't look like a good idea to me as they will result in a lot of roles and managing them would not be feasible.

Can anyone share their experience regarding the same? Does SAP recommend anything related to it?


3 Answers

  • Best Answer
    Apr 07, 2011 at 12:45 PM

    Maybe you can try looking at your roles from the user perspective:

    - how many transactions does a user really use (or know how to use properly)? You can look this up in ST03N

    - if you divide these along business processes you will get a good idea how the roles should be cut (provided the users follow properly designed processes in the first place).

    A general number won't help you here - technical limitations are not your problem.

    Frank.


    • Former Member Former Member

      Sameer,

      I was "assured" that the key finance person would need access to all of the t-codes in a very long list - about 1300 in total.

      Checking out what she actually uses, there are just over 30 that she uses at least once a day, another 8 she uses at least once a week, and another 7 she uses once a month. There are 4 she will use very occasionally, and I suspect we will find maybe another 2 or 3 she will use once a year (possibly a few more, but I doubt more than half a dozen).

      Although we haven't done the same work for all roles, I suspect we would find the same in several others.

      The problem is that once you have given someone access to a t-code, they will fight to keep it, even if they don't use it. Better to start with the absolute minimum, and then let them have the others, if they really will use them.

  • Apr 07, 2011 at 05:58 PM

    Role design is always subjective. There are many (who I generally strongly disagree with) who like to have 1-5 transactions in a role. SAP provides composite roles to help manage this.

    As Tony mentioned, actual usage is often much less than you think. A role with 200 tx may be suitable to cover a whole module but if it is for end users then is it likely that they will need all of that? Maybe some smaller roles would be more suitable as that better reflects the jobs that the majority of users will perform.

    There are many factors to consider and there is no "right" answer other than in security there is almost always more than one way to skin a cat....


    • Former Member Bernhard Hochreiter

      Prepare the party hats for SU25 after an upgrade....

      LoL 😊

      Luckily those changes have the ability to unmerge the authorizations. I still believe that an unmerge function in general would be useful.

      Anyway, to answer the question, I believe the limit is ((3950 - 2) / 41) x 150... or something like that, which translates to about 14 thousand transaction codes after which the party music stops... 😊

      Enjoy the weekend,

      Julius

  • Former Member
    Apr 10, 2011 at 08:53 AM

    Thanks everyone for the replies. I understood there is no such rule to restrict the maximum number of tcodes in a role. Rather, we should try to restrict the tcodes depending on the usage and the requirement of the module.
