Skip to Content
Apr 04, 2012 at 04:02 PM

SAP R/3 : How to make a particular master role non-editable ?



My knowledge on Security of SAP is limited.

And while am reviewing a revamp of the existing roles of a new project on finance module.

I find that there are a few instances wherein,

there are master roles

- under which there are hundreds of derived roles.

And i find that each derived role is maintained subsequently. And independently. Thereafter.

May be the Master role was created some 6 years back. And new derived roles have been added over a period of time.

But maintained independently.

My understanding is that,

In a SAP Master Role you maintain all authorisation.

And in derived roles which are created under master roles, you generally maintain USERS.

So any change you do on the authorisation is done on the master role. Which gets reflected to all derived roles.

But there would be requirements wherein restrictions would be required to be given on derived roles.

So that there is proper segregation of duties on authorisation.

While i tried to review and understand the entire logic on the existing system,

the entire authorisation concept is built upon OU, org unit,

and all authorisations are maintained indirectly, based on postion of an employee, which is unique, (hire to retire)

Now they have branced over different countries.

And want to have a re-look on security of the existing system.

While reviewing all the roles on the existing set up which is on ECC 6.0 with oracle 10g,

So first thing i saw is that One single Fund management Master role.

Has some 153 derived roles.

And all derived roles are maintained independently.

Looking at this, I felt a bit uncomfortable.

Here i see a scenario where somebody mistakenly,

if they click on the master role and say percolate to derived role.

The entire existing will get shaken up. Which i dont want to happen even by mistake.

So am wondering if i could make any particular Master role to be non-editable.

or can i make that button of Percolate to derived roles - hidden from master role.

I do not know how internally things work within SAP.

I do not want any user - to touch any particular Master roles, which i decide to be non-editable.

Including BASIS users, it should give not authorised and ask for special login.

Is it really possible to do that ?

At a later date, if there is a requirement to add any derived role, under that master, let the system ask for permission.

Various reads on authorisation objects on SAP,

does not really HELP me understand as to

whether we could do this for ANY SINGLE Master role and make it non-editable or make the button to percolate to all derived roles to be greyed out,

BECAUSE it has many derived roles under it. Which should not be disturbed.

My question might sound ridiculous, but if anyone could guide me as to how to address this scenario.

S_USER_AUT - how to use this for the above ?