Tailor SAP_ALL to restrict system authorizations

Former Member
0 Kudos

Hello All,

I am new to this forum and I feel it's one of the best forums I have looked at.

I moved from infra to Security.

It's my first question; I hope you guys will help me. I tried searching the pages but did not find the answer.

Question:

My task is to create a role with SAP_ALL and tailor it to suit the restrictions.

My manager gave me about 200 Tcodes (system auth.) that developers and config guys should be restricted to.

I was trying to maintain ranges in S_TCODE; however, it's getting complex for me to decide on the ranges.

Guys, do you think I am doing this correctly? Please suggest me on this.

Thanks all, please help me.

Anil.

6 REPLIES

Former Member
0 Kudos

Hi Anil

When you say "My manager gave me about 200 Tcodes (system auth.), developers and config guys should be restricted to"

Do you mean that you have been given 200 tx that they should be able to run?

If that is the case, then you are better off creating a role containing those 200 transaction codes.

The problem with SAP_ALL is that you can make big changes to the S_TCODE ranges, but the users have enough underlying access to perform the functions that you are trying to restrict in the first place.

The best approach is to get a list of transactions that the users require and build roles from there. It is a bit painful the first time you have to create those roles but will generally be a lot more secure.

0 Kudos

In addition to Alex:

Don't be tempted to put S_TCODE ranges in your roles. It does save a lot of time during the build but will eventually backfire in maintenance and with audits.

You may want to look at the standard SAP delivered roles and compare the transactions in there with the list you've got. Maybe some of those fit part of your needs and then you'd only have to copy them to your namespace.

On the other hand, the creator of the 200 TCODE list must -at some point- have had an idea what they're meant for. That should give a good clue how to group them in roles.

HTH

Jurjen

Former Member
0 Kudos

I really appreciate your quick reply; I think you got my question in reverse. My apologies! I think I was not clear with my question!

I meant to say "the users should be restricted to those 200 tcodes". As it is a sandbox, my manager's thought is that users should do all the research except for the tcodes which she provided me.

My task is to: 1) Create a role with SAP_ALL and tailor it in a way that the role has NO ACCESS to the list of Tcodes (those 200 Tcodes; basically they are Basis tcodes).

Hope I was clear this time.

Thanks in advance; I really appreciate any kind of help and look forward to your thoughts!

0 Kudos

Hi Anil,

Thanks for clarifying that point & providing the extra info.

As it's your sandbox, you can usually get away with a bit more of a loose approach. In most sandbox environments users tend to get SAP_ALL.

What is common in your situation:

1. Classify the 200 tx into groups of functionality.

2. Identify the authorisation objects which give the real access to those functions (see my previous points about S_TCODE security)

3. Remove access to the auth objects which correspond to those groups of functions. This will give you far more control than restricting S_TCODE ranges.

If you really want to, then you could create some ranges to exclude some of the most obvious codes, e.g. SCC4, SU01 etc. It won't make it any more secure though.

In a sandbox you may want to think about restricting things like transports (S_TRANSPRT), System Admin stuff (some S_ADMI_FCD functions), S_RZL_ADM, some of the S_USER objects - I think you get the gist of it, there are lots more.

Former Member
0 Kudos

That was a quick reply; I got a picture of where you are coming from.

Just for my information, if I want to restrict the tcodes below:

SMET
SMETDELBUFF
SMETDELPROG
SMLG
SMLI
SMLT
SMLT_EX
SMLT_OLD
SMME
SMOD
SMOMO
SMQ1
SMQ2
SMQ3
SMQA
SMQE
SMQR
SMQS
SMT1
SMT2

Do my ranges look logical to you in S_TCODE?

FROM    TO
SMA*    -
SMD*    -
SMEA    SMES
SMEU    SMEZ    (restricts SMET, SMETDELBUFF, SMETDELPROG)
SMF     SMK     (restricts SMLG, SMLI, SMLT, SMLT_EX, SMLT_OLD, SMME, ...)
SMU     SMZ

Please don't mind if I am wrong; I am learning, so I hope you understand my curiosity.

Thanks a lot Alex...!
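Added check, not code from the thread or from SAP: a small Python model of the FROM/TO entries proposed above that reports which block-listed codes the ranges would still let through, and which codes fall outside the ranges without being intended to. It assumes S_TCODE compares values as plain strings with inclusive FROM..TO bounds and a trailing '*' as a prefix wildcard; the extra names SMG1, SMKA and SMB1 are constructed for illustration.

```python
"""Model of S_TCODE FROM/TO ranges against a list of codes to block.

Assumption: SAP compares the TCD field as a space-padded string, so a
shorter value sorts before any longer value with the same prefix
(e.g. 'SMK' < 'SMKA'). A trailing '*' is treated as a prefix wildcard.
"""

# The ranges proposed in the thread, as (FROM, TO); TO=None means a
# single value, which may carry a trailing '*'.
PROPOSED_RANGES = [
    ("SMA*", None),
    ("SMD*", None),
    ("SMEA", "SMES"),
    ("SMEU", "SMEZ"),
    ("SMF", "SMK"),
    ("SMU", "SMZ"),
]

# Codes the sandbox users must NOT run (the subset quoted in the thread).
BLOCK_LIST = ["SMET", "SMETDELBUFF", "SMETDELPROG", "SMLG", "SMLI", "SMLT",
              "SMLT_EX", "SMLT_OLD", "SMME", "SMOD", "SMOMO", "SMQ1", "SMQ2",
              "SMQ3", "SMQA", "SMQE", "SMQR", "SMQS", "SMT1", "SMT2"]


def matches(tcode, frm, to):
    """True if tcode falls inside one S_TCODE entry (string comparison)."""
    if to is None:
        if frm.endswith("*"):
            return tcode.startswith(frm[:-1])
        return tcode == frm
    return frm <= tcode <= to


def allowed(tcode, ranges):
    """A role with these entries lets the user start tcode."""
    return any(matches(tcode, frm, to) for frm, to in ranges)


def leaks(block_list, ranges):
    """Block-listed codes the ranges would still allow (should be empty)."""
    return [t for t in block_list if allowed(t, ranges)]


def excluded(candidates, ranges):
    """Codes outside every range, e.g. anything longer than TO='SMK'."""
    return [t for t in candidates if not allowed(t, ranges)]


if __name__ == "__main__":
    print("leaks:", leaks(BLOCK_LIST, PROPOSED_RANGES))
    # SMG1, SMKA, SMB1 are constructed names, not real transactions.
    print("excluded:", excluded(["SMG1", "SMKA", "SMB1"], PROPOSED_RANGES))
```

Note that a TO value of SMK ends at exactly SMK, so any longer code beginning with SMK, and anything under SMB or SMC, would fall outside the role as well. As the earlier replies point out, this only checks the transaction-code gate; the underlying authorization objects still decide what the user can actually do.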

Former Member
0 Kudos

Thanks All...!