03-09-2009 10:16 AM
Dear Firends,
I have created one role from SAP_ALL but in audit that is not acceptable.
Can you please suggest better way for creating roles for our MM, SD , FI and Abapers.
Please help me out in the above issue.
Thanks a lot in advance.
Regards
Jay
03-09-2009 6:20 PM
Hi,
Basically you can copy the roles from SAP menu structure. For MM, select total MM part in the logistics. they also need some transactions other than MM part. Best to way to get list is from their favorites. they can download and send it to you. So you can copy them. Like wise you can create for others. Also they need authorization for spro.
Thanks,
Gowrinadh C
03-09-2009 10:24 AM
> ....but in audit that is not acceptable.
Not acceptable in DEV, QAS or PRD?
03-09-2009 10:29 AM
As a former security consultant I always find this question quite funny.
I always ask my colleagues what authorization they need. And I always get the same answer.
"SAP_ALL"
So my response is then, tell me which transactions you need and I make sure you can run it!
That does not work either.
So to try to answer your question.
You have to find out how to define the roles neccessary for the developers.
You can do that by restricting everything and then allowing just transaction by transaction.
Another smart way is to look at some of the predefined roles available in the system. They will not match your need completely, but it will give you quite a good start.
In our new ECC 6.0 system there are over 2500 roles that are delivered by SAP to serve as a template.
Good luck!
/fredrik
03-09-2009 11:16 AM
Dear Fredrik,
Already, have created one role for basis in dev with following following sap standard roles.
SAP_BC_AUTH_DATA_ADMIN
SAP_BC_AUTH_PROFILE_ADMIN
SAP_BC_BASIS_ADMIN
SAP_BC_BASIS_MONITORING
SAP_BC_BATCH_ADMIN
SAP_BC_BDC_ADMIN
SAP_BC_TRANSPORT_ADMINISTRATOR
SAP_BC_TRANSPORT_ADMIN_MINIAPP
SAP_BC_TRANSPORT_OPERATOR
But still am not getting authorization for SCC4 , stms_import.
can you pl suggest what is wrong??
Thanks in advance.
Regards
Jay,
03-09-2009 12:05 PM
Dear ,
After adding SAP_BC_CLIENTCOPY that problem is solved.
But how roles will be created for all other consultants.
Regards
NIrgun
03-09-2009 12:21 PM
How good your roles will be depends on the quality and experience of your consultants.
If they do not know what transactions they need, one can question if they know what to do with the transaction??
Any way the only way forward is as suggested create roles as good as you can and then add when ever there is need for wider access!
03-09-2009 6:20 PM
Hi,
Basically you can copy the roles from SAP menu structure. For MM, select total MM part in the logistics. they also need some transactions other than MM part. Best to way to get list is from their favorites. they can download and send it to you. So you can copy them. Like wise you can create for others. Also they need authorization for spro.
Thanks,
Gowrinadh C