Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Transaction based security vs. Authorization based security

Go to solution
Former Member

‎03-10-2009 5:31 PM

0 Kudos

Hi All just a general question does any one know any pro's and con's about implementing transaction based security vs. authorization object based

Thanks Mike

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎03-10-2009 8:59 PM

0 Kudos

I have to do the security and the Sap consltant that was here said we are doing it through A/O's and all I did was ran a trace for the transaction codes and got the A/o's for each transaction. and we would populate the Auth Obj's with the relevant info co codes Plants... But like whats the difference if I just put in the tcode or the A/O's it sounds like the same thing.

4 REPLIES 4

Go to solution
jurjen_heeck
Active Contributor

‎03-10-2009 5:45 PM

0 Kudos

Can you please explain a bit more on your question?

If transaction based security in your opinion is about only controlling which transactions users can start and allowing all other values in other objects , thats about as secure as locking your front door and leaving all windows open.....

Go to solution
Former Member

‎03-10-2009 8:59 PM

0 Kudos

I have to do the security and the Sap consltant that was here said we are doing it through A/O's and all I did was ran a trace for the transaction codes and got the A/o's for each transaction. and we would populate the Auth Obj's with the relevant info co codes Plants... But like whats the difference if I just put in the tcode or the A/O's it sounds like the same thing.

Go to solution
jurjen_heeck
Active Contributor
In response to Former Member

‎03-11-2009 7:19 AM

0 Kudos

Well, the Tcode goes into an authoruization object as well, namely S_TCODE, so it always boils down to authorization objects. When properly configured, PFCG will propose all necessary authorization objects once you put a transaction in the role menu. On a new system, have a look at SU25 and it's documentation to setup PFCG.

In my opinion putting the relevant transactions in the roles first and fine tuning the authorization values afterwards is the right way to go. Tracing may help but is no substitute for testing.

Go to solution
Former Member
In response to Former Member

‎03-11-2009 8:49 AM

0 Kudos

I agree with you Jurjen Heeck. SAP has moved from maintaining profiles (maintaining directly authorizations based procedure) to role based approach. Performing trace and adding each object is also a time consuming process. Hence additing transacions directly to roles and fine tuning them is the best approach.

Thanks,

Gowrinadh