Level of security for developer in QAS

Former Member
0 Kudos

Hi guys,

Recently the guy from security restricted my user in QAS, he removed sap_all.

I agree with that, but I need to be able to reproduce any error for any txn in SAP (Functional from every module except security).

So I need access to developer txn plus every single txn from all modules.

Any ideas of how to do that?

I don't want to ask every time for each txn!

tks in advance.

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos

To reproduce errors properly in a QAS system you should work with the same roles as the end-user who got the error in the first place. So, you'll need test users there, not a user with rights to almost anything. The errors may well be security-related......

I think your security staff should set up a test user for each functional role (function level) in this system, with a generic password so you can use those to run your simulations. Maybe with debugging rights and some read-only access to the ABAP Workbench.

0 Kudos

I agree,

Do you have any documents or something related to SAP that should help me to justify this?

tks

0 Kudos

I'm afraid not.

What you can do is search for testing documents/best practices/methods and the way they handle users and authorizations. Because that's what you are actually doing when reproducing a problem, testing.

0 Kudos

Hi

I believe the best way is creating a test user and assigning the end user's profiles to reproduce the error.

And we don't find any such documents since the decisions are purely based on business process and policies of the respective company.

0 Kudos

Hi Javier,

Although they are considered highly restricted transactions, you might ask if you can be granted the SU01 and PFCG transactions so that you could then create test users and assign roles to them yourself. If it's an authorizations error then you could simply run an SU53 on the test user scenario. If it's a debug issue then that would require some different authorizations.

As was already stated, it will depend on the individual company and their security policies whether they would allow you SU01 and PFCG in their QAS system, as these are restricted transactions. However, they may be able to implement a business process, such as a "developer debug" user that has these transactions, but remains locked until you request it to fix a user's issue. Then once you have completed your task the user can be locked again.

Hope this helps.

Former Member
0 Kudos

Hi Javier,

Creating a test user and assigning authorizations to that test user as and when required will be a very good option. However, you can also have a role with all the transactions from all the modules or a single role (for all the transactions from each module) for each module but having only display access. The second option will be helpful in solving the issues in some of the cases.

Regards,