
Configuring Solution Manager: Alternative Role to SAP_ALL

Former Member
0 Kudos

This is a general question regarding configuring Solution Manager and note 834534. I am configuring Solution Manager 7.0 at a client site. The main components that I am configuring are on the Monitoring and Operations side; for example, System Monitoring, Service Desk, Issue Management, and Change Management for Maintenance Optimizer. CHaRM will follow later on. Additionally, the client would like to use the project side of Solution Manager.

When I took training for Solution Manager from SAP, the SAP instructor advised the class to have SAP_ALL when configuring Solution Manager. The problem I am having is that the client will not issue me SAP_ALL in the Solution Manager instance, regardless of the recommendation in note 834534. I can understand the client's reluctance to issue SAP_ALL, even though Solution Manager is not a financial system in and of itself; however, I have found that I am constantly having to ask for authorizations as I step through the wizards and the Scenario-specific settings. When I run into issues which require further investigation by running transactions to check certain settings that are not specifically tied to a wizard or scenario-specific setting transaction, I run into further delays as I ask for additional authorizations to troubleshoot issues.

We have implemented the roles and assigned them to my ID in Solution Manager as outlined by the SAP Solution Manager Security Guide to the fullest extent possible; and I have been issued "Basis Roles" that the client issues to their Basis team. Regardless of these actions, I still run into authorization issues.

My question is, apart from the SAP Solution Manager Security Guide's recommendations (which do not mention SAP_ALL), is there a role being developed, or has been developed, that can be assigned to the Solution Manager configurator in lieu of SAP_ALL (as per note 834534)? I would think that this issue has been raised before, particularly since many companies have implemented SOX controls and are skittish about issuing SAP_ALL.

Your feedback is most appreciated.

Accepted Solutions (1)

Former Member
0 Kudos

We also don't have SAP_ALL and can work perfectly with SolMan.

You should check the WorkCenter documentation as per http://help.sap.com/saphelp_smehp1/helpdata/de/40/8ac473d40943ddb23def12bdb33437/frameset.htm

Basically, you can assign different Roles for the different WorkCenter Scenarios.

Also check #1236420

https://websmp105.sap-ag.de/~sapidb/011000358700002004032008E

Nesimi

Former Member
0 Kudos

Thanks for the reply, Nesimi.

While I appreciate that you do not use SAP_ALL, is that the case when you are configuring a brand new, clean system? Are you using the Configuration Wizards without SAP_ALL? I ask this because when I ran the first configuration wizard, one of the steps is to create a "configuration user", which creates a user with SAP_ALL. However, I cannot use that wizard-generated user ID because it has the role SAP_ALL.

In general, I am operating on 3 sources of information that says I need SAP_ALL to configure the system (not necessarily to operate it):

1. An SAP Instructor for the Solution Manager Operations and Monitoring Class

2. The IMG Activity "Create Configuration User" documentation in SPRO

3. Note 834534

I will review the English version of the link http://help.sap.com/saphelp_smehp1/helpdata/de/40/8ac473d40943ddb23def12bdb33437/frameset.htm that you have thoughtfully provided.

With respect to note 123640, I am not sure if that solves my problem or answers the fundamental question that I have in that given the 3 sources I quoted above. It seems to me that SAP's approach in indicating clearly that they prefer that the configuration user should have SAP_ALL is flawed given today's corporate governance policies. Clearly this recommendation is only for the initial configuration, and SAP_ALL can be taken away and replaced by the roles and recommendations in the SolMan security guide to maintain Solution Manager. But when it comes down to the question "what do you need to configure Solution Manager, because we won't give you SAP_ALL", I am hard pressed to give an answer despite literally spending hundreds of hours researching "documentation" which does not give clear-cut answers. I think SAP needs to address this issue instead of taking the easy way out and saying you need "SAP_ALL" as illustrated in the 3 sources of readily available information cited above.

Former Member
0 Kudos

Hello Greg,

The one and every answer I get from SAP, from SAP Consultants, from people who don't have an understanding of Security is always (and probably will always be) that they need SAP_ALL for their work.

In our world (I am working at a Company that has to stick to SOX rules) nobody has SAP_ALL and we can all work on what we are supposed to do.

When we get a new System, we create as DDIC user our own Client 000 --> 100. Then we log in with SAP* and create our first own user who has the Role by which he can create other users and maintain Roles. With that very first user we create users for our SAP Basis Team, which get Roles from a predefined template that has many S_* profile-like authorizations assigned. Once this is done, SAP* is locked (login/no_automatic_user_sapstar=1) and the Basis Team as well as the Security Team have only the dedicated Roles they need for their tasks. After that we have to evaluate which authorizations SAP Solution Manager users like SOLMAN_ADMIN or SOLMANSMA/SOLMANTMW etc. have to have. This is basically taken from help.sap.com or from OSS Notes. If additional authorizations are needed which are not documented by SAP (that happens in particular for JAVA), we have to reproduce the error and run an authorization trace at that time, which gives us the missing authorization objects.

regards

Nesimi

Edited by: Nesimi Buelbuel on Apr 29, 2009 7:38 AM
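The last step of the post above, turning failed authorization checks from a trace into a role change request, can be sketched as follows. This is an added example, not part of the original thread or SAP's tooling: the semicolon-separated trace format, the user name CONFIG_USER and the REVIEW_OBJECTS list are assumptions made for illustration; only the rule that a non-zero return code means a failed check is taken from how AUTHORITY-CHECK works.

```python
from collections import defaultdict

# Constructed sample: simplified export of authorization checks
# (user; object; return code; field=value pairs). Not real trace output.
SAMPLE_TRACE = """\
CONFIG_USER;S_TCODE;0;TCD=SPRO
CONFIG_USER;S_TCODE;4;TCD=SM59
CONFIG_USER;S_RFC;4;RFC_TYPE=FUGR,RFC_NAME=SYST,ACTVT=16
CONFIG_USER;S_RFC;4;RFC_TYPE=FUGR,RFC_NAME=SYST,ACTVT=16
CONFIG_USER;S_USER_GRP;12;CLASS=SUPER,ACTVT=02
OTHER_USER;S_TCODE;4;TCD=SU01
"""

# Objects routed to the security team instead of being added directly
# (illustrative choice for this example, not an SAP-defined list).
REVIEW_OBJECTS = {"S_USER_GRP", "S_USER_AGR", "S_DEVELOP"}


def parse_line(line):
    user, obj, rc, fields = line.split(";", 3)
    values = dict(pair.split("=", 1) for pair in fields.split(",") if pair)
    return user, obj, int(rc), values


def missing_authorizations(trace_text, user):
    """Return {object: {field: sorted values}} for one user's failed checks."""
    missing = defaultdict(lambda: defaultdict(set))
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        trace_user, obj, rc, values = parse_line(line)
        if trace_user != user or rc == 0:
            continue  # other users and successful checks are not role gaps
        for field, value in values.items():
            missing[obj][field].add(value)  # sets collapse repeated checks
    return {o: {f: sorted(v) for f, v in fs.items()} for o, fs in missing.items()}


def role_request(trace_text, user):
    """Split the gaps into routine additions and ones needing sign-off."""
    gaps = missing_authorizations(trace_text, user)
    routine = {o: f for o, f in gaps.items() if o not in REVIEW_OBJECTS}
    review = {o: f for o, f in gaps.items() if o in REVIEW_OBJECTS}
    return routine, review


if __name__ == "__main__":
    routine, review = role_request(SAMPLE_TRACE, "CONFIG_USER")
    print("add to configuration role:", routine)
    print("needs security sign-off:", review)
```
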

Former Member
0 Kudos

Nesimi,

It's not that the consultants need SAP_ALL or don't understand the need for security, it's that they hate wasting all that time waiting for proper authorizations. 😛

Answers (3)

Former Member
0 Kudos

Just as a follow up for the community and to illustrate how there is no consensus on this topic...the following is a reply to the OSS message I placed and the response from SAP:

Message 416354 / 2009

30.04.2009 - 15:10:05 CET - Reply by SAP

Dear Greg,

No, currently there are no plans to generate or create a role as parallel to SAP_ALL in Solution Manager.

The note is still valid and you require SAP_ALL for configuring Solution Manager.

With Warm Regards

Amit Devale

SAP Active Global Support - Netweaver Web Application Server

Things that make you go, "hhhhmmmm......"

Former Member
0 Kudos

Actually, Jason hit the proverbial nail on the head. Apart from my harping on poor documentation from SAP (after all, it is they who say you "need" SAP_ALL in the IMG and in note 834534), the time wasted deciphering what authorizations are needed does waste a lot of precious time, at the client's expense.

I didn't "want" SAP_ALL, I was just going by the readily available documentation from SAP. The time I wasted researching this topic cost the client a lot of money, and it cost me a lot of money, since I did not bill for all the time that I spent researching ways around SAP's "recommendation" of SAP_ALL. That time could have been spent actually configuring the system and delivering a product to my client.

This is a prime example of how consultants can get a bad rap and get labeled as "over-paid", when it is not necessarily deserved.

Thanks Jason!

Former Member
0 Kudos

This is an explanation that I can swallow!

Clearly, there is documentation out there which explains this, but it is scattered here and there and not consolidated and easily accessible. When undertaking a Solution Manager configuration mini-project at another client, they issued a profile that was informally called SAP_ALMOST_ALL, and as such, configuration was a non-issue. In this environment, there is no such role. Since that is the case, typically a configurator is going to look at the documentation contained in the IMG, and if that is not sufficient, a notes search quickly follows. For me, the IMG step "Create Configuration User" documentation said assign SAP_ALL, and the notes search turned up note 834534, which "confirmed" the documentation.

I think that in the final analysis, SAP_ALL from the documentation contained in note 834534 and in the IMG in particular is the "easy answer" from SAP, and does not get granular enough in today's corporate IT environment (i.e., SOX controls). Clearly, SAP's note and IMG documentation should be updated to reflect what is really needed and references to SAP_ALL should be taken out.

The exercise we went through, since there is no SAP_ALMOST_ALL here, ended up costing a fortune in the long run. This could have been avoided if the IMG documentation and note 834534 were written far more accurately.

I appreciate your answer, that was good stuff.

Thanks!

annett_michel
Explorer
0 Kudos

Hello Greg,

Please check out section 6.3.3 in the Security Guide for SAP Solution Manager EhP1 and SP19 on the Service Marketplace: http://service.sap.com/instguides -> SAP Components -> SAP Solution Manager.

Here, you find a description of how you can build your own "Customizing" role based on an IMG project.

In this case you could avoid SAP_ALL, but only for configuration purposes. Any further transactions than those included in IMG must be added to the according user in a separate additional role.

Cheers,

Annett