Solved: Restricting import of new developments to producti...

Former Member · ‎04-21-2006

Dear All,

I hope I've hit the right forum. I am searching for a possibility to restrict import of new developments with STMS. We are currently heaving the situation that a developer with authorization for STMS and S_CTS_ADMI (IMPA, IMPS) is able to import every released transport.

Our management believes strongly in a 4-eye principle and therefore no developer should be able to import his own transports, while heaving the authorization to import transports of his colleagues. I haven't found something on how this scenario could be implemented so far (neither in SDN nor SAP Help).

I would be more than happy if anybody could give me a solution for our problem or at least some hints where to look for further information.

Thank you!

Best Regards

Simon

Former Member · ‎04-21-2006

Hello Simon,

Regarding the 4-eye principle you could have a look on the transport manager by realtech (www.realtech.com).

I dont't think that it's really possible to restrict the usage of STMS via authorizations properly. An other way would be to centralize STMS and put the check to the level of creating / releasing transport orders. Some customers did that; but the drawback is, that the developer had to wait for a transport order before they could even begin working.

Regards Wolfgang

Former Member · ‎04-21-2006

Hello Simon,

Regarding the 4-eye principle you could have a look on the transport manager by realtech (www.realtech.com).

I dont't think that it's really possible to restrict the usage of STMS via authorizations properly. An other way would be to centralize STMS and put the check to the level of creating / releasing transport orders. Some customers did that; but the drawback is, that the developer had to wait for a transport order before they could even begin working.

Regards Wolfgang

Former Member · ‎04-21-2006

I thought these authorizations are strictly under the control of a few administration people who will import the transports after the necessary approval is given. I haven't seen developers having that access to import any transports, forget about their own. This is not a recommended approach.

Normally, a developer creates a transport and releases it upon the completion of development. It then goes through approval process(manual or workflow). Upon approval the transport is imported into QA or Production environments(again either manually or workflow triggering).

Have you thought about restricting the access to import a transport just to a few. This is separation of duties 101.

Former Member · ‎04-26-2006

Thank you for your answers. I know that the best solution would be to employ somebody for QA and create a real seperation of duties (such a process had been in place until the person responsible retired). Sadly our management is not willing to employ somebody else. Also the use of STMS is mandatory within the company and we're not able to replace it by another tool.

But if there is no technical solution for the problem we'll have to find one on the organizational level.

I've just been wondering if there is a possibility on the technical level we haven't taught of.

Best Regards

Simon

Former Member · ‎04-26-2006

You might try running STMS from another ABAB that checks that the transport is not owned by the person running the new transaction. You'd also have to do some sort of mod to STMS (hopefully there's an exit where you can do this checking) to make sure it's only run from the new program.

Rob

Restricting import of new developments to production