Menu vs. Authorization roles

Former Member
0 Kudos

Dear all,

I am checking the possibility of separating roles so that I have a menu structure in one role and another associated role for the authorizations.

I found 2 standard SAP roles that have something similar:

SAP_AUDITOR_BA_FI_APMD

SAP_AUDITOR_BA_FI_APMD_A

Checking SAP_AUDITOR_BA_FI_APMD, I realize there is a menu structure with "transactions" inside, but on the authorization tab there is nothing.

How could I do that if I would like to create my own roles? I mean, when I add a transaction to the menu, the authorization part will be updated automatically.

I will appreciate any suggestion to do that.

Thanks

FedeX

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Thanks guys for your remarks and comments.

I would only like to understand, technically speaking, how I can reproduce something that SAP already did in the case of these 2 standard roles:

SAP_AUDITOR_BA_FI_APMD

SAP_AUDITOR_BA_FI_APMD_A

The reason, or whether this is a good or a bad thing, is something that I have to decide for my specific scenario, which is complicated to clarify here.

I was able to do something similar at the composite role level, but at the single role level I am not allowed to add standard transactions via PFCG and remove them later from the authorizations.

In the end, I am trying to create a role that only has the menu part but nothing in the authorization part, similar to SAP_AUDITOR_BA_FI_APMD.

If you have some idea how I can do that, I will appreciate it.

Thanks,

FedeX

7 REPLIES

Former Member
0 Kudos

Do you want to create two roles one with just the menu and other with just the authorizations?

Just out of curiosity, why do you want to do that? It's going to be quite a mess during upgrades and also role changes are going to be painful.

Former Member
0 Kudos

That is the concept of the AIS (Audit Information System).

The old report tree (transaction SECR) was not enough (people click on things they can see...).

The bugger is that auditors generally have audit check-sheets with "start report xxx from SA38" and "Check table xxxx from SE16" all over the place...

The AIS gives you SAP default menus to that information and you can add your own by copying them into your namespace. The real access is the authorization role though, as the user might be able to break out of the menu in some transactions - or generally via the ability to execute objects from the menu where they can control the object name.

It works for such things as the AIS, but is not scalable.

Your other options are SA38, SE16, etc...

Cheers,

Julius

sdipanjan
Active Contributor
0 Kudos

My personal opinion is that it is a stupid idea to use this design. If we return to this concept, then we are going to ignore the facility SAP provided to us by introducing the Profile Generator.

Regards,

Dipanjan

Former Member
0 Kudos

Note that PFCG now also offers "Authorization Defaults", which is basically the same thing, but within the same single role. This is a very good thing.

This gives you the option of pulling proposals from SU24 without them being visible (or executable...) via the menu navigation.

I agree with you that it is ideal to derive the authority from the menu tab (whether visible or not) and build roles at a higher level, and less of them too.

But try explaining that to an auditor who wants to run a report in his check-list?

Actually, I heard auditors recently recommending composite roles for this reason to reduce the access of the end users to fewer profiles...

Unfortunately they turn up on a Monday morning without invitation and want access... It is more secure to hash up a menu for them and know what access they have behind it (test and transport that one!) than dish out SA33 etc and SE16 etc.

If they are IT auditors (as is often the case) then they will want to display some development objects. Forget about S_TCODE from that point onwards.... use the authorizations role values.

Hope that helps,

Julius

0 Kudos

> If you have some idea how I can do that, I will appreciate it.

How about:

build the menu role by filling the menu but do not go to the authorizations tab.

save the role and copy it for the role with authorizations.

go into the copy and edit and generate the authorizations.

delete the menu from the copy and save.

go to the authorizations tab of the copy, expert mode, edit old status.

generate.

Jurjen

0 Kudos

> In the end I try to create a role that only have the menu part but nothing in the authorization part similar to SAP_AUDITOR_BA_FI_APMD

I don't understand where you are stuck - it is exactly as you have described. See also Jurjen's suggestion on using the one to build the other in the beginning.

One role with the menu only and more flexible access to add / remove objects to it. Another with the authorizations only and less flexibility to change. No connection between the two, except that they are assigned to the same user.

Cheers,

Julius
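
Because the thread's design leaves the menu role and the authorization role with no link except the user assignment, the pair can drift apart. The following is an added example, not code from the thread or from SAP: a consistency check over exported role data. The tuple layouts, the `Z_*` role names and the sample rows are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample data (not from the thread). Assumed layouts of a role export:
# MENU = (role, transaction in menu), S_TCODE = (role, low, high), USERS = (role, user).
# Role names, users and the chosen transaction codes are hypothetical.
MENU = [("Z_AUDIT_MENU", "FK03"), ("Z_AUDIT_MENU", "FBL1N"),
        ("Z_AUDIT_MENU", "S_ALR_87012086")]
S_TCODE = [("Z_AUDIT_AUTH", "FK03", ""), ("Z_AUDIT_AUTH", "S_ALR*", ""),
           ("Z_AUDIT_AUTH", "SE16", "SE17")]
USERS = [("Z_AUDIT_MENU", "AUDITOR1"), ("Z_AUDIT_AUTH", "AUDITOR1"),
         ("Z_AUDIT_MENU", "AUDITOR2"), ("Z_AUDIT_AUTH", "AUDITOR3")]


def covers(low, high, tcode):
    """True if one S_TCODE value (single value, * pattern, or low-high range) allows tcode."""
    if high:
        return low <= tcode <= high
    return fnmatchcase(tcode, low)


def check_pair(menu_role, auth_role, menu=MENU, s_tcode=S_TCODE, users=USERS):
    """Compare a menu-only role with its authorization-only partner."""
    entries = sorted({t for r, t in menu if r == menu_role})
    values = [(lo, hi) for r, lo, hi in s_tcode if r == auth_role]

    # Menu entries the user can see but has no start authorization for.
    dead = [t for t in entries
            if not any(covers(lo, hi, t) for lo, hi in values)]
    # S_TCODE values matching no menu entry: real access that the menu does not show.
    hidden = [(lo, hi) for lo, hi in values
              if not any(covers(lo, hi, t) for t in entries)]

    # The only link between the two roles is that both go to the same user.
    with_menu = {u for r, u in users if r == menu_role}
    with_auth = {u for r, u in users if r == auth_role}
    return {
        "menu_without_auth": dead,
        "auth_without_menu": hidden,
        "users_menu_only": sorted(with_menu - with_auth),
        "users_auth_only": sorted(with_auth - with_menu),
    }


if __name__ == "__main__":
    for finding, items in check_pair("Z_AUDIT_MENU", "Z_AUDIT_AUTH").items():
        print(f"{finding}: {items}")
```

The `auth_without_menu` and `users_auth_only` findings are the ones to review first, since the authorization role is the real access regardless of what the menu displays.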