
Role Based Security

Former Member
0 Kudos

Hello. I am in the process of switching all users over to process-based roles, based on the default roles that come installed with SAP. Before now all users were generated a "personalized" role in which they were given ad hoc transactions. This has become unmanageable and because of SOX compliance we want to go toward a role based security model. Having around 1000 production users, this is a very tedious and time consuming task. We are not a very large support staff. I am the only Security Admin and there is one Basis Admin. 4 developers work at another site. Has anyone been through this exercise and have any tips or can point me to any tools to help with this massive undertaking?

Thank you,

Michael Jaynes

1 ACCEPTED SOLUTION

sdipanjan
Active Contributor
0 Kudos

As per my information there is no such Tool available to automate this process. You need to design the role structure in such a fashion that the implementation and post go-live administration effort is smooth enough. It's hard to make this Job quick and shortcut .....

You can get some idea to design a good role structure in the book "SAP Security and Authorization".

Regards,

Dipanjan

4 REPLIES 4

Former Member
0 Kudos

Thank you for your prompt reply. I know the role creation cannot be automated. The way I am going about it currently is I am taking each user one by one and duplicating to a test user in our sandbox. Then I am looking at all transactions this user has assigned and assigning standard process roles to them accordingly and removing the old personalized role. There are always transactions leftover and there are always differences between the original user and the newly created test user. The standard comparison tools in SAP are lacking a bit.

sdipanjan
Active Contributor
0 Kudos

> Thank you for your prompt reply. I know the role creation cannot be automated. The way I am going about it currently is I am taking each user one by one and duplicating to a test user in our sandbox.

Here I would like to give one suggestion to reduce your workload. Do not create a Test ID for each of your existing users. I hope you are going to use the Ref-Der role concept. So, prepare Composite roles by using the Derived roles, which will represent a Position or a Task of a specific Position that is held and processed by a user.

Now create a Test ID for each Position that is unique in nature. Also create a Special Display role which will contain a specific set of TCodes, Reports etc. (e.g. SU53, SU3) and assign that to all Composite roles.

> Then I am looking at all transactions this user has assigned and assigning standard process roles to them accordingly and removing the old personalized role. There are always transactions leftover and there are always differences between the original user and the newly created test user.

Try not to provide sufficient authorizations in one shot. Keep tracing each Position (the user also needs to cooperate with you) and then provide the exact required access.

> The standard comparison tool in SAP are lacking a bit.

Use the TCode Role_Cmp to get the difference. This is really good.

Regards,

Dipanjan

0 Kudos

This looks like a purely technical approach to me and in my opinion it is not the best way to go.

You should (but I agree you'll need some extra hands for that) interview your users as well to understand which tasks they perform in the system. That will allow you to build task-related roles which then can be bundled into function-related composite roles. A user has a function (composite role) which contains tasks (single roles) which need one or more transactions.

I consider the SAP standard roles not to be much more than a starting point and hardly ever use them.

Talking about the standard roles, do please copy them to your own namespace and use the copies as the originals may be overwritten in upgrades, without any prior warning.

Edited by: Jurjen Heeck on Jul 13, 2009 7:25 PM
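
The comparison described in this thread (group users into positions, map each position's existing transactions to process roles, then review what is left over) can be prototyped offline before touching any user. The following is an added example, not part of any post and not an SAP tool; it assumes the user-to-transaction and role-to-transaction lists have already been exported, and the role names and sample data are constructed.

```python
from collections import defaultdict

# Constructed sample data (not from a real system): transactions each user
# holds through the old personalized role, and transactions per candidate role.
USER_TCODES = {
    "USER_A": {"VA01", "VA02", "VA03", "SU3", "SU53"},
    "USER_B": {"VA01", "VA02", "VA03", "SU3", "SU53"},
    "USER_C": {"ME21N", "ME23N", "VA03", "SU3", "SU53", "FB03"},
}
ROLE_TCODES = {  # hypothetical role names
    "Z_SALES_ORDER_MAINT": {"VA01", "VA02", "VA03"},
    "Z_SALES_ORDER_DISPLAY": {"VA03"},
    "Z_PURCH_ORDER_MAINT": {"ME21N", "ME22N", "ME23N"},
    "Z_PURCH_ORDER_DISPLAY": {"ME23N"},
    "Z_COMMON_DISPLAY": {"SU3", "SU53"},
}

def group_positions(user_tcodes):
    """Group users with identical transaction sets into one 'position'."""
    groups = defaultdict(list)
    for user, tcodes in user_tcodes.items():
        groups[frozenset(tcodes)].append(user)
    return {tcodes: sorted(users) for tcodes, users in groups.items()}

def propose_roles(needed, role_tcodes):
    """Greedily pick roles that grant nothing outside `needed`.
    Returns (chosen roles, transactions that no such role covers)."""
    remaining, chosen = set(needed), []
    # Least privilege: drop any role that would add a transaction the
    # position does not have today; those cases need a human decision.
    candidates = {r: t for r, t in role_tcodes.items() if t <= needed}
    while remaining:
        best = max(sorted(candidates),
                   key=lambda r: len(candidates[r] & remaining), default=None)
        if best is None or not candidates[best] & remaining:
            break
        chosen.append(best)
        remaining -= candidates.pop(best)
    return chosen, remaining

def migration_report(user_tcodes, role_tcodes):
    """One entry per position: its users, proposed roles, leftover tcodes."""
    report = []
    for tcodes, users in group_positions(user_tcodes).items():
        roles, leftover = propose_roles(tcodes, role_tcodes)
        report.append({"users": users, "roles": roles, "leftover": sorted(leftover)})
    return sorted(report, key=lambda entry: entry["users"])

if __name__ == "__main__":
    for entry in migration_report(USER_TCODES, ROLE_TCODES):
        print(entry)
```

The leftover list is the review queue: each entry is either access the position no longer needs or a gap that calls for a new or adjusted role.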