
Which auths for BASIS tasks?

Former Member
0 Kudos

We want to carry out BASIS support tasks on our customer's SAP systems (ABAP & Java).

They are not ready to provide SAP_ALL & SAP_NEW auths for this purpose.

What auths will be required to perform these tasks?

We intend to perform the std daily/weekly/monthly BASIS tasks such as:

Servers (SM51), processes (SM50), database (DBxx), O/S (ST06), Dumps (ST22), bkg jobs (SM37) and so on

(about 20+ tcodes)

It would be great if someone could provide links which we could refer.

Thanks in advance

14 REPLIES

Former Member
0 Kudos

Yes, no customer allows the SAP_ALL and SAP_NEW profiles to anyone on a production server. Do one thing: ask their IT head to approve the creation of a new role which will have the tcodes SM50/51/66, DB01 to DB21 etc., ST22, SM21, SM13, SM12, ST03N, STAD etc.

After creating the role, assign it to yourself and the other BASIS consultants in your team.

Thanks

Lokendra

0 Kudos

Thanks for your response Lokendra.

That's exactly what I need to know - where can I find the roles/profiles for these auths?

Can you provide link/s where I can get this info?

One way is to go to each tcode and get the auth obj from /nSU53, but it's a painful process!

0 Kudos

In PFCG, look for roles starting with SAP_BC*. Copy the ones you need to your namespace and generate the profiles.

JPReyes
Active Contributor
0 Kudos

Moved to Security Forum

Former Member
0 Kudos

If they are ready to grant you full access for your servers.

Then please request access to these t-codes: SM21, ST22, ST01, PFCG, SU01, SM50, SM51, OS07, DB* (database-related t-codes).

No need to have access to SM59 and get access to SUIM t-code.

These are basic t-codes that you need to monitor or access your servers.

Hope this would help you.

Former Member
0 Kudos

Hi,

As a Basis administrator you should have the below access.

General maintenance read access means t-codes which you're using for monitoring the SAP systems.

Ex: ST22, SM21, AL08, etc.

SAP tech admin transactions, for example AL02, AL03, AL04, etc.

And print support transactions, for example SP01, SPAD, etc.

Please let me know if you want more help for this !

Thanks,

Bikshamaiah.G

Former Member
0 Kudos

Hi,

Go for the table AGR_Tcode where you can find out roles and tcodes assigned to them.

Try this... it may help you to pick out the roles related to monitoring.

Thanks

Ramakrishna.
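The role lookup suggested in the reply above, taken one step further as an added example (not part of the thread and not SAP code): given a role-to-tcode export, pick roles that cover the transactions from the original question while granting as few others as possible. It assumes a CSV export with the AGR_NAME and TCODE fields of table AGR_TCODES; the ZDEMO_* role names, their contents and the selection heuristic are constructed for illustration.

```python
import csv
import io

# Constructed sample shaped like an AGR_TCODES export (fields AGR_NAME, TCODE).
# Role names and their contents are invented for illustration.
SAMPLE_EXPORT = """AGR_NAME,TCODE
ZDEMO_MONITOR,SM50
ZDEMO_MONITOR,SM51
ZDEMO_MONITOR,ST22
ZDEMO_JOBS,SM37
ZDEMO_JOBS,SM36
ZDEMO_OS,ST06
ZDEMO_WIDE,SM50
ZDEMO_WIDE,SM51
ZDEMO_WIDE,ST22
ZDEMO_WIDE,SM37
ZDEMO_WIDE,ST06
ZDEMO_WIDE,SU01
ZDEMO_WIDE,PFCG
ZDEMO_WIDE,SM59
"""

# Transactions named in the original question.
REQUIRED = {"SM51", "SM50", "ST06", "ST22", "SM37"}


def load_roles(text):
    """Return {role: set of tcodes} from a role/tcode CSV export."""
    roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        roles.setdefault(row["AGR_NAME"].strip(), set()).add(row["TCODE"].strip().upper())
    return roles


def pick_roles(roles, required):
    """Heuristic: cover the required tcodes, preferring roles that grant the
    fewest tcodes outside the required set. Returns (chosen, extra, missing)."""
    missing, chosen, granted = set(required), [], set()
    while missing:
        useful = [r for r in roles if roles[r] & missing]
        if not useful:
            break  # no role in the export grants the remaining tcodes
        best = min(useful, key=lambda r: (len(roles[r] - required),
                                          -len(roles[r] & missing), r))
        chosen.append(best)
        granted |= roles[best]
        missing -= roles[best]
    return chosen, sorted(granted - required), sorted(missing)
```

The `extra` list is what to review or strip when the chosen roles are copied to a customer namespace; the authorization objects checked inside each transaction (what SU53 reports) still have to be reviewed separately.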

fredrik_borlie
Contributor
0 Kudos

Another simple way to get started is to host the Basis guys in client 000 and give them the profile S_A.SYSTEM

This way you have separated the operations from the data and the auditors are happy.

And using S_A.SYSTEM profile you get a jumpstart on the role. You can use it as a template in PFCG.

/fredrik

Former Member
0 Kudos

Copy and customize the standard SAP role SAP_BC_BASIS_ADMIN - System Administrator according to your requirement.

jurjen_heeck
Active Contributor
0 Kudos

Merv!

0 Kudos

> Merv!

I sent him a note to read the manual and follow-up on the question...

Otherwise it is perhaps safer to just lock it before it leaves the road.

Cheers,

Julius

Former Member
0 Kudos

Cons,

BASIS tasks are not limited to a certain number of transactions and should be wide enough to cover most of the critical functions, with security in mind. What would your BASIS team do in some critical situation when you may have restricted them to, say, 10 transactions?

In my view you need to define the requirements. The best thing to start with is to discuss the requirements with your BASIS team. Once you confirm the requirements, then start building the role and let them test in a staging environment, and tune your role till you (as security personnel, and your BASIS team) are comfortable.

There are also fast and easy ways such as copying a template and assigning admin profiles; however, the question is what level of access is appropriate from the perspective of your BASIS team's daily tasks, and have you already identified the risk associated with the level of access which is in line with your organization's strategy.

There is a reason why SAP provides its GRC tool set to manage Super access.

0 Kudos

Whoa! I think responses are going a bit offtrack here...

Firstly, thank you all for your responses.

I am already evaluating responses from Prasad, Jurjen and Ramakrishna and will update/close the message accordingly once I am done.

@ Fredrik Pettersson

Thank you for your approach.

We are already following this approach and I have posted another query about that here (still waiting for a response though): Monitoring client 000 instead of active client

If you could address this query, then we intend to rollout this approach henceforth.

Once again, thanks to all.