Solved: Production Support Roles

Former Member · ‎09-11-2009

Hi Guys,

Can anyone please guide me or route me to the right direction to collect right t-codes for (Basis, security and Developer) support roles. I know the major t-codes for the above mentioned support roles. But I do like to know if I can get the correct or at least 80% to 90% t-codes that would be use in production.

Thanks in advance

Faisal

Former Member · ‎09-11-2009

Take help of SAP templates while deciding and creating your custom roles. That is why they are there for ..for example ..

SAP_BC_AUTH_DATA_ADMIN Authorization Data Administrator

SAP_BC_AUTH_PROFILE_ADMIN Authorization Profile Administrator

SAP_BC_BASIS_ADMIN System Administrator

SAP_BC_BASIS_MONITORING System Administrator - Display Monitoring Data

SAP_BC_BATCH_ADMIN Background Processing Administrator

SAP_BC_BDC_ADMIN Batch Input Administrator

SAP_BC_DWB_ABAPDEVELOPER ABAP Developers

SAP_BC_DWB_PROJECT_MANAGER Development Project Leader

SAP_BC_DWB_WBDISPLAY ABAP Developer: Display Authorization

SAP_BC_ENDUSER Noncritical Basis Authorizations for All Users

Former Member · ‎09-11-2009

Development access should not be there in production system. Basis and Security tcodes can be googled.

Former Member · ‎09-14-2009

Thank you so m,uch guys, Really helpfull information,

I do have some confussion about Developer access in production. I guess they need at least little bit of access in production because they are the one who's going to use custom transaction that they created in Dev for Conversion. I'm not sure why we shouldn't grant access to Developter even though my developer sadi that some of the conversion custom tcodes they created they need it in production.

please provide your feedback

Thanks in advance

Faisal

Former Member · ‎09-14-2009

as ageneral rule ONLY give display access to these people in PRODUCTION. And then wait for them to give you TRX they need including a reason and if in doubt have a manager approve before granting the access.

Basis consultants do need wide acces BUT NEVER to business TRX

Former Member · ‎09-14-2009

Hello Faisal,

Simply have a list of illegal tcodes and NEVER give them SAP_ALL, even if the ask for it. If they do ask for it or say that they cannot work without it, then take their DISPLAY_ALL access away for 1 week as punishment.

Kind regards,

Julius

Former Member · ‎09-11-2009

You will be better off relying on the SU24 proposals that trying to do it on your own, to be honest.

Choose the transactions carefully and try to stick to the standard SAP roles in copies of your own, and have a list of objects (with values) which are not allowed in some systems of the landscape to do a sanity check on it.

Eventually you can tune SU24 to your requirements. Please read the documentation on the transactioon (and the FAQ thread at the top of the forum).

Cheers,