User Wise Role

Former Member
0 Kudos

Hi Experts

Initially, for a few months, we have kept all authorizations (except SPRO) open to all users due to various reasons.

Now we have data (ST03) about which user has executed which T.codes, and we are planning to create one role per user based on this information. We have 120 users right now.

However, adding all the Auth. Objects in the role for the Tcode is a challenge and time-consuming.

Question is -

What is the best & simplest way to create such a userwise role?

Thanks in Advance.

Sunil Kolambkar.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Sunil,

Do you mean to say that for each user, you are going to create a separate role?

If that would be the case, I'll suggest you don't do it like that.

Regards

Raja. G

4 REPLIES 4

Bernhard_SAP
Advisor
Advisor
0 Kudos

Hi Sunil,

The role concept is based on the assumption that a role describes a work center, for example, bookkeeping clerk, printer admin, etc.

Creating roles for each user separately is much work and is not very flexible. The better approach would be to get a concept based on the tasks of each user. Depending on the granularity of tasks, you then create your roles, which can be used for multiple users (for instance, spool authorizations for displaying own requests, maintaining own preferences (SU3), etc.).

Based on different tasks, you will be more flexible and you will save some time as you can use several roles for multiple users.

b.rgds, Bernhard

Former Member
0 Kudos

Sunil,

There are no good reasons to leave the auths open, and it is a major sign that the implementation is significantly flawed. In this respect there is no way that you can rely on the log files to identify what the users should do, only what they want to do and have done. If you do some searches on ST03 you will see that using it as your source will also give you some problems.

As Bernhard has said, you need to develop a role based approach which takes into account some form of access control and segregation of sensitive functions. This is the best & simplest way to create such a role. Like all other parts of an implementation, security comes at a cost to do it correctly and skimping on it will make a mockery of the other implementation work.

Former Member
0 Kudos

Hi Sunil,

For separating authorizations from one user to another, you need to create separate roles for all.

But for saving time, you can find out the most common authorizations that are required for all users, and create a common single role that can be assigned to all users. For example, some display authorizations and access to transactions SU53 and SU3 might be common to all.

And then create other roles as per the position of the users.

Assign that role and the common role to all.

This will save you some time.

Regards,

Sandip
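
The approach in the replies above (one common role plus task-based roles shared by several users), sketched as an added example that is not part of the original thread. It assumes the ST03 usage data has been exported to a user-to-transaction mapping; the user names and sample data are constructed, and because usage only shows what users did, the output is a list of candidates for review, not a finished role design.

```python
from collections import Counter

# Constructed sample: user -> transaction codes seen in usage statistics.
USAGE = {
    "USER_A": {"SU3", "SU53", "FB01", "FB03"},
    "USER_B": {"SU3", "SU53", "FB01", "FB03"},
    "USER_C": {"SU3", "SU53", "ME21N", "ME23N"},
    "USER_D": {"SU3", "SU53", "ME21N", "ME23N", "FB03"},
    "USER_E": {"SU3", "SU53", "VA01", "VA03"},
}

def common_baseline(usage, share=1.0):
    """Tcodes used by at least `share` of all users: the common role."""
    counts = Counter(t for tcodes in usage.values() for t in tcodes)
    return {t for t, n in counts.items() if n >= share * len(usage)}

def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets count as identical."""
    return len(a & b) / len(a | b) if (a | b) else 1.0

def candidate_roles(usage, share=1.0, min_similarity=0.6):
    """Greedily group users whose non-baseline tcodes overlap.

    Returns (baseline, groups). Each group lists its users, the tcodes
    every member used, and the tcodes only some members used ("review"),
    which need a decision by the business owner before going into a role.
    """
    base = common_baseline(usage, share)
    groups = []
    for user in sorted(usage):
        rest = usage[user] - base
        for g in groups:
            if jaccard(rest, g["tcodes"]) >= min_similarity:
                g["users"].append(user)
                g["tcodes"] &= rest   # keep only what all members share
                g["seen"] |= rest     # everything any member used
                break
        else:
            groups.append({"users": [user], "tcodes": set(rest), "seen": set(rest)})
    for g in groups:
        g["review"] = g.pop("seen") - g["tcodes"]
    return base, groups

if __name__ == "__main__":
    base, groups = candidate_roles(USAGE)
    print("common role:", sorted(base))
    for g in groups:
        print(g["users"], sorted(g["tcodes"]), "review:", sorted(g["review"]))
```
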