
Activating SAP delivered business functions

Former Member
0 Kudos

Based on SAP's documentation on how to activate an SAP delivered business function (i.e. using transaction SFW5), I recommended securing our ERP 6.0 system so that no one can activate an SAP delivered business function unless they are assigned a new, specific custom role containing the authorization object for SFW5.

Now my developers are telling me that this is not enough: they can see the SAP delivered business functions from SFW1 and SFW2. So I researched this, and I found the following SAP documentation page about Switch Framework transactions: http://help.sap.com/erp2005_ehp_04/helpdata/en/af/e8b540afc87c2ae10000000a155106/frameset.htm.

So my questions below are in the context of disabling access to activating SAP delivered business functions:

1) What are SAP's recommendations with regard to SFW1 and SFW2: do I really need to block access to them as well, or is it enough to block access to SFW5 only, and will that be enough to block users (who do not have the above-mentioned custom role) from activating an SAP delivered business function?

2) Is there something else I need to block, via SE80 or SE16?

I appreciate any help and reference you can provide.

Regards,

Tobi

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

Hi,

Basically, the transactions SFW1, SFW2 and SFW5 use function module RS_ACCESS_PERMISSION to check authorizations for object types SFBS, SFBF, SFSW and SF01 using the well-known authorization object S_DEVELOP. You can see it from transaction SU21 as well. So if you don't give users authorization for these object types, then they won't be able to activate the business function. This should work for all transactions unless SAP forgot to implement an authorization check somewhere. Usually developers with access to SE80 have access to the debugger as well. So it's impossible to restrict them from activating a business function.

Cheers
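
One way to audit existing roles against the check described in the answer above, as an added example that is not part of the original thread. It assumes role authorization values have been exported to CSV with a subset of the AGR_1251 columns; the role names, authorization names and sample rows are constructed, and treating every activity other than 03 (display) as worth review is an assumption, since the thread does not say which activity activation requires.

```python
import csv
import io
from collections import defaultdict

# Object types the answer above says are checked through S_DEVELOP.
SWITCH_TYPES = ("SFBS", "SFBF", "SFSW", "SF01")

# Constructed sample rows using a subset of the AGR_1251 columns.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_DEV_FULL,S_DEVELOP,T-D100,OBJTYPE,*,
Z_DEV_FULL,S_DEVELOP,T-D100,ACTVT,*,
Z_DEV_DISPLAY,S_DEVELOP,T-D200,OBJTYPE,*,
Z_DEV_DISPLAY,S_DEVELOP,T-D200,ACTVT,03,
Z_BF_ADMIN,S_DEVELOP,T-D300,OBJTYPE,SF*,
Z_BF_ADMIN,S_DEVELOP,T-D300,ACTVT,01,07
Z_SPLIT,S_DEVELOP,T-D500,OBJTYPE,SFBF,
Z_SPLIT,S_DEVELOP,T-D500,ACTVT,03,
Z_SPLIT,S_DEVELOP,T-D501,OBJTYPE,PROG,
Z_SPLIT,S_DEVELOP,T-D501,ACTVT,02,
"""

def covers(low, high, value):
    """True if one LOW/HIGH entry covers value: range, trailing-* pattern, or exact."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value

def risky_roles(export_text, auth_object="S_DEVELOP"):
    """Map role -> switch object types granted with a non-display activity."""
    grants = defaultdict(lambda: {"OBJTYPE": [], "ACTVT": []})
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] == auth_object and row["FIELD"] in ("OBJTYPE", "ACTVT"):
            # Field values only combine within one authorization (same AUTH).
            key = (row["AGR_NAME"], row["AUTH"])
            grants[key][row["FIELD"]].append((row["LOW"], row["HIGH"] or ""))
    findings = defaultdict(set)
    for (role, _auth), fields in grants.items():
        # Assumption: any ACTVT beyond 03 (display) is worth review.
        if all(low == "03" and high in ("", "03") for low, high in fields["ACTVT"]):
            continue
        for obj_type in SWITCH_TYPES:
            if any(covers(low, high, obj_type) for low, high in fields["OBJTYPE"]):
                findings[role].add(obj_type)
    return {role: sorted(types) for role, types in findings.items()}

if __name__ == "__main__":
    print(risky_roles(SAMPLE_EXPORT))
```

Z_SPLIT is not reported because its display-only grant on SFBF and its change grant on PROG sit in different authorizations, which is why the rows are grouped by AUTH before evaluation.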
