The simplistic approach is to find out if that does that person require those transactions to perform their job?

If the Warehouse Admin really has to access all of that data then the transactions should be provided unless your business decides there is an unacceptable risk with it. If there is an unacceptable risk then the access needs to be mitigated and the data or ability to perform the task needs to be provided in a different way.

Hi Roam,

The role you mentioned also containing Admin and configurtion transaction, and this could be risky in production . Better you recheck all requirement with business or team needed this role again.

As a security consultatnt you need to clear the risk of available authorization in role to requestor.

Most Important: Also check object level access given in this role:

For example:S_TABU_DIS, S_TABU_CLI and client should not be open in production system.

CRYSTAL/RPTADMIN - Administer Crystal Report Content

RSH1 - Edit hierarchy initial screen

LISTCUBE - List viewer for InfoCubes

LISTSCHEMA - Show InfoCube schema

RSORMDR - BW Metadata Repository

RSPCM - Monitor daily process chains

SU01D - User Display

SE16 - Data Browser

RSCUSTV14 - OLAP: Cache Parameters

RSDIPROP - Maintain InfoProvider Properties

ST02 - Setups/Tune Buffers

RSRV - Analysis and Repair of BW Objects

RSDDSTAT - Maintain the BW Statistics Settings

SM51 - List of SAP Systems

RSDDSTAT - Maintain the BW Statistics Settings

RSRCACHE - OLAP: Cache Monitor

RSU3I - Display update rules

RSA1 - BW Administrator Workbench

BW Repository

RSDDV - Aggregates

RSISET - Maintain InfoSets

Loading Process

RSPC - Process Chain Maintenance

RSDBC - Connect External Database (DB Connect)

Monitor

RSMO - BW Monitor

SM50 - Work Process Overview

ST22 - ABAP Dump Analysis

RZ20 - CCMS Monitoring

This would be fine to check the system health status, but should be restricted to Basis team and ST22 with ABAP team

Settings

SPRO - Customizing: BW

SBIW - Customizing: BW as Source System .

COnfiguration changes are risky in production, So you need to check with business the requirement of same.

General

RSADMIN - RSADMIN Maintenance

RSBWREMOTE - Create Warehouse User

RSKC - Maintaining the Permitted Extra Characters

Same maintenance transaction, need to check again, if that particular change is not transportable

Monitor

RSCUSTV6 - Threshold Value for Data Loading

RSCUSTV2 - Wait Time Monitor

RSMONMAIL - Mail Addresses for Monitor Assistant

RSMONCOLOR - T. Light Color in Mon. if No Data

Restrict to Monitoring team...

Hope this helps

Edited by: connecpk on Feb 1, 2010 5:17 AM