
Flooding & controlled authorizations in Quality Server

pr_srinivas
Contributor
0 Kudos

Our System Info : ECC 6.0 with all major modules implemented including HR

We have one quick requirement as below

3 Roles Required

01. All HR Authorizations

02. All Authorizations except HR & BASIS

03. All "BASIS" Authorizations

Please help

Regards

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos

> We have one quick requirement as below

I'd say you'll have to get a new set of requirements because this one is fairly worthless. Nobody needs "all".

But before we can properly help you on your way, what kind of system is it? Dev/QAS/prod? And what are the circumstances? Is it a sandbox system, early project phase or productive environment?


0 Kudos

Hi....Jurjen

The requirement is in Quality Server

Actually, our system user base is 13K and a support team of all different modules of mySAP Business Suite is around 70 to 80. Most of the integration testing will be done by the support team.

To bring down integration time, we have got approval to categorize support teams as

BASIS - I was referring to "All BASIS Authorizations"

HR - I was referring to "All HR Authorizations"

REST ALL CONSULTANT - I was referring to "All Authorizations except HR & BASIS"

Can we get any quick tips to realize these roles?

Rgds

0 Kudos

If it's in qas then your client settings are very important. They can help prevent system changes. That means you need to protect those. Objects S_ADMI_FCD and S_TABU_CLI are the ones to keep a close eye on.

For the rest I think there are very few 'quick' solutions other than building roles based on the SAP_ALL profile, not my favorite solution. For a qas server it may be acceptable depending on the sensitivity of data in the system. Some hints in this direction about objects to examine: S_DEVELOP should be read only, the S_USER* objects are only for the basis guys, as well as S_TRANPRT, S_CTS_ADMI. How to build roles based on existing profiles has been discussed several times so the forum search should help.

As far as the separation between HR and non-HR is concerned I do not have a precise answer but you could experiment with disabling all objects which belong to the object class HR (see table TOBJ).

Once again, these are pointers to a crude solution which is most probably not a secure one. You're on your own here and I welcome others to join in and add their 2 cents or more to the thread.
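
The object hints in the reply above, written as a check over exported role authorization data. This is an added example, not code from any poster in the thread; the role names, the row layout (role, object, field, value), the sample rows and the rule that the client-protection objects belong to the BASIS role only are assumptions made here.

```python
from fnmatch import fnmatch

# Objects the reply reserves for the basis team. S_TRANSPRT is the standard
# name of the transport object that the reply writes as S_TRANPRT.
BASIS_ONLY = ["S_USER*", "S_TRANSPRT", "S_CTS_ADMI"]
# Objects the reply says to watch because they guard client settings.
# Treating them as BASIS-only is an assumption of this example.
CLIENT_PROTECTION = {"S_ADMI_FCD", "S_TABU_CLI"}
# Constructed subset of table TOBJ: authorization object -> object class.
TOBJ_CLASS = {"P_ORGIN": "HR", "PLOG": "HR", "P_PERNR": "HR"}

# Hypothetical role names mapped to the three teams from the question.
TEAM_OF = {"Z_QAS_BASIS": "BASIS", "Z_QAS_HR": "HR", "Z_QAS_REST": "REST"}

# Constructed sample rows: (role, object, field, value). One value per row;
# ranges would need expanding before this check is applied.
SAMPLE_ROWS = [
    ("Z_QAS_BASIS", "S_USER_GRP", "ACTVT", "*"),
    ("Z_QAS_BASIS", "S_TABU_CLI", "CLIIDMAINT", "X"),
    ("Z_QAS_BASIS", "S_DEVELOP", "ACTVT", "03"),
    ("Z_QAS_HR", "P_ORGIN", "AUTHC", "*"),
    ("Z_QAS_HR", "S_DEVELOP", "ACTVT", "*"),
    ("Z_QAS_REST", "P_ORGIN", "AUTHC", "R"),
    ("Z_QAS_REST", "S_USER_AUT", "ACTVT", "03"),
    ("Z_QAS_REST", "S_ADMI_FCD", "S_ADMI_FCD", "T000"),
    ("Z_QAS_REST", "S_DEVELOP", "ACTVT", "03"),
]

def audit(rows, team_of):
    """Return sorted (role, object, reason) findings for the given rows."""
    findings = set()
    for role, obj, field, value in rows:
        team = team_of[role]
        if team != "BASIS" and any(fnmatch(obj, p) for p in BASIS_ONLY):
            findings.add((role, obj, "basis-only object"))
        if team != "BASIS" and obj in CLIENT_PROTECTION:
            findings.add((role, obj, "client-protection object"))
        # ACTVT 03 is display; anything else (including *) allows changes.
        if obj == "S_DEVELOP" and field == "ACTVT" and value != "03":
            findings.add((role, obj, "S_DEVELOP not display-only"))
        if team != "HR" and TOBJ_CLASS.get(obj) == "HR":
            findings.add((role, obj, "HR-class object outside HR role"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS, TEAM_OF):
        print(*finding, sep=" | ")
```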

0 Kudos

Hi PR

Jurjen's comment stands.

I'd say you'll have to get a new set of requirements because this one is fairly worthless. Nobody needs "all".

Your requirements are wrong. What you are providing will give the illusion of security. If you want further information search the forum for terms like:

restricting SAP_ALL

SAP_ALL display

This will give you lots of techniques for how you can do it and a lot more info on what problems there are with this approach regardless of system deployed in.

Former Member
0 Kudos

Hi

Requirement doesn't seem to be a good one. However you can create roles by importing the SAP Menu folders in the roles.

Steps listed below

Go to transaction PFCG --> Enter the role name and click on create --> Go to Menu tab --> click on "From SAP Menu".

This will include all the transactions from the SAP Menu folder, however you would still need to work with business analysts to identify the folders they would need access to from the SAP Menu.

Note: Granting access through SAP Menu folder will not provide configuration access to the users. No configuration access should be provided to anyone in quality server.

Thanks.

Anjan