05-10-2010 12:01 PM
Our System Info : ECC 6.0 with all major modules implemented including HR
We have one quick requirement as below
3 Roles Required
01. All HR Authroizations
02. All Authroizations except HR & BASIS
03. All "BASIS" Authroizations
Pl Help
Regards
05-10-2010 12:24 PM
> We have one quick requirement as below
I'd say you'll have to get a new set of requirements because this one is fairly worthless. Nobody needs "all".
But before we can properly help you on your way, what kind of system is it? dev/qas/prod? and what are the circumstances? Is it a sandbox system, early project phase or productive environment?
05-10-2010 12:24 PM
> We have one quick requirement as below
I'd say you'll have to get a new set of requirements because this one is fairly worthless. Nobody needs "all".
But before we can properly help you on your way, what kind of system is it? dev/qas/prod? and what are the circumstances? Is it a sandbox system, early project phase or productive environment?
05-10-2010 12:39 PM
Hi....Jurjen
The requirment is in Quality Server
Actually Our System user base is 13K and a Support Team of all different moduels of mySAP Business Suite is around 70 to 80. Most of the integration testing will be done by Support Team.
To bring down Integration time, We have got approved to categorize support teams as
BASIS - I was referring "All BASIS" Authroizations"
HR - I was referring "All HR Authroizations"
REST ALL CONSULTANT - I was referring " All Authroizations except HR & BASIS"
Can we get any Quick tips to realize these roles.
Rgds
05-10-2010 12:56 PM
If it's in qas the your client settings are very important. They can help prevent system changes. That means you need to protect those. Object S_ADMI_FCD and S_TABU_CLI are the ones to keep a close eye on.
For the rest I think there are very few 'quick' solutions other than building roles based on the SAP_ALL profile, not my favorite solution. For a qas server it may be acceptable depending on the sensitivity of data in the system. Some hints in this direction about objects to examine: S_DEVELOP should be read only, the S_USER* objects are only for the basis guys, as well as S_TRANPRT, S_CTS_ADMI. How to build roles based onexisting profiles has been discussed several times so the forum search should help.
As far as the separation between HR and non-HR is concerned I do not have a precise answer but you could experiment with disabling all objects which belong to the object class HR (see tabje TOBJ)
Once again, these are pointers to a crude solution which is most probabely not a secure one. You're on your own here and I welcome others to join in and add their 2 cents or more to the thread.
05-10-2010 1:22 PM
Hi PR
Jurjen's comment stands.
I'd say you'll have to get a new set of requirements because this one is fairly worthless. Nobody needs "all".
Your requirements are wrong. What you are providing will give the illusion of security. If you want further information search the forum for terms like:
restricting SAP_ALL
SAP_ALL display
This will give you lots of techniques for how you can do it and a lot more info on what problems there are with this approach regardless of system deployed in.
05-11-2010 5:37 AM
Hi
Requirement doesn't seems to be a good one. However you can create roles by importing the SAP Menu folders in the roles.
Steps listed below
Go to transaction PFCG--> Enter the role name and click on create --> Go to Menu tab --> click on "From SAP Menu".
This will include all the transaction from the SAP Menu folder, however you would still need to work with business analysts to identify the folders they would need access to from the SAP Menu.
Note: Granting access through SAP Menu folder will not provide configuration access to the users. No configuration access should be provided to anyone in quality server.
Thanks.
Anjan