09-27-2010 2:48 PM
Hello experts,
Due to our revision, we have the demand to copy our custom context-sensitive authorization object from the old authorization class to a new one.
Is this generally possible? What are the impacts?
Any ideas?
Many Thanks!
Marco
09-27-2010 3:08 PM
> Is this generally possible? What are the impacts?
I would think this is possible
My understanding would say that, if you have the earlier Z-Objects in the SAP-defined object classes, they will by default appear in the SAP_ALL profile.
If you have a custom Object class and if your objects are moved to the custom class, SAP_ALL wouldn't have the Z-Object class listed (unless you regenerate SAP_ALL).
09-27-2010 3:11 PM
Hi,
Why do you want to change the Object class? Theoretically as well as practically it is possible, but I hope changing an Object class is not required after a long period of usage. Since we don't need to maintain the Object class as a Security check point as such, there is no activity required in the analysis and remediation phase after the change (even for HR object also).
But the Objects appear in its Object class in the role authorization data. So you need to search the roles where the Objects are present and do a re-generation of the profiles by using option "Edit Old Status and Merge with New Data".
Regards,
Dipanjan
09-27-2010 11:19 PM
> Due to our revision, we have the demand to copy our custom context-sensitive authorization object from the old authorization class to a new one.
That is a strange revision (audit) demand... Did you challenge them whether they have ever done this before and survived a release upgrade?
Is SAP_ALL otherwise okay for them? For example that people can write their own programs or maintain PRGN_CUST to include Z-classes again...
Have you tried to simply remove all profile assignments to SAP_ALL and replace them with proper roles and restrict SAP*'s HR profiles to that which applies to all users which are not employees?
You are definitely barking up the wrong tree here by moving SAP objects to Z object classes and expecting it to be secure...
Cheers,
Julius
09-28-2010 10:39 AM
>
> You are definitely barking up the wrong tree here by moving SAP objects to Z object classes and expecting it to be secure...
Hi Julius,
I think one of us got this wrong, not sure who... I thought the OP was mentioning custom objects (my inference was Z-objects) and not moving standard SAP objects.
09-28-2010 11:04 AM
Hi,
Can't imagine why revision could ask for such a change. The assignment to a class has zero impact on revisable events/processes, functionality etc. But nevertheless, if the 'Gods in black suits' require this....
So back to the original question....
I can't imagine any impacts of changing the class (as long as we are talking about Z-objects and Z-classes....)
You can perform the change easily within SU21. Enter the object in change mode, cancel the where-used -> change class -> save.
b.rgds, Bernhard