on 11-30-2010 3:54 AM
Dear All
Please let me know how to approach a fresh role design for Firefighter access to functional teams.
I don't want to copy the SAP_ALL profile or NEW into my role; I just want to know the exact set of critical tcodes which need to be made available in the firefighter roles.
Regards,
Naveen
Hi,
Very good question!!! And the answer is: you should only need to add those tcodes which are applicable for the functional team.
Regards,
Dipanjan
Thank you all for the response. I think that there is going to be a lot of discussions with the functional teams. I hope they know what they want.
Moved to the GRC forum as the question is FireFighter specific.
Hi Naveen,
Yes. I agree with Alex. The requirement should come from the functional teams. They are the right people to identify the critical tcodes for which access should be restricted thru elevated access.
Regards,
Raghu
Hi,
In the PRD box, some access is restricted and should be allowed only via Firefighter,
e.g. PFCG, SM30, SE16 and so on.
You only need to create firefighter roles for this purpose.
The same goes for the functional side also.
Don't create roles like one for all FI/CO tcodes, one for all MM tcodes...
Discuss with your business security team leads...
Or check all action level rules for any functional area in the RAR rule set. That will give you a pretty good idea which tcodes are critical and conflicting, so you can create roles accordingly.
So basically we allow conflicting tcodes in any firefighter role.
Regards,
Surpreet
Hi Surpreet,
I don't agree with your statement. FF IDs are not an alternative to your SODs. In such a case, you will end up creating 1000's of FF IDs in your system. Rather, it is the business decision to create specific FF IDs with critical authorizations which impact the system/functional setup. Normally the customization/IMG settings.
Also, the FFIDs will be created for a specific risk such as table maintenance, number range maintenance etc.
Regards,
Raghu
>
> pls let me know how to approach a fresh role design for Firefighter access to functional teams.
>
Before asking on a forum, speak to your func teams and ask them what they need.
Hi Naveen,
Providing wide access thru FFIDs is not at all recommended, and if you copy SAP_ALL, SAP_NEW profiles into a role, it gives more access and will not serve the purpose of creating FFIDs.
My suggestion would be to identify the functional transactions that you would like to provide thru the elevated access and create a FF role. Ensure that the tcodes that were added in the FF role are not available thru the general roles, so that your users will have to use the FF IDs.
Hope this helps!!
Regards,
Raghu
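
The check suggested in the reply above (tcodes in an FF role should not also be reachable through general roles) can be run over a role export. This is an added example, not part of the thread: it assumes a CSV export of table AGR_1251 with the columns AGR_NAME, OBJECT, FIELD, LOW, HIGH, and the role names and the `Z_FF_` naming prefix are constructed.

```python
import csv
import io

# Constructed sample shaped like an AGR_1251 export; role names are hypothetical.
SAMPLE = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_FF_BASIS,S_TCODE,TCD,PFCG,
Z_FF_BASIS,S_TCODE,TCD,SM30,
Z_FF_BASIS,S_TCODE,TCD,SE16,
Z_FI_CLERK,S_TCODE,TCD,FB01,
Z_FI_CLERK,S_TCODE,TCD,SE16,
Z_MM_BUYER,S_TCODE,TCD,ME21N,
Z_MM_BUYER,S_TCODE,TCD,SM*,
Z_BASIS_DISPLAY,S_TCODE,TCD,PFCA,PFCZ
"""

def load_tcode_grants(text):
    """Return {role: [(low, high), ...]} for S_TCODE/TCD rows only."""
    grants = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["OBJECT"] == "S_TCODE" and row["FIELD"] == "TCD":
            grants.setdefault(row["AGR_NAME"], []).append(
                (row["LOW"].strip(), (row["HIGH"] or "").strip()))
    return grants

def covers(low, high, tcode):
    """True if one value (single tcode, LOW-HIGH range or trailing-* pattern) includes tcode."""
    if high:
        return low <= tcode <= high
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return low == tcode

def ff_leaks(grants, ff_prefix="Z_FF_"):
    """List (tcode, ff_role, general_role, granting_value) for FF tcodes a general role also grants."""
    findings = []
    for ff_role, ff_values in grants.items():
        if not ff_role.startswith(ff_prefix):
            continue
        for tcode, high in ff_values:
            if high or "*" in tcode:
                continue  # only explicitly listed FF tcodes are checked here
            for role, values in grants.items():
                if role.startswith(ff_prefix):
                    continue
                for low, hi in values:
                    if covers(low, hi, tcode):
                        findings.append((tcode, ff_role, role, f"{low}-{hi}" if hi else low))
    return sorted(findings)

if __name__ == "__main__":
    for finding in ff_leaks(load_tcode_grants(SAMPLE)):
        print("%s in %s is also granted by %s via %s" % finding)
```

Wildcard and range entries in general roles are the cases a plain list comparison misses, which is why the sample includes `SM*` and `PFCA`-`PFCZ`.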