Solved: Restricted access to functional teams

Former Member · ‎03-07-2011

I am trying to restrict the access of IT functional consultants in the Quality system as currently they have change access there. I would like to know whether creating one single role with display access(copying from sap_all profile and exclude basis objects) is the good solution as specificed in the below post. But this will provide the dispaly access to all the master data of the quality system which is copy of production master data. Is providing functioanl team access to display all to Production data is the security threat.

To summarize, what access should the functional team members should have in quality and production systems.

I have already gone through search forums and found the below post from Kunal to be relevant, but not sure this is the right approach.

Thanks in advance,

Sameer

Former Member · ‎03-07-2011

Sameer,

I would go for a customized role by selecting the required nodes in spro and then restricting the activities as per the need basis.

or, you can go for the solution provided in the post you mentioned, please remember that would be common role for all functional guys.

Thanks,

Brahmeshwar

Former Member · ‎03-07-2011

Sameer,

I would go for a customized role by selecting the required nodes in spro and then restricting the activities as per the need basis.

or, you can go for the solution provided in the post you mentioned, please remember that would be common role for all functional guys.

Thanks,

Brahmeshwar

Former Member · ‎03-07-2011

Brahmeshwar, Arpan,

Thanks for the replies. I will try to modify or create the new role to provide the access. The only thing I wish to know from security point of view what should be the access provided to functional team. Can we give them change access in Quality system or it has to be restricted to display. Can we just copy the sap_all into new role and change the activity to 03 for providing display access to all transactions.

Former Member · ‎03-07-2011

Sameer,

About the access to be provided to the functional team, it all depends on how the security is defined in your project, usually Quality would be refreshed with production data so that the functional guys can test\work on production data which they cannot do in production directly due to various restrictions. Being a security person, we should get the requirement from the business or management as what needs to be restricted and the roles needs to be built accordingly.

For creating customized role, please refer to the below link

Thanks,

Brahmeshwar

Former Member · ‎03-08-2011

Thanks for the reply. This way we will try to restrict the access. Jut wish to know how about the HR Data. How we can restrict that as its critical and consist of payroll and other HR related data.

Former Member · ‎03-10-2011

Dear,

As HR Data is critical you can remove HR authorization group with the HR table access through the object S_TABU_DIS with respecitve authorization group. and you can provide the same to HR consultant with another role. For functional consultant also you have to restrict them with their respective modules.

Regards,

Shrinivasan. KV

arpan_paik · ‎03-07-2011

Yes, SAP tree structure is a good place to start as mentioned above. These can even be fine tuned provided a good testing been carried out. On master data display, consultant should be having the same as during support that would be require. But if the data is too senstive and customer has an object to provide that access to consultant then those specific cases can be restricted. But these will be handful case only.

Regards,

Arpan Paik