Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Maximum Number of tcodes in a role

Former Member
0 Kudos

I would like to know whether there is any SAP reccomendation on the maximum number of tcodes in roles. I have Security consultants colleagues who suggests that the maximum number of SAP transactions in a role must be around 40, though I have not found or heard anything from SAP or someone on such recommendations.

We are redesigning some large roles,and divding them with 40 tx each doesnt looks a good idea to me as they will result in lot of roles and managing them would not be feasible.

Can anyone share their experience regarding the same. Does SAP recommend anything related to it.

1 ACCEPTED SOLUTION

koehntopp
Product and Topic Expert
Product and Topic Expert
0 Kudos

Maybe you can try looking at your roles from the user perspective:

- how many transactions does a user really use (or know how to use properly)? You can look this up in ST03N

- if you divide these along business processes you will get a good idea how the roles should be cut (provided the users follow properly designed processes in the first place).

A general number won't help you here - technical limitations are not your problem.

Frank.

7 REPLIES 7

koehntopp
Product and Topic Expert
Product and Topic Expert
0 Kudos

Maybe you can try looking at your roles from the user perspective:

- how many transactions does a user really use (or know how to use properly)? You can look this up in ST03N

- if you divide these along business processes you will get a good idea how the roles should be cut (provided the users follow properly designed processes in the first place).

A general number won't help you here - technical limitations are not your problem.

Frank.

Former Member
0 Kudos

Thanks Frank for the reply. We already have a a set of roles defined as per the Business processes. For e.g if we have 200 tx for MM module. I want to assign all the 200 MM tranasctions in a single MM role. But my colleague prefers to divide the roles into small roles with 40 tx each. I am unable to understand this methodology to create five roles when a single role can do the task for us. The user list is also same for these 200 MM transactions to be assigned to them.

Former Member
0 Kudos

Sameer,

I was "assured" that the key finance person would need access to all of the t-codes in a very long list - about 1300 in total.

Checkig out what she actually uses, there are just over 30 that she uses at least once a day, another 8 she uses at least once a week, and another 7 she uses once a month. There are 4 she will use very occasionally, and I suspect we will find maybe another 2 or 3 she will use once a year (possibly a few more, but I doubt more than half a dozen).

Although we haven't done the same work for all roles, I suspect we would find the same in several others.

The problem is that once you have given someone access to a t-code, they will fight to keep it, even if they don't use it. Better to start with the absolute minimum, and then let them have the others, if they really will use them.

Former Member
0 Kudos

Role design is always subjective. There are many (who I generally strongly disagree with) who like to have 1-5 transactions in a role. SAP provides composite roles to help manage this.

As Tony mentioned, actual usage is often much less than you think. A role with 200 tx may be suitable to cover a whole module but if it is for end users then is it likely that they will need all of that? Maybe some smaller roles would be more suitable as that better reflects the jobs that the majority of users will perform.

There are many factors to consider and there is no "right" answer other than in security there is almost always more than one way to skin a cat....

0 Kudos

Hi,

one thing to consider for such 'big' roles is the effort at merging authorizations. Prepare the party hats for SU25 after an upgrade....

cheers, Bernhard

0 Kudos

Prepare the party hats for SU25 after an upgrade....

LoL

Luckily those changes have the ability to unmerge the authorizations. I still believe that an unmerge function in general would be usefull.

Anyway, to answer the question, I believe the limit is ((3950 - 2) / 41) x 150... or something like that, which translates to about 14 thousand transaction codes after which the party music stops...

Enjoy the weekend,

Julius

Former Member
0 Kudos

Thanks everyone for the replies. I understood there is no such rule to restrict the maximum number of tocdes in a role. Rather, we should try to restrict the tcodes depending on the usage and the requirement of the module.