08-30-2011 12:38 PM
Hi,
We have a developer requesting transaction SWO1 in production. The only roles with this transaction with users currently assigned are BASIS roles. We use custom roles only, no SAP roles. Our concern is the change/create functionality of this transaction, which we don't think our auditors would approve of. I'd appreciate some feedback regarding allowing users this transaction in production. Also, is there any way to turn off the change and create functionality of this transaction? I searched the SDN security forum before posting my questions.
Thanks,
John
08-30-2011 1:06 PM
Hello John,
In ECC 6.0 the authorization object S_DEVELOP is checked with transaction SWO1. So you can limit the activity of S_DEVELOP to 03, which is display. Try this out, but check that the users have the object S_DEVELOP nowhere else in any authorization role.
Regards
Christian
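The check Christian describes (confirm that the developer's other roles grant no S_DEVELOP activity beyond display) is easiest to do against exported role data rather than by clicking through PFCG. The script below is an added example, not code from the thread or from SAP; it assumes simplified CSV exports of the role authorization table AGR_1251 (role, object, field, LOW, HIGH) and the user assignment table AGR_USERS (user, role). The rows embedded in it are constructed sample data.

```python
"""Audit exported SAP role data for S_DEVELOP activity grants.

Added example, not from the forum thread. It assumes simplified exports of
AGR_1251 (role authorization values) and AGR_USERS (user-role assignments);
the rows below are constructed sample data, not from any real system.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export of AGR_1251 (only the columns this check needs).
AGR_1251_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_BASIS_ADMIN,S_DEVELOP,ACTVT,*,
Z_BASIS_ADMIN,S_TCODE,TCD,SWO1,
Z_DEV_SWO1_DISPLAY,S_TCODE,TCD,SWO1,
Z_DEV_SWO1_DISPLAY,S_DEVELOP,ACTVT,03,
Z_DEV_SWO1_DISPLAY,S_DEVELOP,OBJTYPE,SOBJ,
Z_DEV_DEBUG,S_DEVELOP,ACTVT,01,03
Z_FI_CLERK,S_TCODE,TCD,FB01,
"""

# Constructed sample export of AGR_USERS.
AGR_USERS_CSV = """UNAME,AGR_NAME
BASIS01,Z_BASIS_ADMIN
DEV01,Z_DEV_SWO1_DISPLAY
DEV01,Z_DEV_DEBUG
CLERK01,Z_FI_CLERK
"""

DISPLAY = "03"  # ACTVT 03 = display


def parse_csv(text):
    """Parse one export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def actvt_values(low, high):
    """Expand an ACTVT LOW/HIGH pair into the set of activity codes it grants.

    '*' is a full wildcard; a non-empty HIGH turns LOW..HIGH into a range.
    Numeric codes are expanded; anything else is kept as the literal endpoints.
    """
    if low == "*":
        return {"*"}
    if high:
        if low.isdigit() and high.isdigit():
            return {f"{v:02d}" for v in range(int(low), int(high) + 1)}
        return {low, high}
    return {low}


def s_develop_grants(auth_rows):
    """Map role name -> set of ACTVT values granted on S_DEVELOP."""
    grants = defaultdict(set)
    for row in auth_rows:
        if row["OBJECT"] == "S_DEVELOP" and row["FIELD"] == "ACTVT":
            grants[row["AGR_NAME"]] |= actvt_values(row["LOW"], row["HIGH"])
    return dict(grants)


def audit_user(uname, auth_rows, user_rows):
    """Report every S_DEVELOP activity a user receives, per role.

    'beyond_display' lists the roles (and activities) that go past ACTVT 03,
    which is what would let the user change or create objects in SWO1.
    """
    roles = [r["AGR_NAME"] for r in user_rows if r["UNAME"] == uname]
    grants = s_develop_grants(auth_rows)
    per_role = {role: sorted(grants[role]) for role in roles if role in grants}
    beyond = {role: [a for a in acts if a != DISPLAY] for role, acts in per_role.items()}
    beyond = {role: acts for role, acts in beyond.items() if acts}
    return {"user": uname, "s_develop": per_role, "beyond_display": beyond}


def main():
    auth_rows = parse_csv(AGR_1251_CSV)
    user_rows = parse_csv(AGR_USERS_CSV)
    for user in sorted({r["UNAME"] for r in user_rows}):
        report = audit_user(user, auth_rows, user_rows)
        status = "OK (display only)" if not report["beyond_display"] else "REVIEW"
        print(f"{user}: {status} S_DEVELOP={report['s_develop']} "
              f"beyond_display={report['beyond_display']}")


if __name__ == "__main__":
    main()
```

Run against real exports, any user in the REVIEW state has a role other than the new display-only one that still grants change or create on S_DEVELOP, so restricting ACTVT in the SWO1 role alone would not hold. Keep in mind that a real AGR_1251 export has more columns (AUTH, DELETED) and that the same object can appear in several authorization instances per role; the script aggregates them per role, which is the conservative view.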
08-31-2011 2:35 PM
Hi Christian,
Thanks for your suggestions. I think that the problem is we don't have any custom roles that contain transaction SWO1 that my manager would agree to assign a developer to. The roles are all for BASIS people. So I can't use PFCG to make the changes you suggest because I don't have a role to start with. Or am I wrong in my thinking?
John
08-31-2011 2:55 PM
Hello John,
You could create a new role for the developers in your production system which only contains transaction SWO1 with object S_DEVELOP and the corresponding restrictions. You can easily show your manager that this works by making a temporary test user copied from a developer.
Regards
Christian
09-02-2011 12:33 AM
Hi,
I am not sure if this is a great idea. The problem is that you can test business objects in SWO1. So a malicious user could try to misuse it by executing an object and manually entering a key for that object. The methods of that business object might not have a proper authorization check for all operations.
Cheers
09-02-2011 12:27 PM
Note that display S_DEVELOP is sufficient to execute the test environment of methods.