
Any ideas on restricting userID Role Assignment within the SAP Security Team

Former Member
0 Kudos

Hello,

I have gotten a request to look into restriction of assignment of roles to oneself within the company SAP Security Team. Thoughts I have come up with so far involve the use of UserID User Groups, Role Assignment Ranges, and forcing all role assignments for all userIDs through GRC-AC CUP for QA and Prod. Has anyone come up with a workable solution that is outside of these suggestions that they have put into practice?

Thanks in advance for your help!

John

2 REPLIES

martin_voros
Active Contributor
0 Kudos

Hi,

Another way is to use an identity management solution. Any IdM is pretty flexible. SAP has its own solution called SAP NetWeaver Identity Solution. There is a section dedicated to IdM here on SDN.

Cheers

Former Member
0 Kudos

Hi John,

There can be a manual control in place, and an individual should not assign role/s to himself / herself.

Otherwise, security team members can be assigned to a specific group (let's say Security) and they shouldn't have access to authorization S_USER_GRP with ACTVT 22 & CLASS - Security. There should be a dedicated power user to assign the role/s to the security team members and this can be audited (SM20 log for manual super user / FireFighter log for FireFighter user).

Thanks

Prasanna
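
The user-group control described in the last reply can be verified periodically with a small review script. The following is an added example, not code from the thread or from SAP: the CSV layout, the user names, the group name `SECURITY` and the function names are all assumptions, and the sample rows are constructed.

```python
import csv
import io

ASSIGN = "22"  # ACTVT value named in the reply above

# Constructed sample data. The CSV layout is an assumption: one row per
# S_USER_GRP authorization, values within a field separated by spaces.
SAMPLE = """user,own_group,actvt,class
SEC_ADMIN1,SECURITY,01 02 22,*
SEC_ADMIN2,SECURITY,03 22,HR* FINANCE
SEC_ADMIN3,SECURITY,22,HR
SEC_ADMIN3,SECURITY,03 08,SECURITY
SEC_ADMIN4,SECURITY,*,SEC*
POWER_USER,SUPER,22,SECURITY
"""

def covers(values, wanted):
    """True if any value matches: exact, full wildcard, or trailing '*'."""
    for v in values.split():
        if v == wanted or v == "*":
            return True
        if v.endswith("*") and wanted.startswith(v[:-1]):
            return True
    return False

def self_assign_risks(csv_text, protected_group):
    """Users inside protected_group who hold ACTVT 22 on that same group.

    Both fields must match within one authorization (one row); values from
    different authorizations of the same user are not combined.
    """
    risky = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["own_group"] != protected_group:
            continue
        if covers(row["actvt"], ASSIGN) and covers(row["class"], protected_group):
            risky.add(row["user"])
    return sorted(risky)

if __name__ == "__main__":
    for user in self_assign_risks(SAMPLE, "SECURITY"):
        print(f"{user}: can assign roles within own user group SECURITY")
```

Wildcard values are the usual way this control erodes: `SEC_ADMIN1` and `SEC_ADMIN4` never list the group explicitly, yet both are flagged.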