02-27-2012 8:48 AM
Hi ,
Iam trying to restrict unix file system access in SAP roles.
Q1. Is it fine if the access is restricted by S_DATASET only or access should also be restricted in S_PATH object.
Q2. if i start restricting using S_DATASET object with appropriate path names in roles. Most of the roles are parent -derived roles (inheritance relationship), and different value should be maintained in parent role and child role.
how this can be achieved ? Can FILENAME field in S_DATASET be made as organisational level ?
Please let me know if there is any best approach for the above scenario.
Thanks,
Sanketh.
02-27-2012 1:41 PM
Hi Sanketh,
A1: Yes, S_DATASET will control SAP users access to the paths at OS level. It works OK like that.
A2: No, it is not possible to create a hierarchy in the authorizations for S_DATASET. As you know, authorization objects in SAP are additive, so the final and real authorization is the less restrictive of all them existing in different roles assigned to a user.
Hope this helps
Best Regards
Francisco
02-28-2012 1:33 PM
Hi,
please check note 177702 for the relation of s_dataset to s_path.
You may change FILENAME to an orglevel field, if you really think, that so many users will need different values assigned through derived roles.
b.rgds, Bernhard