Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
Authorisation of Backend Users given on SAP Router connections

Former Member
0 Kudos

Hello all

We provide connectivity to SAP Corp. over our SAP Router to all our systems. This is used for resolving trouble tickets and for problem diagnosis.

When SAP Corp. employees connect to our systems, they are provided with a dialog user which is used only for this purpose. This user has SAP_ALL, which on a recent audit showed up as bad practice. This is understandable, as we put very high effort into preventing usage of SAP_ALL for internal staff.

SAP Corp. employees claim they require only read access to our systems; they don't want to be responsible for interrupting our production systems. Nevertheless, so far nobody has been able to tell us what authorisations we should assign to these users.

The audit recommendation is something like this: "Take away SAP_ALL and assign a role with read-only access to non-sensitive data."

Our management is obviously afraid that if we remove too much, we will not get proper support from SAP Corp. anymore.

Does anyone have a suggestion how we could overcome this situation?

How have others resolved authorisation for SAP Corp. staff on their systems?

Thank you.

Regards

Thomas

2 REPLIES 2

Former Member
0 Kudos

Hi Thomas,

You can build a display role with all authorization objects in SAP_ALL. Building this role has been discussed many times in the forum; you can search for the same.

Apart from that, you may choose to remove access to critical HR data (like SSN, ethnicity, ...) if required and grant the same only on a needed basis to SAP support.

Regards,

Ajesh.
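The "display role derived from SAP_ALL" approach in the reply above can be sketched as a small script. This is an added example, not code from the thread or from SAP: it takes a constructed list of authorizations (object name plus field values, the shape a role's authorization data has), narrows every activity field to non-modifying values, and sets aside objects that carry sensitive HR data so they can be granted on request. The standard ACTVT codes used (01 create, 02 change, 03 display, 06 delete, 08 display change documents, 16 execute) are well-known SAP values; which of them count as "display" for a given object is an assumption to verify per object, and the object list below is sample input only.

```python
"""Derive a display-only role from a full-access role's authorizations.

Added example, not from the forum thread. The authorization data below is
constructed sample input, not a real profile export.
"""
from dataclasses import dataclass

# Activity values assumed not to modify data. Verify per object before reuse.
DISPLAY_ACTVT = {"03", "08"}

# Objects whose data is sensitive enough that even display access is granted
# only on request (the reply's HR example). Constructed list.
SENSITIVE_OBJECTS = {"P_ORGIN", "P_PERNR"}


@dataclass
class Authorization:
    obj: str                      # authorization object, e.g. S_TABU_DIS
    fields: dict[str, set[str]]   # field name -> allowed values


def derive_display_role(auths, sensitive=SENSITIVE_OBJECTS):
    """Return (kept, dropped).

    kept    - authorizations narrowed to display activities
    dropped - (object, reason) pairs that need a manual decision
    """
    kept, dropped = [], []
    for a in auths:
        if a.obj in sensitive:
            dropped.append((a.obj, "sensitive object, grant on request only"))
            continue
        if "ACTVT" not in a.fields:
            # Objects without an activity field (e.g. S_TCODE) cannot be
            # narrowed by activity; keep them and review separately.
            kept.append(a)
            continue
        display_only = a.fields["ACTVT"] & DISPLAY_ACTVT
        if not display_only:
            # Nothing read-only to keep (e.g. an execute-only object).
            dropped.append((a.obj, "no display activity present"))
            continue
        narrowed = dict(a.fields)
        narrowed["ACTVT"] = display_only
        kept.append(Authorization(a.obj, narrowed))
    return kept, dropped


# Constructed "full access" sample standing in for a SAP_ALL-derived role.
SAMPLE_FULL_ROLE = [
    Authorization("S_TCODE", {"TCD": {"SE16", "SU01"}}),
    Authorization("S_TABU_DIS", {"ACTVT": {"02", "03"}, "DICBERCLS": {"*"}}),
    Authorization("S_USER_GRP", {"ACTVT": {"01", "02", "03", "06"}, "CLASS": {"*"}}),
    Authorization("S_RFC", {"ACTVT": {"16"}, "RFC_NAME": {"*"}, "RFC_TYPE": {"FUGR"}}),
    Authorization("P_ORGIN", {"ACTVT": {"03"}, "INFTY": {"0002"}}),
]


def summarize(auths=SAMPLE_FULL_ROLE):
    """Human-readable report of what the derived display role contains."""
    kept, dropped = derive_display_role(auths)
    lines = ["Kept (display only):"]
    lines += [f"  {a.obj}: {a.fields}" for a in kept]
    lines.append("Needs a decision:")
    lines += [f"  {obj}: {why}" for obj, why in dropped]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize())
```

Run it to see which objects survive with ACTVT narrowed to 03 and which need an explicit decision; in the sample, S_RFC (execute only) and the HR object P_ORGIN land in the "needs a decision" list rather than being silently kept or silently dropped.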

Bernhard_SAP
Employee
0 Kudos

Hello Thomas,

please consider SAP note 1154550!

Ask the SAP supporter which authorizations he/she requires - they should know more or less what they will need to execute. Asking for SAP_ALL is inappropriate in my opinion...

So you need to suggest, from case to case, which authorizations you grant.

Also, using only one generic ('SAPSupport') user for all connections from SAP to your system can lead to problems - consider, if somebody performs a change to your system, how you would find out after some time which physical person that was...

A good idea is to use user-IDs like OSS<message number>, SAP<incident> or similar.

b.rgds, Bernhard