03-05-2007 5:06 AM
Hi All,
We are planning a redesign of the Authorization Structure for our company.
Disadvantages with the current structure are:
1. Too many roles per authorization template, making maintenance and support difficult.
2. Some users might need access to different company codes. This results in the number of roles assigned reaching the maximum number permitted.
For these reasons, we need to redesign our authorization template.
Any suggestions/pointers/documents welcome.
Please send the documents to my id tkayshanaseem@yahoo.com
Thank you very much.
aysha
03-05-2007 6:55 AM
Hi,
In our organisation we went through the same problem. Our authorization structure was a highly customized one. For this I assigned the functional key users the SAP_ALL and SAP_NEW profiles. Then I asked them one by one to do all the activities which they want the corresponding end users to carry out. While they did so I put them under authorization tracing via tcode ST01. After the trace was over I got a printout of the trace and designed the authorization structure for the concerned user according to the same. If traced carefully this can be a highly secured and satisfying one.
Try this.
Don't forget to award a point.
Regards
03-05-2007 8:02 AM
Remember that security is not a technical thing!!!
One gets the best results when Functional and Business experts sit together and describe the way the business should perform their tasks (this gives you the transaction list). In the aforementioned description they should also list the security risks in each task. That would give you the values for the Authorisation Objects.
And also remember that they should, as best as possible, list the forbidden transactions in each process as well!!
The latter is important to overcome diversions via transaction shopping after go-live.
Written down as above, you are facing a completely new implementation. If management does not like that, you can try to convince them by saying that the error is in the original implementation, as this should have been done then!
This process description should also be the basis for any training material written!