
Authorization structure - redesign

Former Member
0 Kudos

Hi All,

We are planning a redesign of the Authorization Structure for our company.

Disadvantages with the current structure are:

1. Too many roles per authorization template, making maintenance and support difficult.

2. Some users might need access to different company codes. This results in the number of roles assigned reaching the maximum number permitted.

For these reasons, we need to redesign our authorization template.

Any suggestions/pointers/documents welcome.

Please send the documents to my id tkayshanaseem@yahoo.com

Thank you very much.

aysha

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

In our organisation we went through the same problem. Our authorization structure was a highly customized one. For this I assigned the functional key users the sap_all and sap_new profiles. Then I asked them one by one to do all the activities which they want the corresponding end users to carry out. While they did so I put them under authorization tracing via tcode st01. After the trace was over I got a printout of the trace and designed the authorization structure for the concerned user according to the same. If traced carefully this can be a highly secured and satisfying one.

Try this.

Don't forget to award a point.

Regards

2 REPLIES

0 Kudos

Remember that security is not a technical thing!!!

One gets the best results when functional and business experts sit together and describe the way the business should perform its tasks (this gives you the transaction list). In the aforementioned description they should also list the security risks in each task. That would give you the values for the Authorisation Objects.

And also remember that they should, as best as possible, list the forbidden transactions in each process as well!!

The latter is important to overcome diversions via transaction shopping after go-live.

Written down as above, you are facing a complete new implementation. If management does not like that, you can try to convince them by saying that the error is in the original implementation, as this should have been done then!

This process description should also be the basis for any training material written!
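
Added example, not part of the original thread: one way to turn the authorization trace described in the accepted solution into a role proposal, while dropping transactions on the forbidden list the last reply asks for. The CSV column layout, the sample rows and the forbidden list are constructed assumptions; ST01 does not export in this form.

```python
import csv
import io
from collections import defaultdict

# Constructed sample trace. The column layout is an assumption made for this
# example: one row per authorization check seen while the key user worked.
SAMPLE_TRACE = """user,tcode,object,field,value
KEYUSER1,FB01,S_TCODE,TCD,FB01
KEYUSER1,FB01,F_BKPF_BUK,BUKRS,1000
KEYUSER1,FB01,F_BKPF_BUK,ACTVT,01
KEYUSER1,FB03,S_TCODE,TCD,FB03
KEYUSER1,FB03,F_BKPF_BUK,BUKRS,1000
KEYUSER1,FB03,F_BKPF_BUK,ACTVT,03
KEYUSER1,SE16,S_TCODE,TCD,SE16
KEYUSER1,FB01,F_BKPF_BUK,BUKRS,2000
"""

# Hypothetical list agreed between functional and business experts.
FORBIDDEN_TCODES = {"SE16"}


def propose_role(trace_csv, forbidden=frozenset()):
    """Aggregate traced checks into object -> field -> sorted values.

    Checks raised under a forbidden transaction are left out of the proposal
    and the transaction is reported, so a key user who wandered outside the
    agreed process while holding a wide profile does not widen the role.
    """
    values = defaultdict(lambda: defaultdict(set))
    rejected = set()
    for row in csv.DictReader(io.StringIO(trace_csv)):
        tcode = row["tcode"].strip().upper()
        if tcode in forbidden:
            rejected.add(tcode)
            continue
        values[row["object"]][row["field"]].add(row["value"].strip())
    proposal = {
        obj: {field: sorted(vals) for field, vals in fields.items()}
        for obj, fields in values.items()
    }
    return proposal, sorted(rejected)


if __name__ == "__main__":
    role, dropped = propose_role(SAMPLE_TRACE, FORBIDDEN_TCODES)
    for obj, fields in sorted(role.items()):
        print(obj, fields)
    print("not included (forbidden):", dropped)
```

The company codes seen in the trace end up as one value list on BUKRS, which makes it visible where a role differs only by organisational value.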