Hi Auke,

Can you be a bit more clear as to what additional access the functional consultants are requesting for and the need for it?

Nagarajan

There are times when update access is legitimately required in production. Those times are rare, in my experience, in a stable system. In such a scenario, internal SAP support staff and consultants should only have read-only access as a general rule, with update access being given on a case-by-case basis and for a limited time only. Even better, implement Superuser Privilege Management (aka Firefighter) from the GRC suite and use that for all update access for support staff. That gives good control, and more importantly, an audit trail.

When new functionality is being rolled out, things are different. It is reasonable for consultants to have update access for the first few days of a go-live, to be able to sort out issues quickly. Although if you have SPM implemented you can use that even here and still not have regular users with update access.

Steve.

I'm with Steve on this - display access for day to day work and some sort of SUPM type tool for emergencies and ad hoc requirements.

One of the advantages of this is that if the temporary Super User auths need to be approved by someone in the business, it gives them a good overview of just how many and what type of non-standard events are occurring in their system.

I had a recent client where the functional consultants had update auths in PRD from day one, and they were using them on a daily basis but the wider business had no idea just how frequently this happened because there was no SUPM / approval process involved. And of course, trying to restrict them to display authorizations was met with fierce resistance, because they knew that it would expose just how many things they were fixing "on the fly".

Lock 'em down nice and tight

Auke,

I agree with Will and Steve. Just wanted to inform you that if you don't have the GRC suite to implement Firefighter, it is also possible to create your own similar solution by the ABAP development team.

And maybe your functional consultants are aslo part of a helpdesk team and you work with a helpdesk solution that makes it possible to view the screens of other people? In that case the functional team members can have a look at the users that are in need of help to see what is going wrong.

For authorizations restrictions they will only need display authorizations in production for their module, and update authorizations that are corresponding to their function. In case of emergencies they can have temporary broader authorizations via the firefighter solution. The firefighter use is monitored and approved by management.