
SAP security issue

Former Member
0 Kudos

Dear SAP,

I have one doubt in SAP security: I need to give full FICO module tcode authorisation to one user ID, only full authorisation for FICO module tcodes.

The remaining modules' tcodes should not work. Is this possible in SAP? Please help me: is it possible or not?

regards

suresh

5 REPLIES 5

Former Member
0 Kudos

If you have a list of transaction codes you want to give to this user then obviously you can just build a role that includes them all and assign that role to the one user. Whether the transactions come from one module or many doesn't really matter.

Or am I misunderstanding?

Steve.

koehntopp
Product and Topic Expert
0 Kudos

Hi Suresh,

I think I know that requirement - it's basically a FICO Superuser - but I don't think that's a good idea at all:

  • Financial systems of record have to comply with regulatory requirements, which are there to make sure your company's financial statement reflects accurate business transactions and cannot be tampered with. Creating a superuser violates that requirement and will get you and your company in trouble.

    A FICO Superuser like that has full access to all financial access, including fraud, theft and forgery. Not a good idea.

  • I would also challenge the assumption that "other module TCodes will not work" - creating that role will require you to add so many authorization objects to make it work that it will definitely spill over into other modules (BC, MM, SD...)

An option to do that is a tool like SAP GRC Superuser Privilege Management, which will allow you to track access to that user and log activities so that you can at least have someone watch these activities (dual control principle).

I will also be frank and read into your question that you're not an authorization expert - please do yourself a favour and get someone knowledgeable to help you to prevent damage to the company.

I would recommend you challenge the requirement, point out the (obvious) dangers and ask for suggestions and approval on how to deal with them on a governance level.

Kind regards,

Frank.

Former Member
0 Kudos

I agree with the statement from Frank.

It is possible but you really don't want this in your system. It is a security issue if one person will get all the authorizations. Your auditor can confirm this.

A good solution might be giving the user display authorizations for FICO, combined with a solution like the Superuser Privilege Management to monitor the (temporary) wide authorizations for the user.

Even if you don't have GRC you can build this solution in the system with the help of the developers.

Good luck!

Meta

Former Member
0 Kudos

Hi,

From the security perspective it is advisable to give full access of one module to any user ID.

We need to create new roles according to the business requirement and add those roles to the particular user ID.

Regards

Venkat

Former Member
0 Kudos

Hello

First discuss with the Process Owners of FICO and get the tcodes for each job description/process; once this file is ready, start with the development of roles.

Also be careful of critical tcodes; you can discuss these with the Process Owners well in advance.

Thanks