PFCG Authorization Updates

former_member530892
Discoverer
0 Kudos

Hi,

To reorganize the work inside our SAP team, we are discussing who should be responsible for PFCG authorization modifications for the functions (MM, FI, CO, HR, Sales).

Please advise on the best practice from SAP: who can better handle PFCG authorization modifications for the functions (MM, FI, CO, HR, Sales), the BASIS team or the function consultants?

Best Regards

Fawzy Ibrahim

4 REPLIES

Colleen
Advisor
0 Kudos

Hi Fawzy


the BASIS team or the function consultants?

I'd say the security team

Whoever you choose, ensure they are actually trained and knowledgeable about PFCG/SU24/general security. Splitting role maintenance across several teams can create inconsistent role build.

Basis might know how to click and tick boxes (or at least a step ahead of 'just assign sap_all') but they need to understand what the authorisations are for and how to appropriately restrict for functional requirements. Both may know how to build but do they understand how to interpret a misleading authorisation failure check in a trace?

Best practice is to choose someone who is competent

Regards

Colleen

Former Member
0 Kudos

Accountable are the MM, FI, CO, HR, SALES etc. business process owners. They should initiate all role changes.

Responsible for the actual changes in the system normally is the security team.

Former Member
0 Kudos

Hi

S_USER_GRP

0 Kudos

Fawzy,

If the company you work for/contract for has to adhere to SOX compliancy, then you definitely do not want the Basis folks doing security. This is for the security team to define the authorizations, modifications, roles, etc., related to SAP Security.