Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Context-Sensitive Security - What about SAP* in OOSB?

Go to solution
former_member1308046
Explorer

‎05-06-2014 8:11 PM

0 Kudos

We are implementing Context-Sensitive Security. Once we're ready to Go-Live, we'll empty the table T77UA (OOSB). Do we need to leave SAP* or we can completely delete the table?

Since the table is no longer read (we've activated the BAdi to do the virtual assignment), I would think it's ok to remove it but I have a small doubt.

Can someone confirm that SAP* is no longer required in OOSB when we activate context-sensitive security?

Thanks

Sophie

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎05-09-2014 8:41 AM

0 Kudos

Hi Sophie,

The OOSB entry for SAP* is the fallback profile for when no other structural profile is found. Even if you activated the BADI (assuming HRBAS00_GET_PROFL), it is still possible that it throws a no_profile_found and in that case the user will get the profile that SAP* has in table OOSB.

I wouldn't suggest deleting the entry. Replacing it with a basic profile like Julius suggested is probably the best idea, but this is only recommended when your BADI logic will return a profile for your background and system users.

Good luck!

Brent

4 REPLIES 4

Go to solution
ronen_weisz
Active Contributor

‎05-07-2014 10:10 PM

0 Kudos

I would make sure that your system/service users (ALEREMOTE/DDIC/WF-BATCH etc.) are working o.k .

Go to solution
Former Member

‎05-07-2014 10:19 PM

0 Kudos

I would recommend replacing it with something like SAP_DUMMY which can at least read and match code on 1001 and 0105... (the PLOG sort of things).

As Ronen mentioned, you should change this BEFORE you restrict some system type user's access as they don't have personnel numbers.

Which BADI are you referring to? If it is in a central API then you might be OK. If not or there is hardcoding outside of the reserved API then you could be in for surprises.

Cheers,

Julius

Go to solution
Former Member

‎05-09-2014 8:41 AM

0 Kudos

Hi Sophie,

The OOSB entry for SAP* is the fallback profile for when no other structural profile is found. Even if you activated the BADI (assuming HRBAS00_GET_PROFL), it is still possible that it throws a no_profile_found and in that case the user will get the profile that SAP* has in table OOSB.

I wouldn't suggest deleting the entry. Replacing it with a basic profile like Julius suggested is probably the best idea, but this is only recommended when your BADI logic will return a profile for your background and system users.

Good luck!

Brent

Go to solution
former_member1308046
Explorer
In response to Former Member

‎05-09-2014 4:20 PM

0 Kudos

Thanks all for your answers. We'll leave the entry SAP* in the table, to make sure we don't impact anything.