on 10-01-2014 8:38 AM
Hello Authorization Gurus,
I am working on an audit requirement to revoke certain critical permissions for a number of users.
The requirement states that a number of users (over 40) should have their permissions to view PSA tables under certain conditions in the backend of a BW system revoked.
Now, these over 40 users come from different departments with different functions and between them have about 28 different roles assigned to them.
The critical authorisations/permissions which were audited were composed of the following conditions:
Composition of critical permissions:
S_TABU_DIS: Authorization group &NC&; Activity 03 AND
(S_TCODE: Transaction code SE17 OR
S_TCODE: Transaction code SE16 OR
(S_TCODE: Transaction code START_REPORT OR
(S_TCODE: Transaction code SC38 AND
S_PROGRAM: ABAP/4 program authorization group *; User action ABAP/4 program SUBMIT) OR
((S_TCODE: Transaction code SE15 OR
S_TCODE: Transaction code SE80 OR
S_TCODE: Transaction code SE84 OR
S_TCODE: Transaction code SE85 OR
S_TCODE: Transaction code SE90 OR
S_TCODE: Transaction code SEU_INT) AND
S_DEVELOP: Activity 03) OR
((S_TCODE: Transaction code SA38 OR
S_TCODE: Transaction code SA38PARAMETER) AND
S_PROGRAM: User action ABAP/4 program SUBMIT) OR
S_TCODE: Transaction code SUB% OR
((S_TCODE: Transaction code SE38 OR
S_TCODE: Transaction code SEU_INT_ENH) AND
S_DEVELOP: Object type PROG; Activity 03)))
Contained critical values:

| Object | Field | Value |
|---|---|---|
| S_TABU_DIS | DICBERCLS | Without authorization group (&NC&) |
| S_TABU_DIS | ACTVT | Display (03) |
| S_TCODE | TCD | TCD (SE17) |
| S_TCODE | TCD | Table display / maintenance SE16 (SE16) |
| S_TCODE | TCD | Execute reports (START_REPORT) |
| S_TCODE | TCD | Cross-system program execution (SC38) |
| S_PROGRAM | P_GROUP | All (*) |
| S_PROGRAM | P_ACTION | Execute (SUBMIT) |
| S_TCODE | TCD | Dictionary info system (SE15) |
| S_TCODE | TCD | Repository info system (SE80) |
| S_TCODE | TCD | Repository info system (SE84) |
| S_TCODE | TCD | ABAP/4 Dictionary info system (SE85) |
| S_TCODE | TCD | Process model info system (SE90) |
| S_TCODE | TCD | Object Browser (SEU_INT) |
| S_DEVELOP | ACTVT | Display (03) |
| S_TCODE | TCD | Reporting (SA38) |
| S_TCODE | TCD | Scheduling PFCG_TIME_DEPENDENCY (SA38PARAMETER) |
| S_PROGRAM | P_ACTION | Execute (SUBMIT) |
| S_TCODE | TCD | Internal call: submit via OK code (SUB%) |
| S_TCODE | TCD | ABAP Editor (SE38) |
| S_TCODE | TCD | Object Browser (SEU_INT_ENH) |
| S_DEVELOP | OBJTYPE | ABAP programs (PROG) |
| S_DEVELOP | ACTVT | Display (03) |
Now, my problem is this:
These permissions need to be withdrawn in compliance with audit demands. However, I cannot just remove the role assignments because these roles give the users a multitude of other permissions which cannot be tampered with. Plus, they are not all simply within a single department or group, nor do they belong to one or similar profiles, but cut across several different cross-sections of the enterprise.
What is the best strategy to go about withdrawing the specified permissions listed above without tampering with the rest of the authorisations/permissions contained within the assigned roles?
I would be very grateful for any assistance on this issue.
Best Regards,
Uche
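The audit rule quoted in the question can be evaluated mechanically against each user's merged authorizations, which makes it easy to confirm that a planned restriction actually clears the finding before anything is changed in production. The following Python is an added example, not code from the original post or from SAP: it models a user's authorizations as object/field/value lists with SAP-style `*` wildcards, encodes the rule as a predicate, and simulates a removal; the sample users `ANALYST`, `DEVELOPER` and `REPORT_USER` are constructed. Because `S_TABU_DIS` with `&NC&`/`03` is the AND root of the rule, restricting that single object clears every branch at once, which the last check demonstrates.

```python
from fnmatch import fnmatchcase

# Merged authorizations of a user as [(object, {field: [values]})]; values may hold SAP '*' wildcards.
def has(auths, obj, **fields):
    """True if one authorization for `obj` covers every requested field value."""
    for o, fv in auths:
        if o == obj and all(any(fnmatchcase(want, pat) for pat in fv.get(f, []))
                            for f, want in fields.items()):
            return True
    return False

def tcode(auths, *codes):
    return any(has(auths, "S_TCODE", TCD=c) for c in codes)

def is_critical(auths):
    """The audit rule from the post: S_TABU_DIS &NC&/03 AND one of the display/execute paths."""
    if not has(auths, "S_TABU_DIS", DICBERCLS="&NC&", ACTVT="03"):
        return False                      # the AND root: without it no branch can fire
    submit_all = has(auths, "S_PROGRAM", P_GROUP="*", P_ACTION="SUBMIT")
    submit = has(auths, "S_PROGRAM", P_ACTION="SUBMIT")
    dev_display = has(auths, "S_DEVELOP", ACTVT="03")
    prog_display = has(auths, "S_DEVELOP", OBJTYPE="PROG", ACTVT="03")
    return (tcode(auths, "SE17", "SE16", "START_REPORT", "SUB%")
            or (tcode(auths, "SC38") and submit_all)
            or (tcode(auths, "SE15", "SE80", "SE84", "SE85", "SE90", "SEU_INT") and dev_display)
            or (tcode(auths, "SA38", "SA38PARAMETER") and submit)
            or (tcode(auths, "SE38", "SEU_INT_ENH") and prog_display))

def without(auths, obj, **fields):
    """Simulate a remediation: drop every authorization for `obj` that covers the given values."""
    return [(o, fv) for o, fv in auths if not (o == obj and has([(o, fv)], obj, **fields))]

# Constructed sample users (hypothetical, not from the post)
ANALYST = [("S_TABU_DIS", {"DICBERCLS": ["&NC&"], "ACTVT": ["03"]}),
           ("S_TCODE", {"TCD": ["RSA1", "SE16"]})]
DEVELOPER = [("S_TABU_DIS", {"DICBERCLS": ["*"], "ACTVT": ["*"]}),   # '*' still covers &NC&/03
             ("S_TCODE", {"TCD": ["SE38"]}),
             ("S_DEVELOP", {"OBJTYPE": ["PROG"], "ACTVT": ["03"]})]
REPORT_USER = [("S_TABU_DIS", {"DICBERCLS": ["&NC&"], "ACTVT": ["03"]}),
               ("S_TCODE", {"TCD": ["RSA1", "SE38"]})]              # SE38 but no S_DEVELOP PROG/03

if __name__ == "__main__":
    for name, u in [("ANALYST", ANALYST), ("DEVELOPER", DEVELOPER), ("REPORT_USER", REPORT_USER)]:
        print(name, "critical:", is_critical(u))
    print("ANALYST after removing S_TABU_DIS &NC&:",
          is_critical(without(ANALYST, "S_TABU_DIS", DICBERCLS="&NC&")))
```

Feed it the authorizations of the real test IDs from SUIM/PFCG and it tells you which of the 28 roles still satisfy the rule after each proposed change.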
Hello,
See if the user community belongs to report execution or normal navigation of reports; if so, removal of the above authorizations will not create any issues.
And even in the case of a BI developer in a production system, these transactions are rarely used.
Now the best approach will be to create test IDs with the above objects removed and try it out with the user.
Regards
Gajesh
Dear Uche,
We also face this kind of requirement when a new security note is applied, which sometimes mandates certain authorization restrictions.
What we do is replicate the new role with the new restrictions in the quality system and create new test IDs. We then do our regular activities for a period of time using these test IDs, and once we find that there is no impact on our regular work, we replicate the same thing in production for our regular IDs.
Authorization can sometimes be a show stopper. Therefore I recommend you test it out in your quality environment for some of the users and then clone them to your production environment.
Regards
Gajesh