Audit Requirement: Revoking critical user authorizations/permissions within roles that need to remain assigned

Former Member
0 Kudos

Hello Authorization Gurus,

I am working on an audit requirement to revoke certain critical permissions for a number of users.

The requirement states that a number of users (over 40) should have their permissions to view PSA tables under certain conditions in the backend of a BW system revoked.

Now, these over 40 users come from different departments with different functions and between them have about 28 different roles assigned to them.

The critical authorisations/permissions which were audited were composed of the following conditions:


Composition of critical permissions:

S_TABU_DIS: authorization group &NC&; activity 03                                    AND
(S_TCODE: transaction code SE17                                                      OR
 S_TCODE: transaction code SE16                                                      OR
 (S_TCODE: transaction code START_REPORT                                             OR
  (S_TCODE: transaction code SC38                                                    AND
   S_PROGRAM: authorization group ABAP/4 program *; user action ABAP/4 program SUBMIT) OR
  ((S_TCODE: transaction code SE15                                                   OR
    S_TCODE: transaction code SE80                                                   OR
    S_TCODE: transaction code SE84                                                   OR
    S_TCODE: transaction code SE85                                                   OR
    S_TCODE: transaction code SE90                                                   OR
    S_TCODE: transaction code SEU_INT)                                               AND
   S_DEVELOP: activity 03)                                                           OR
  ((S_TCODE: transaction code SA38                                                   OR
    S_TCODE: transaction code SA38PARAMETER)                                         AND
   S_PROGRAM: user action ABAP/4 program SUBMIT)                                     OR
  S_TCODE: transaction code SUB%                                                     OR
  ((S_TCODE: transaction code SE38                                                   OR
    S_TCODE: transaction code SEU_INT_ENH)                                           AND
   S_DEVELOP: object type PROG; activity 03)))

 

Contained critical values:

Object        Field name    Value
S_TABU_DIS    DICBERCLS     without authorization group (&NC&)
              ACTVT         Display (03)
S_TCODE       TCD           TCD (SE17)
S_TCODE       TCD           Table display / maintenance SE16 (SE16)
S_TCODE       TCD           Execute reports (START_REPORT)
S_TCODE       TCD           Cross-system program execution (SC38)
S_PROGRAM     P_GROUP       All (*)
              P_ACTION      Execute (SUBMIT)
S_TCODE       TCD           Dictionary info system (SE15)
S_TCODE       TCD           Repository info system (SE80)
S_TCODE       TCD           Repository info system (SE84)
S_TCODE       TCD           ABAP/4 Dictionary info system (SE85)
S_TCODE       TCD           Process model info system (SE90)
S_TCODE       TCD           Object Browser (SEU_INT)
S_DEVELOP     ACTVT         Display (03)
S_TCODE       TCD           Reporting (SA38)
S_TCODE       TCD           Scheduling PFCG_TIME_DEPENDENCY (SA38PARAMETER)
S_PROGRAM     P_ACTION      Execute (SUBMIT)
S_TCODE       TCD           Internal call: submit via OK code (SUB%)
S_TCODE       TCD           ABAP Editor (SE38)
S_TCODE       TCD           Object Browser (SEU_INT_ENH)
S_DEVELOP     OBJTYPE       ABAP programs (PROG)
              ACTVT         Display (03)

Now, my problem is this:

These permissions need to be withdrawn in compliance with audit demands. However, I cannot just remove the role assignments because these roles give the users a multitude of other permissions which cannot be tampered with. Plus: they are not all simply within a single department or group, nor do they belong to one or similar profiles, but cut across several different cross-sections of the enterprise.

What is the best strategy to go about withdrawing the specified permissions listed above without tampering with the rest of the authorisations/permissions contained within the assigned roles?

I would be very grateful for any assistance on this issue.

Best Regards,

Uche
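The audit finding above is a boolean composition over authorization values, and the practical question is which of the 28 roles carries the leaf values that make it true for each user, and whether a planned role change actually clears the finding. The following is an added example (not code from the thread, and not an SAP tool) that encodes the quoted composition as a rule, evaluates it against each user's effective authorizations, reports which roles grant each satisfied leaf, and re-runs the check against a trial copy of the roles with one value removed. The role names (Z_BW_*), their contents and the user assignments are constructed sample data; `*` in a granted value is treated as a wildcard as in a PFCG field value (a simplification: fnmatch also honours `?` and `[...]`, which PFCG does not).

```python
"""Evaluate an audit's critical-authorization rule against users' effective
authorizations and simulate a role change before touching production.

Added example, not from the original thread. Role contents, user assignments
and role names (Z_BW_*) are constructed sample data; the rule itself is the
composition quoted in the audit finding."""
from copy import deepcopy
from fnmatch import fnmatchcase

# Rule nodes: ("AND", *nodes), ("OR", *nodes), ("AUTH", object, {field: value})
def TC(tcode):
    return ("AUTH", "S_TCODE", {"TCD": tcode})

# The audit's composition: S_TABU_DIS &NC&/03 AND one of the table-display paths.
CRITICAL_RULE = ("AND",
    ("AUTH", "S_TABU_DIS", {"DICBERCLS": "&NC&", "ACTVT": "03"}),
    ("OR",
        TC("SE17"), TC("SE16"), TC("START_REPORT"),
        ("AND", TC("SC38"), ("AUTH", "S_PROGRAM", {"P_GROUP": "*", "P_ACTION": "SUBMIT"})),
        ("AND", ("OR", TC("SE15"), TC("SE80"), TC("SE84"), TC("SE85"), TC("SE90"), TC("SEU_INT")),
                ("AUTH", "S_DEVELOP", {"ACTVT": "03"})),
        ("AND", ("OR", TC("SA38"), TC("SA38PARAMETER")),
                ("AUTH", "S_PROGRAM", {"P_ACTION": "SUBMIT"})),
        TC("SUB%"),
        ("AND", ("OR", TC("SE38"), TC("SEU_INT_ENH")),
                ("AUTH", "S_DEVELOP", {"OBJTYPE": "PROG", "ACTVT": "03"}))))

# Constructed sample roles. Each role is a list of authorization instances; each
# instance is (object, {field: [granted values]}). As in the SAP check, all fields
# of one AUTH leaf must be covered by the *same* instance, not spread across two.
ROLES = {
    "Z_BW_REPORT_USER": [
        ("S_TCODE", {"TCD": ["RRMX", "SE16"]}),
        ("S_TABU_DIS", {"DICBERCLS": ["&NC&"], "ACTVT": ["03"]}),
    ],
    "Z_BW_DEV_DISPLAY": [
        ("S_TCODE", {"TCD": ["SE80", "SE38"]}),
        ("S_DEVELOP", {"OBJTYPE": ["PROG"], "ACTVT": ["03"]}),
        ("S_TABU_DIS", {"DICBERCLS": ["*"], "ACTVT": ["03"]}),   # "*" covers &NC& too
    ],
    "Z_BW_MONITOR": [
        ("S_TCODE", {"TCD": ["RSA1", "SM37"]}),
        ("S_TABU_DIS", {"DICBERCLS": ["RSAD"], "ACTVT": ["03"]}),
    ],
}
USERS = {   # constructed user -> role assignments
    "UCHE": ["Z_BW_REPORT_USER", "Z_BW_MONITOR"],
    "ANNA": ["Z_BW_DEV_DISPLAY"],
    "BEN":  ["Z_BW_MONITOR"],
}

def instance_covers(instance, obj, required):
    """One authorization instance covers every required field value (wildcards allowed)."""
    o, fields = instance
    return o == obj and all(
        any(fnmatchcase(value, granted) for granted in fields.get(field, []))
        for field, value in required.items())

def evaluate(node, auths):
    kind = node[0]
    if kind == "AUTH":
        return any(instance_covers(inst, node[1], node[2]) for inst in auths)
    results = (evaluate(child, auths) for child in node[1:])
    return all(results) if kind == "AND" else any(results)

def effective_auths(user, roles=ROLES, users=USERS):
    """Union of the authorization instances from all roles assigned to the user."""
    return [inst for role in users[user] for inst in roles[role]]

def flagged_users(roles=ROLES, users=USERS):
    return sorted(u for u in users if evaluate(CRITICAL_RULE, effective_auths(u, roles, users)))

def explain(user, roles=ROLES, users=USERS):
    """Map each satisfied AUTH leaf to the roles that grant it: this is where to cut."""
    hits = {}
    def walk(node):
        if node[0] == "AUTH":
            granting = [r for r in users[user]
                        if any(instance_covers(i, node[1], node[2]) for i in roles[r])]
            if granting:
                hits[f"{node[1]} {node[2]}"] = granting
        else:
            for child in node[1:]:
                walk(child)
    walk(CRITICAL_RULE)
    return hits

def without_value(roles, role, obj, field, value):
    """Trial copy of the roles with one granted value removed from one object in one role."""
    new = deepcopy(roles)
    for o, fields in new[role]:
        if o == obj and value in fields.get(field, []):
            fields[field].remove(value)
    return new

if __name__ == "__main__":
    print("flagged now:", flagged_users())
    for u in flagged_users():
        print(u, explain(u))
    trial = without_value(ROLES, "Z_BW_REPORT_USER", "S_TABU_DIS", "DICBERCLS", "&NC&")
    print("flagged after removing &NC& from Z_BW_REPORT_USER:", flagged_users(trial))
```

Run against the sample data, UCHE and ANNA are flagged; removing &NC& from the reporting role clears UCHE but leaves ANNA flagged, because her developer role grants DICBERCLS `*`, which still covers &NC&. That is the kind of result the trial run is meant to surface before a cloned role reaches production: cutting the literal value from one role is not enough when another assigned role carries a wildcard. The evaluator only models role content; it does not see manually assigned profiles, reference users or the actual generated profiles, so a real check still ends with SUIM or a trace on the test IDs.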

Accepted Solutions (1)


former_member186399
Active Contributor
0 Kudos

Hello,

See if the user community belongs to report execution or normal navigation of reports; removal of these above authorizations will not create any issues.

And even in the case of a BI developer in production system these transactions are rarely used.

Now the best approach will be to create test ids with removing the above objects and trying it out with the user.

Regards

Gajesh

Former Member
0 Kudos

Hi Gajesh,

thanks for the response.

Would you recommend cloning the roles in question, adjusting the specific parameter value and then reassigning the cloned roles?

I think this way the most disruption would be caused, right?

Best Regards,

Uche


former_member186399
Active Contributor
0 Kudos

Dear Uche,

We also face this kind of requirement when a new security note is applied which sometimes mandates certain authorization restrictions.

What we do is replicate the new role with the new restrictions in the quality system and create new test IDs. We do our regular activities for a period of time using these test IDs, and once we find that there is no impact on our regular work, we replicate the same thing in production for our regular IDs.

Authorization can sometimes be a show stopper. Therefore I recommend you test it out in your quality environment for some of the users and then clone them to your production environment.

Regards

Gajesh


Former Member
0 Kudos

Thank you very much for your input Gajesh!

Will implement and post feedback here.

Best Regards,

Uche

Answers (0)