05-06-2015 12:56 PM
Hi,
There is a requirement: when a new authorization object is created in SU21, an alert or mail will be sent to the security team every time. Is there any BADI or exit available to write the code? Or is there any standard workflow task with which we could cover this requirement?
Thanks and Regards
Sudarshan Gaikwad
06-10-2015 1:25 PM
Hi All,
Thanks for your replies and suggestions. Those suggestions really helped me to reach my solution.
I have resolved this with an implicit enhancement at the time of saving the authorization object in SU21.
I have found that PGMID = R3TR, OBJECT = SUSO and OBJ_NAME = ZTEST (authorization object name).

| # | Implicit Enhancement | Purpose of Enhancement | Comments |
|---|---|---|---|
| 1 | LTMW_PROJECT_LOCKF01 | When the transport request is saved, we can trigger our code in this include | Useful for our requirement |

We can also do it programmatically in other ways, but in my case we were required to implement it in an implicit enhancement point only.
Other options we can also consider are below.

| # | BADI Name | Purpose of BADI | Comments |
|---|---|---|---|
| 1 | CTS_CURRENT_PROJECT | On the basis of the authorization object check (SUSO) we can proceed to our requirement | Useful for our requirement |
05-06-2015 7:52 PM
Hi,
That is an interesting and unusual requirement. I doubt that there is anything standard from SAP. You could try to find a suitable implicit enhancement point to trigger custom code. Another simple solution would be to schedule a job that would read change documents. This would not be real time but it may be sufficient. May I ask how often you create a new authorization object?
Cheers
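
One way to build the scheduled-job alternative suggested above, added here as an example and not code posted by anyone in the thread. Instead of change documents it reads the transport object list (E071 joined to E070) for the `R3TR` / `SUSO` key named in the solution post and mails the hits through BCS. The report name, the look-back parameter and the recipient address are assumptions.

```abap
REPORT z_alert_suso_in_transports.
* Added example: run as a periodic background job in DEV.
* Assumptions: report name, p_days and gc_rcpt are placeholders.
* The query cannot tell a new object from a changed one; both are listed.
PARAMETERS p_days TYPE i DEFAULT 1.
CONSTANTS gc_rcpt TYPE ad_smtpadr VALUE 'security-team@example.com'.

TYPES: BEGIN OF ty_hit,
         trkorr   TYPE e070-trkorr,
         as4user  TYPE e070-as4user,
         as4date  TYPE e070-as4date,
         obj_name TYPE e071-obj_name,
       END OF ty_hit.
DATA: gt_hits TYPE STANDARD TABLE OF ty_hit,
      gs_hit  TYPE ty_hit,
      gt_text TYPE bcsy_text,
      gs_line TYPE soli,
      gv_from TYPE d,
      gv_msg  TYPE string,
      go_send TYPE REF TO cl_bcs,
      go_doc  TYPE REF TO cl_document_bcs,
      go_rcpt TYPE REF TO if_recipient_bcs,
      gx_bcs  TYPE REF TO cx_bcs.

START-OF-SELECTION.
  gv_from = sy-datum - p_days.
* Requests/tasks changed since gv_from that contain an authorization object.
  SELECT h~trkorr h~as4user h~as4date o~obj_name
    FROM e071 AS o INNER JOIN e070 AS h ON h~trkorr = o~trkorr
    INTO TABLE gt_hits
    WHERE o~pgmid = 'R3TR' AND o~object = 'SUSO' AND h~as4date >= gv_from.
  IF gt_hits IS INITIAL.
    RETURN.                              " nothing to report
  ENDIF.
  SORT gt_hits BY obj_name trkorr.
  LOOP AT gt_hits INTO gs_hit.           " one mail line per object/request pair
    CONCATENATE gs_hit-obj_name gs_hit-trkorr gs_hit-as4user gs_hit-as4date
      INTO gs_line-line SEPARATED BY ' | '.
    APPEND gs_line TO gt_text.
  ENDLOOP.
  TRY.
      go_doc = cl_document_bcs=>create_document(
                 i_type = 'RAW' i_text = gt_text
                 i_subject = 'SUSO objects in transports' ).
      go_send = cl_bcs=>create_persistent( ).
      go_send->set_document( go_doc ).
      go_rcpt = cl_cam_address_bcs=>create_internet_address( i_address_string = gc_rcpt ).
      go_send->add_recipient( i_recipient = go_rcpt ).
      go_send->send( ).
      COMMIT WORK.                       " hands the mail over to SAPconnect
    CATCH cx_bcs INTO gx_bcs.
      gv_msg = gx_bcs->get_text( ).
      MESSAGE gv_msg TYPE 'I'.           " ends up in the job log
  ENDTRY.
```

An object sits in a task first and in the request after task release, so the same object can be listed under more than one number.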
05-06-2015 9:50 PM
Often the creation of an auth object and checking it in a program bypasses the security folks who maintain SU24 and roles.
So such an alert can be useful as a ping to ask what the object is for and which tcodes / roles it belongs to.
I use a slightly similar approach to alert about testing the QAS system.
If they transport the program without the object, then it cannot pass an auth test and alerts.
If they transport the object as well, then alerts if they test and the check fails.
If they transport to production in the wrong sequence or do not test, then it fails in production.
Probably another good check point earlier in the process would be the TMS BADI -> if an authorization object is in a transport being released, then an alert mail is sent from the DEV system. You will get a few false-positives if whole packages are transported, but at least you will get to hear about it, and upgrades, etc.
Not a bad idea!
Cheers,
Julius
05-07-2015 7:22 AM
Hi,
I understand why a notification about a new authorization object is a good idea. But it seems to me that a technical solution is overkill for an event that happens not so often in my experience. Your idea of using a BADI for transport release is a good solution that uses a BADI delivered by SAP. Another would be to remove the authorization to create objects in DEV so they would have to request it.
Cheers
05-07-2015 11:02 AM
Not sure whether removing S_DEVELOP auths in DEV will last very long.
The TMS BADI has the advantage that they can develop in peace -> check happens when they decide they are ready to transport.
Cheers,
Julius
05-14-2015 10:48 AM
Hi Sudarshan,
Exclude the value "SUSO" from the "Object type" (OBJTYPE) field in authorization object S_DEVELOP of the users.
This will prevent users from creating.
Create a separate role with this access and give it to the users on a case-by-case basis, or put it in a Firefighter ID and assign it to them if you have a GRC system in place, which will notify the concerned person 🙂
Regards,
Gangadhar