Application Development Discussions

Authorization review process document

Former Member

Hi all,

Our management wants to review the authorizations of all users once a year. They are asking for a process document which will state all the processes and procedures to do this. I have no clue how I should go about it.

Can anybody please help with a document or something so that I can start preparing a "process document for annual authorization review"?

Thanks,

Suman

2 REPLIES

Former Member

Hi Suman,

One thing you can do is create variants for the program RSUSR002, which is nothing but SUIM. For example, create a variant 000_RFC_DEST for the program RSUSR002 and give the values for the variant as transaction SM59. The authorization for SM59 must reside only with the Basis user, and when you run the report RSUSR002 with the variant 000_RFC_DEST you will get the list of all the users having this authorization. At the same time you can create an Excel sheet based on the roles that can be given to the ABAP team, functional team, SD team, etc. When a new role is created you can update this Excel sheet.

Regards,

Bharath

Former Member

Hello Chittranjan,

This is something for which you would need advice from your functional team. While doing the auditing is a system administrator's or auditor's job, the actual conceptual design of the audit needs to be discussed with functional people as well.

First of all, it depends on your business processes as well as on the modules of SAP which are in main use in your project.

Not only do you need to check whether the authorizations are organized vertically, but also laterally.

Vertically means that a clerk in a department should have restricted access to only what he is doing, and a manager should have greater access.

Laterally means that if your organization has multiple sub-units which can be identified with plants, company codes etc., then you need to make sure users belonging to one sub-unit should have access for other sub-units/departments.

Then you also need to check the processes within the organization.

There has to be a check on who creates master data and transactional data and who does not. Also, a check on customising authorizations needs to be in place. Similarly, development authorizations also need to be brought under the ambit of the document.

The customising and development part is simple, as it has to be restricted to functional guys and developers respectively, but the master data and transactional data part is integrated with business processes. Also, this is generally handled by end users.

You need to take advice from process owners also.

Regards.

Ruchit.
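The two replies above describe checks that can be scripted once the RSUSR002 / SUIM result is exported: Bharath's "who holds transaction SM59 outside Basis" variant together with a role-to-team sheet, and Ruchit's lateral check that a user's organizational values (plants, company codes) stay within one sub-unit. The Python below is an added example written for this thread, not code from either poster or from SAP. It assumes a flattened CSV export with one row per user, role, authorization object, field and value; the object and field names S_TCODE/TCD (transaction code) and BUKRS (company code) are standard SAP names, while the users, roles, values and the ROLE_TEAM mapping are constructed for the example.

```python
"""Added example: scripted annual authorization review checks.

Input is a constructed CSV in the shape an RSUSR002 / SUIM result could be
saved as after flattening: one row per user, role, object, field, value.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real system data). S_TCODE/TCD and BUKRS are
# real SAP names; the users, roles and values are invented for the example.
SAMPLE_EXPORT = """\
user,role,object,field,value
BASIS01,Z_BASIS_ADMIN,S_TCODE,TCD,SM59
BASIS01,Z_BASIS_ADMIN,S_TCODE,TCD,SU01
DEV01,Z_ABAP_DEV,S_TCODE,TCD,SE38
DEV01,Z_ABAP_DEV,S_TCODE,TCD,SM59
SDCLERK1,Z_SD_CLERK,S_TCODE,TCD,VA01
SDCLERK1,Z_SD_CLERK,F_BKPF_BUK,BUKRS,1000
SDCLERK2,Z_SD_CLERK,S_TCODE,TCD,VA01
SDCLERK2,Z_SD_CLERK,F_BKPF_BUK,BUKRS,1000
SDCLERK2,Z_FI_CLERK,S_TCODE,TCD,FB01
SDCLERK2,Z_FI_CLERK,F_BKPF_BUK,BUKRS,2000
SDMGR1,Z_SD_MANAGER,S_TCODE,TCD,VA01
SDMGR1,Z_SD_MANAGER,S_TCODE,TCD,VA02
SDMGR1,Z_SD_MANAGER,F_BKPF_BUK,BUKRS,1000
"""

# The role-to-team sheet Bharath describes, as a dict (constructed mapping).
ROLE_TEAM = {
    "Z_BASIS_ADMIN": "BASIS",
    "Z_ABAP_DEV": "ABAP",
    "Z_SD_CLERK": "SD",
    "Z_SD_MANAGER": "SD",
    "Z_FI_CLERK": "FI",
}


def parse_export(text):
    """Parse the flattened CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def users_with_tcode(rows, tcode):
    """Map user -> set of roles through which the user holds S_TCODE/TCD = tcode.

    This is the 000_RFC_DEST-style variant (transaction SM59) expressed in code.
    """
    holders = defaultdict(set)
    for r in rows:
        if r["object"] == "S_TCODE" and r["field"] == "TCD" and r["value"] == tcode:
            holders[r["user"]].add(r["role"])
    return dict(holders)


def check_restricted_tcode(rows, tcode, allowed_team, role_team=ROLE_TEAM):
    """Return {user: [roles]} where a role granting tcode is not an allowed_team role."""
    findings = {}
    for user, roles in users_with_tcode(rows, tcode).items():
        offending = sorted(r for r in roles if role_team.get(r) != allowed_team)
        if offending:
            findings[user] = offending
    return findings


def check_lateral(rows, org_field):
    """Return {user: [values]} for users whose org_field values span more than one unit.

    A multi-unit result is a finding to take to the process owner, not an
    automatic violation: a manager may legitimately cover several units.
    """
    units = defaultdict(set)
    for r in rows:
        if r["field"] == org_field:
            units[r["user"]].add(r["value"])
    return {u: sorted(v) for u, v in units.items() if len(v) > 1}


def check_cross_team(rows, role_team=ROLE_TEAM):
    """Return {user: [teams]} for users holding roles from more than one team."""
    teams = defaultdict(set)
    for r in rows:
        teams[r["user"]].add(role_team.get(r["role"], "UNMAPPED"))
    return {u: sorted(t) for u, t in teams.items() if len(t) > 1}


def run_review(text):
    """Run all checks over an export and return the findings by check name."""
    rows = parse_export(text)
    return {
        "sm59_outside_basis": check_restricted_tcode(rows, "SM59", "BASIS"),
        "multi_company_code": check_lateral(rows, "BUKRS"),
        "cross_team_roles": check_cross_team(rows),
    }


if __name__ == "__main__":
    for name, finding in run_review(SAMPLE_EXPORT).items():
        print(f"{name}: {finding}")
```

On the sample data the SM59 check flags DEV01 (holds SM59 through an ABAP role), and the lateral and cross-team checks both flag SDCLERK2 (company codes 1000 and 2000 via SD and FI roles). Roles missing from the sheet show up as UNMAPPED, which is itself a review finding: the sheet Bharath describes is only useful if it is updated whenever a role is created.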