07-25-2007 6:29 PM
Hi all,
I have some basic questions. During implementation of SAP, the security guy will restrict the users so they cannot access the roles which are not defined for the users. Here, does "users" mean the functional guys and technical guys? And after production and go-live, will he restrict the end users?
Someone please explain to me clearly the role of the security guy before production support and after production support.
Thanks,
Kevin
07-31-2007 11:55 AM
Hi Kevin,
During implementation, there are no end users; all functional and technical consultants get SAP_ALL and SAP_NEW in DEV and/or TEST systems. At that stage, there's no Production system alive.
When the security consultant has gathered all the business requirements from stakeholders and built and tested the roles, business owners will tell him/her which user or position should have what role access, if that's what you meant by restricting the end users.
In the production system, all end users will only have the roles suitable for their position/job, based on segregation of duties, SOX etc. The SAP support team, on the other hand, will typically have display access to their respective functional areas, but no create or modify access.
Is this what you're after?
Cheers,
Kathryn
07-31-2007 3:14 PM
During an implementation, there are several types of "project" roles that we created. They were for 1) developers, 2) functional team members, 3) configuration access, 4) transport (approval and release of the task only), and then basis and security (usually assigned SAP_ALL).
The security person is usually responsible for developing "project" roles and working with the functional leads to develop the end user production roles which are included in the testing phases.