values for S_ADMI_FCD

Former Member
0 Kudos

Hello,

I have the following immediate problem. Auditors are interested to know who has authorization object S_ADMI_FCD. I see that our users have this object via transaction code SP01. All values are selected. What values should I un-select to make sure that our users won't lose their SP01 functionality and at the same time we do not compromise security?

Thanks

Galina

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Galina,

Without knowing your implementation and the different roles you have, it's very hard to give a definitive answer for this. It is possible that the "all values" is providing auths for transactions other than SP01 which would normally be picked up if you had tighter restriction over this object.

There is a fair bit of info in this link, I suggest that you go through this and identify suitable values for your actual spool uses - common ones are SP01, SP0R, SPAD depending on the status of the user. If users only need to perform functions on their own spools then SP02 allows them to do this without seeing any other spools. Bearing in mind the sensitive data that can be accessed via spools, it's good that you are tying it down. Some superusers or administrators may need to run SP01 with one or more of the above values for S_ADMI_FCD, again this is very dependent on the particular situation.

http://help.sap.com/saphelp_40b/helpdata/en/17/174b6e5733d1118b3f0060b03ca329/content.htm

p.s. I strongly recommend testing any changes that you make before sending it through to prod. With these types of auths, it's very easy to cause a load of problems due to inheritance of the values by other transactions.

Message was edited by: Alex Ayers

4 REPLIES

0 Kudos

Hi, Alex

Thanks for pointing me in the right direction. But I am still looking for a list of values for this object that would be necessary for a) BASIS person, b) ABAP person, c) FI/CO admin person. And I am still not sure if the lack of default values in this object (I know it is fixed with the latest packages) suggests that if I have SP01 in every user's profile I can safely remove this object from the authorizations list. Still a puzzle.... Any suggestions?

0 Kudos

Hi Galina,

Take a look in SAP note 587410 at how you can find users / roles which do, or do not, have a certain authorization. It deals with S_DEVELOP, but the principle will work the same for S_ADMI_FCD.

Kind regards,

Julius

0 Kudos

Hi Galina,

The difficulty with this is that your roles and the responsibilities of your users are likely to be very different than mine. Your FICO admin could do different stuff to mine and therefore what I have may well be irrelevant. There is no absolute list as there are no absolute roles defined.

The Basis stuff isn't too hard. You can look in the role they have and map the general activities that role performs against the functions available with S_ADMI_FCD. It is likely that if the role performs that function then it will require that value. Be careful though as there are some pretty powerful things controlled by that object.

Your FICO admin team probably will need to do some spool management, in which case SP01 and SP0R will be needed.

ABAPers in Prod should have very limited access to start with; they may need to run traces with the ST0M, ST0R and SM21 values.

Personally I wouldn't mess about with this stuff for prod access without testing it with the relevant teams and users. Your end users are probably less at risk as this is generally not an end user object, but again it depends on what you have got them doing!

Hope that helps a bit - it's a difficult one to retrospectively fix, as are many of the S_* objects that have been wildcarded.
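The mapping exercise described in the replies above can be scripted against an export of role authorization data. The following is an added example, not code from any poster in this thread: it assumes a CSV export with the columns AGR_NAME, OBJECT, FIELD, LOW and HIGH (as found in table AGR_1251), uses constructed role names, and takes its per-team baselines from the values suggested in the replies, which the posters stress are situation-dependent.

```python
import csv
import io

# Baselines from the values suggested in the thread; the team labels are
# hypothetical and must be adapted to your own role design.
BASELINE = {
    "FICO_ADMIN": {"SP01", "SP0R"},
    "ABAP_PROD": {"ST0M", "ST0R", "SM21"},
}
# Hypothetical mapping of role names to teams.
ROLE_TEAM = {"Z_FICO_ADMIN": "FICO_ADMIN", "Z_ABAP_PROD": "ABAP_PROD"}

# Constructed sample export (the CSV layout is an assumption).
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_FICO_ADMIN,S_ADMI_FCD,S_ADMI_FCD,SP01,
Z_FICO_ADMIN,S_ADMI_FCD,S_ADMI_FCD,SP0R,
Z_ABAP_PROD,S_ADMI_FCD,S_ADMI_FCD,ST0M,
Z_ABAP_PROD,S_ADMI_FCD,S_ADMI_FCD,SPAD,
Z_ENDUSER_SPOOL,S_ADMI_FCD,S_ADMI_FCD,*,
Z_ENDUSER_SPOOL,S_TCODE,TCD,SP01,
"""


def audit(export_text, role_team=ROLE_TEAM, baseline=BASELINE):
    """Return {role: finding} for S_ADMI_FCD values outside the baseline."""
    values = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != "S_ADMI_FCD" or row["FIELD"] != "S_ADMI_FCD":
            continue
        low, high = row["LOW"].strip(), row["HIGH"].strip()
        # A range (HIGH filled) or a pattern character counts as a wildcard.
        entry = "*" if high or "*" in low else low
        values.setdefault(row["AGR_NAME"], set()).add(entry)

    findings = {}
    for role, vals in sorted(values.items()):
        team = role_team.get(role)
        if "*" in vals:
            findings[role] = "WILDCARD"
        elif team is None:
            findings[role] = "UNMAPPED: " + ",".join(sorted(vals))
        elif vals - baseline[team]:
            findings[role] = "EXCESS: " + ",".join(sorted(vals - baseline[team]))
    return findings


if __name__ == "__main__":
    for role, finding in audit(SAMPLE_EXPORT).items():
        print(role, finding)
```

Roles reported as WILDCARD or EXCESS are the candidates to review and test with the relevant teams before anything is changed in production.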