01-08-2008 1:41 PM
Dear SDN Community,
I was asked not to give SAP_ALL but to give them the minimum required authorizations to execute the following transaction codes.
SE37
VA01
FB01
KB11N
Can you please advise me how I can do this? I am new to security.
Thanks!
Surya.
01-08-2008 1:45 PM
Hi Surya,
Create a new role using PFCG and assign those transactions, then just check the authorization objects and assign the users.
Regards
Juan
01-08-2008 2:04 PM
Would suggest, as a minimum, to buy the book Authorisations Made Easy from AMAZON.com and read that first.
Secondly, would advise to contact your local SAP Education Centre and follow courses ADM940/950/960 ASAP, as security is far too dangerous to play with when not knowing how to.
01-08-2008 2:31 PM
>
> Would suggest, as a minimum, to buy the book Authorisations Made Easy from AMAZON.com and read that first.
Ha! You beat me to it. I was still thinking about a cheeky remark on Juan summarizing the 3-day course ADM940 into one sentence.
01-08-2008 4:58 PM
Dear Surya,
The remarks that you may hear from the experienced folks must not (read NEVER) down your desire to work harder. I have heard enough and have lived up to these suggestions!!
Please read these as beating on your knuckles from your teacher!! to allow our community of practitioners grow!!
I am expecting more and more during this year... one way to reduce it is... obey your teacher!!
Thx
01-10-2008 2:19 PM
>
> Dear Surya,
>
> The remarks that you may hear from the experienced folks must not (read NEVER) down your desire to work harder. I have heard enough and have lived up to these suggestions!!
What is your problem when the advice to read a good book or follow a SAP course is given??
We all had to learn it that way.
> Please read these as beating on your knuckles from your teacher!! to allow our community of practitioners grow!!
What do you mean by this remark???
>
> I am expecting more and more during this year... one way to reduce it is... obey your teacher!!
Of what do you expect more this year???
What should be reduced?
01-08-2008 9:42 PM
>
> SE37
> VA01
> FB01
> KB11N
Regardless of how to build a role, I cannot help wondering which function (role) such a person would have in a company's business processes.
Is the person:
- a developer? SE37 - Building function modules
- a customer? VA01: Creating sales orders
- a balance sheet accountant? FB01: Posting manual journal entries
- a business controller? KB11N: Manual adjustments to cost accounting
I suppose it is not your job to question a business requirement, but you can point the risks out to them. For example, with seemingly harmless authorization to use SE37 (see documentation on S_DEVELOP) the user can easily bypass your other security, so they might still (effectively) have "SAP_ALL".
On second thoughts... this is a role for a developer in a development system? (in which case it has no place in production..)??
Kind regards,
Julius
01-09-2008 2:24 PM
Julius,
Thanks for your concern. The odd ball out here is SE37. We are aware of this. This profile is not for production but for development and QAS. There are a few function modules which get executed using sy-uname. As part of the testing I may have to debug our Java Webdynpro application by setting an external break point in R/3 function modules and debug. At that time, I need to log in to R/3 using the end user userid, and that userid needs SE37 access. Hope I made myself clear here. I am not going to move this role to Production. Please let me know if you have any questions about my approach here.
Thanks!
Surya.
01-09-2008 8:56 PM
Hello Surya,
Thanks for confirming that this is a role for development system purposes.
Yes, I think your approach is on the right track, but have some small comments:
By "end user" I assume you are describing a "dialog user" for debugging purposes.
I also assume that this application will one day be running as a service in a production system.
Will your customers have access to the backend system?
In my opinion, VA01 is the odd ball out here, and you should be debugging the session of the service (user) (only) with VA01 authority to find the bugs.
Kind regards,
Julius
01-10-2008 2:01 AM
>> By "end user" I assume you are describing a "dialog user" for debugging purposes.
End user means the real end user, which is a franchise id.
>> I also assume that this application will one day be running as a service in a production system.
You are right.
>> Will your customers have access to the backend system?
No. The only way they can access the R/3 functionality is by using the WebDynpro for Java application.
>> VA01 is the odd ball out here,
We are implementing FI processes and an order procurement process. Franchises are going to place orders to the central unit and they are going to post the Goods Receipts.
P.S : I am the WebDynpro/Adobe developer but I was asked to take this security role as we don't have a security specialist here.
Thanks!
Surya.
01-10-2008 11:20 AM
Dear Surya
As I understand from the expert discussion, they have objection not to give authority on the SE37.
Regards
Anwer Waseem