on 02-08-2008 6:49 AM
Hello Gurus,
I have got a list of t-codes from my functional consultants.
E.g.
1) Authorization for top management
Whole menu in HR, FICO and MM
2) Authorization for document creation/ Parking
fin acctg->GL->Periodic Processing->Closing->Valuate
FBS1 - Enter Accrual/Deferral Document
F.81 - Reverse Accrual/Deferral Document
fin acctg->A/P->Document Entry->Down Payment
fin acctg->A/P->Document Entry->Outgoing Payment
fin acctg->A/P->Document->More Functions
FBZ5 - Print Payment Forms
fin acctg->A/P->Periodic Processing
F110 - Payments
fin acctg->A/P->WithHolding Tax->India
fin acctg->Banks->Incomings->Bank Statement
FF67 - Manual Entry
FF_5 - Import
FEBP - Post
FF_6 - Display
FEBA_BANK_STATEMENT - Reprocess
fin acctg->Banks->Outgoings->Automatic Payment
fin acctg->Banks->Information System
Here, " fin acctg->A/P->Document Entry->Down Payment " means, whole menu under " fin acctg->A/P->Document Entry->Down Payment " and
fin acctg->Banks->Incomings->Bank Statement
FF67 - Manual Entry
FF_5 - Import
FEBP - Post
FF_6 - Display
FEBA_BANK_STATEMENT - Reprocess
Means authorization for only this T-code under the menu " fin acctg->Banks->Incomings->Bank Statement "
I have created a Role using the user authorization matrix I have received, using the "PFCG" T-code. Now, the problem I am facing is giving additional authorization to some critical objects. How to avoid this situation?
How to make sure that users have got only the authorizations as per the authorization matrix? I never get the accuracy; either I give authorization to some additional object or do not assign some crucial objects.
When I create a Role based on the list, using PFCG, I get some objects in yellow; I either have to deactivate them or assign them to the role. I generally assign them to the role.
It will be great if I get some good notes/guidance on this from you.
Thanks and Regards,
Rahul
Hi jet/ Ruchit,
Thanks for your valuable suggestion.
Ruchit, I am doing it exactly the way you suggested. I won't mind giving lesser authorizations, but would prefer to avoid giving authorization to objects that are meant for the Administrator.
I think I can easily find out authorizations to crucial objects (admin objects) using SUIM. It will be great if I get the list of authorizations that a basis administrator, preferably, should not give to end users.
Thanks and Regards,
Rahul
Hello Anup,
Basically you need to be careful for all the transactions that start with:
SU, PF, RZ, DB and SM*. Of course, this does not mean that you can't give access to any transaction that falls in this category. You can in certain cases, but there also you need to define the scope of authorizations, i.e. display/change/create etc.
Also look for SE* transactions. They are related to development activities.
Regards.
Ruchit.
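An added example, not part of any post in this thread: one way to compare a role's transaction list against the authorization matrix from the question and to flag the transaction prefixes named in the reply above. The role name `Z_FI_DOC_ENTRY`, the two-column `role,tcode` export format and the sample rows are constructed assumptions.

```python
import csv
import io

# Prefixes named in the reply above as needing care (SU, PF, RZ, DB, SM, SE).
SENSITIVE_PREFIXES = ("SU", "PF", "RZ", "DB", "SM", "SE")

# T-codes the matrix in the question lists explicitly.
MATRIX = {"FBS1", "F.81", "FBZ5", "F110", "FF67", "FF_5", "FEBP", "FF_6",
          "FEBA_BANK_STATEMENT"}

# Constructed sample export: one "role,tcode" row per role menu entry.
# The format and the role name are assumptions made for this example.
SAMPLE_EXPORT = """role,tcode
Z_FI_DOC_ENTRY,FBS1
Z_FI_DOC_ENTRY,F.81
Z_FI_DOC_ENTRY,FBZ5
Z_FI_DOC_ENTRY,F110
Z_FI_DOC_ENTRY,FF67
Z_FI_DOC_ENTRY,FF_5
Z_FI_DOC_ENTRY,FEBP
Z_FI_DOC_ENTRY,FF_6
Z_FI_DOC_ENTRY,FB01
Z_FI_DOC_ENTRY,su01
Z_FI_DOC_ENTRY,SM30
"""


def load_role_tcodes(text):
    """Parse the export into {role name: set of upper-cased t-codes}."""
    roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        tcode = row["tcode"].strip().upper()
        roles.setdefault(row["role"].strip(), set()).add(tcode)
    return roles


def review_role(tcodes, matrix):
    """Return t-codes missing from the role, extra to the matrix, and
    those matching a sensitive prefix (listed even if the matrix has them)."""
    return {
        "missing": sorted(matrix - tcodes),
        "extra": sorted(tcodes - matrix),
        "sensitive": sorted(t for t in tcodes
                            if t.startswith(SENSITIVE_PREFIXES)),
    }


if __name__ == "__main__":
    for role, tcodes in load_role_tcodes(SAMPLE_EXPORT).items():
        print(role, review_role(tcodes, MATRIX))
```

This check works at transaction-code level only; the authorization objects and field values that PFCG proposes for each transaction still have to be reviewed in the role itself.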
There is no way you, as a security consultant, can be sure of giving only the exact required authorizations. You can do that only if your functional consultant tells you exactly what t-codes and what objects he needs.
When creating a menu-based role, there are obviously extra authorizations given and some blocked, so you have to manually insert the missing objects or edit them when required. That's the only solution.
Hello Rahul,
First of all, these transactions are standard SAP ones, so that is a saving grace for you. For all these transactions, authorization objects and default values would be already maintained in SU24. Now when you add these transactions to the role menu, the corresponding authorization objects and values will get automatically copied into the role. Ideally you should not change these default values in the first go. Removing what you perceive to be critical authorization objects might render the entire transaction execution useless.
So I would suggest you create the roles, assign them to some dummy user and get them tested. Then wait for feedback and make corrections.
Regards.
Ruchit.