04-21-2008 1:24 AM
I'm following the three-tiered approach for creating roles - general access, general functional access and specific job access. Right now, I'm creating just the general access role.
What are the transactions that should be common to all employees? So far I have:
SBWP - SAP Business Workplace
SEARCH_SAP_MENU - Find in SAP Menu
SEARCH_USER_MENU - Find in User Menu
SMX - Display Own Jobs
SO04 - SAPoffice: Shared Folders
SP02 - Display Spool Requests
SSC0 - SAP Appointment Calendar (Employee)
SSC1 - SAP (own) Appointment Calendar
SU2 - Maintain Own User Parameters
SU3 - Maintain Users Own Data
SU53 - Evaluate Authorization Check
Are there any more transactions that should be added into the general access role?
Thanks in advance!
Edited by: Litz Tee on Apr 21, 2008 2:59 AM
04-21-2008 7:31 AM
That list looks good. I would add SU56 in there out of preference, and some will recommend SU01D (though I am not a fan of having it in there).
04-21-2008 7:40 AM
Hi,
Based on the SAP standard role SAP_BC_ENDUSER, which is normally assigned to end users, you should add
SM36 (define jobs)
SM37 (display jobs)
SU56 (authorization in user buffer for logged-on user)
SESSION_MANAGER (start menu)
SU3 (maintain own profile)
rgds,
alfonsus guritno
04-21-2008 1:22 PM
I would not recommend adding tcodes SM36 and SM37 to the "common role". Depending upon what values you have for the associated auth objects, SM37 will have the ability to change and delete jobs. Also SM36 for creating jobs would also be an issue. External auditors would have significant issues with all end users having this kind of access.
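One way to check a general access role for the concern raised in the reply above, added here as an example and not part of any poster's message. The role layout and function names are hypothetical, the sample role is constructed, and the objects S_BTCH_JOB and S_BTCH_ADM are the standard SAP background-processing objects, which the thread does not name.

```python
from fnmatch import fnmatchcase

# Transactions the replies argue against in a role given to every user.
CONTESTED_TCODES = {
    "SM36": "define jobs",
    "SM37": "display jobs; change/delete depends on auth values",
}

# Assumption: standard SAP background-processing objects, not named in the thread.
RISKY_VALUES = {
    ("S_BTCH_ADM", "BTCADMIN"): {"Y": "batch administrator"},
    ("S_BTCH_JOB", "JOBACTION"): {"DELE": "delete other users' jobs",
                                  "RELE": "release jobs"},
}

def covers(granted, wanted):
    """True if a granted value (literal, 'SM*' pattern or (low, high) range) covers wanted."""
    if isinstance(granted, tuple):
        low, high = granted
        return low <= wanted <= high
    return fnmatchcase(wanted, granted)

def review_general_role(auths):
    """auths: list of (object, field, [values]). Returns sorted finding strings."""
    findings = set()
    for obj, field, values in auths:
        if (obj, field) == ("S_TCODE", "TCD"):
            for tcode, why in CONTESTED_TCODES.items():
                if any(covers(v, tcode) for v in values):
                    findings.add(f"S_TCODE allows {tcode}: {why}")
        for risky, why in RISKY_VALUES.get((obj, field), {}).items():
            if any(covers(v, risky) for v in values):
                findings.add(f"{obj}/{field} allows {risky}: {why}")
    return sorted(findings)

# Constructed sample: part of the original poster's list plus a range that
# silently includes SM36/SM37, and an unrestricted JOBACTION.
GENERAL_ROLE = [
    ("S_TCODE", "TCD", ["SBWP", "SMX", "SP02", "SU3", "SU53", ("SM35", "SM37")]),
    ("S_BTCH_JOB", "JOBACTION", ["*"]),
]

if __name__ == "__main__":
    for line in review_general_role(GENERAL_ROLE):
        print(line)
```

Checking the granted S_TCODE values rather than the role menu matters here, because a range or wildcard can start SM36 and SM37 without either transaction being listed by name.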
04-21-2008 1:48 PM
I agree with JC - we can give reasonable control over SM36 & SM37, but their place is not in a basic user role in my opinion.
04-22-2008 3:43 PM
Depending on your implementation, you also might want to reconsider SU2 - especially if you are using function authorisations in MM.
Or if you would be making use of PIDs for HR purposes, e.g. variants for reports, CATS etc.
04-22-2008 6:49 PM
SM37 is not recommended.
All the same, you may want to include a Print Role.
From a user maintenance standpoint --> include SU56 too.
SU3 is already present for every user as it's created; just go to System > Utilities > Own Data.
Thx
Edited by: george G on Apr 22, 2008 7:49 PM
Edited by: george G on Apr 22, 2008 10:08 PM