07-03-2008 9:36 AM
can u tell how we can give full authorizations and specific authorizations ton users in production client for specific projects
07-03-2008 4:14 PM
Your question seems a bit "generalistic"; I suggest you check with your own security team for more info. Maybe I misunderstood the part about "projects"; feel free to clarify...
07-03-2008 10:17 AM
Hi
For giving full authorization give SAP_ALL profile.But in production client it is not recommended.
For restricting create role in pfcg and assign them
hope this helps
Edited by: Trupti on Jul 3, 2008 11:17 AM
07-03-2008 4:14 PM
Your question seems a bit "generalistic"; I suggest you check with your own security team for more info. Maybe I misunderstood the part about "projects"; feel free to clarify...
07-04-2008 8:19 AM
Hi,
I think the first step to think about is, if it is really necessary to perform that 'project' (whatever it is) really in PRD....
If you know already, which transactions the project memebers need to have access to, you have to check and countercheck each of that transactions, if
a) critical data can be reviewed
b) any data can be changed
If you have verified, that no such critical actions can be performed, you could then create the appropriate roles in PFCG for the project members (but never give 'full access' what you have mentioned !!!).
Please verify, if that members have already an existing account on your PRD, and if so, if they have already some authorizations there. It is dangerous to simply add your new project roles to existing users, as the assigned authorizations might cumulate and give unwanted access....
As soon the project members gest any developement authorizations, you have lost the game anyway, as they can then help themselves to get the access they want (you know, debug/replace is sufficient to crack any auth.-check). Please also review the threads in this forum about SE16, S_DEVELOP,S_PROGRAM,.....
At last point I can recommend to switch on the security audit log before the project members access your system.
b.rgds, Bernhard