
Need to assign all FI full authorizations

Former Member
0 Kudos

Hi Experts,

I have to assign/provide the FI full authorizations to my FI consultant. For this, please let me know how I can assign all FI-related T-code authorizations at one shot.

Regards,

Reddy V

7 REPLIES

jurjen_heeck
Active Contributor
0 Kudos

> I have to assign/provide the FI full authorizations to my FI consultant. For this, please let me know how I can assign all FI-related T-code authorizations at one shot.

My suggestion (the one you probably do not want) is to ask these consultants which transactions they need. The 'one shot' question is the simplest to ask and the most difficult to answer.

For some odd reason (see thread about taking SPRO from SAP_ALL) functional consultants mostly refuse to accurately describe their needs but get annoyed if the psychic abilities of the security admin fail to resolve their problem...

Bernhard_SAP
Employee
0 Kudos

Hello Reddy,

Another possibility is to select the complete FI branch of the SAP menu in PFCG and insert that branch into the role menu. The authorizations for the contained transactions will then be added automatically at the authorizations tab. Grant full access for all the contained objects (but you should check them first) and assign the role to the necessary users.

b.rgds, bernhard

0 Kudos

Thank you, Bernhard,

I have done the same, that is: PFCG --> Menu --> From SAP menu --> selected the Financial Accounting and Financial Supply Chain Management branches --> Transfer, and generated the profiles.

But I am facing some problems, like some of the t-codes FBMP, FBKP, FBZP, SPRO, SM30, SE09, etc.

Please let me know if there is any other way to assign common accesses including all FI authorizations.

Regards,

Reddy V

0 Kudos

I frankly don't believe there are foolproof ways of creating area-specific roles from scratch, perhaps except if you base your role on one or several of the existing SAP_FI* or SAP_AUDITOR* role templates (but as far as I know these are fairly limited and I've never heard of anyone actually using them). The problem is that most functional consultants (or auditors, or whatever target population you have) will require, or expect to have, access to other areas and functionalities more or less related to their functional area...

In which case it's your responsibility, as a security analyst, to figure out whether their request is "sound" from a security perspective (i.e. S_TABU_DIS, activity 02: no) and, if so, enhance their role. Or, assign secondary roles containing the necessary non-FI-specific objects (such as SE11/SE16, SA38 for report execution, SU01D for displaying user data and so on...).

The point is, building such access from scratch is not straightforward and simple. The importance of security is often overlooked, especially in smaller implementations, and thus you get requests like this, for "all FI access" without the requesters having the vaguest idea of the time/effort involved (or any comprehension whenever they get stuck because the role didn't work for whatever exotic needs or whims they come up with in the course of their exploits). Of course, in the end, the security guy takes the blame.

Such is our fate. Amen.

0 Kudos

Well, it is always the first question: what is 'full authorization for FI'...

Who needs such a 'full FI authorization'...

Even testers will not need all FI T-codes.

And some of the above-mentioned T-codes do not belong to FI (SM30, SPRO, ...)...

So we could discuss this question on a political level too. And I think we can never reach a result. So my understanding is that it is NOT possible to easily create such a generic authorization (especially as there will be several opinions on what should be included in an FI full authorization).

Still, the approach of SAP is to actively grant each necessary authorization separately.

As few authorizations as possible, as many as absolutely necessary.

b.rgds, Bernhard

0 Kudos

Hello Reddy,

As pointed out earlier, there is no ready-made template which can be used to assign FI authorizations completely. Also, as mentioned earlier, the T-codes SE09 and SPRO are not part of FI.

These T-codes should be contained in separate roles like Change Coordinator & Customizer respectively and not mixed with the functional roles, as they may also be required by other functions and the need to add them again and again can be minimized.

You should therefore create the role from the PFCG area menu for FI, and the transactions that do not get assigned from this area menu should be assigned separately.

As the onus of giving the complete T-code list for a job role should lie with the business and if they are able to do so they should not complain if a few T-codes do not get assigned by following the standard approach.

Former Member
0 Kudos

Thank you all for your valuable information