With an audit coming soon, our company is going to get rid of all SAP_ALL profiles in our SAP system.
Now the way I was going to do it is as follows, please give your feedback and tips:
I have separate roles for normal users, based on their department. I have checked them as well as possible according to SOX and I think they are fine.
I have then designed a couple of IT-based profiles. One with permissions to alter/unlock users (and other user-oriented things), one to change authorizations and roles (etc...) and one with transactions that are needed in programming.
These roles should cover all IT needs.
Now I was going to remove the SAP_ALL for our consultants and IT-people and put in the significant IT-roles (a consultant would not get the authorizations and user roles), + I would create a composite role containing all the normal user roles. This comp role would then also be put into the IT-people/consultants roles.
I know composite roles are not the most popular feature on these boards, but is there a better way to do this?
Thanks in advance
Answer:
We're doing something similar now that we've been audited. We haven't got SAP_ALL roles but some very similar.
Each area (CCC, Project, Security, etc.) is supplying a list of transactions that they think they need and that is being reviewed. Looking at creating single roles for certain areas (uploads, password reset, etc.) and chucking them in composites.
Won't be fun but it has to be done sometime. Then it's working out what can be done in the transactions.
Answer:
Hi
As per my understanding you have to first analyze user requirements for the project. Based upon that, create custom roles with all transaction codes as per the requirements of the user. Assign that role to the user.
Nowadays, creating custom roles according to the requirements of the user is the most acceptable thing. Designing roles according to the working team can also be helpful to you.
Hope this will help a lot.
Regards
sap11
Answer:
Thanks for the replies guys.
The designing of the user roles is not the main problem, it's just that our consultants/IT people would like to have full control of all transactions that are used by the normal (Sales, shipping etc...) people.
That's why I'm thinking about creating a composite role for IT that contains all roles of the normal users.
Answer:
The designing of the user roles is not the main problem, it's just that our consultants/IT people would like to have full control of all transactions that are used by the normal (Sales, shipping etc...) people.
Tell them to bugger off. Unless there is a solid reason why they need the ability to process business transactions in Prod (& unless they are performing a functional role there is no reason) then they should not be able to process business transactions.
If your auditors see people without business responsibility with access to business transactions then they (rightly so) will kick up a fuss.
Answer:
To beat the dead horse some more, I am now in this exact position. We have been audited and everyone is complaining about IT having SAP_ALL and we have to get rid of it. Sure, we've built roles for Security, ABAP, BASIS, etc. to use. But what happens when we have to troubleshoot a problem for a user? There are many times someone calls me with an auth. problem that isn't concrete and I will repeat their steps with my authorization to see if it works.
I guess my question is, in general how is this handled? Are the administrators also denied SAP_ALL and allowed use of only transactions in their area?
Answer:
But what happens when we have to troubleshoot a problem for a user? There are many times someone calls me with an auth. problem that isn't concrete and I will repeat their steps with my authorization to see if it works.
I guess my question is, in general how is this handled? Are the administrators also denied SAP_ALL and allowed use of only transactions in their area?
You can:
- Use your QA system to replicate the user access and test that way
- If you only have a Prod system, then run a trace while the user recreates the problem
_________________
Sandi
~~~~
Apparently Father Christmas, the Easter Bunny, the Tooth Fairy and Star Wars aren't real
Tuly kiwi.
Answer:
Using your QA system to replicate the user access is a good way to do it. There may be times when client settings or missing data won't work in QA; for those situations use a firefighter ID with a role made up of full authorizations. Do not use SAP_ALL; that way the auditors are happy and you control the firefighter ID with documented access, properly signed, and for a limited time only.
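A pre-audit check over a role assignment export is one way to verify the points raised in this thread: no user still holds SAP_ALL, IT users do not reach business transactions through a composite role built from the business roles, and firefighter IDs have not outlived their validity date. This is an added example written for this page, not code from any poster or from SAP; the users, role names and transaction codes are constructed sample data, and the dictionary layout stands in for whatever export format you actually pull from the system.

```python
from datetime import date

# Constructed sample data (hypothetical role and user names; only SAP_ALL is real).
ROLES = {
    "Z_SALES":    {"type": "single", "tcodes": {"VA01", "VA02"}},
    "Z_SHIPPING": {"type": "single", "tcodes": {"VL01N", "VL02N"}},
    "Z_IT_USERS": {"type": "single", "tcodes": {"SU01", "SU10"}},
    "Z_IT_AUTH":  {"type": "single", "tcodes": {"PFCG", "SU53"}},
    "Z_IT_ABAP":  {"type": "single", "tcodes": {"SE38", "SE80"}},
    # composite role bundling every business role, as proposed in the thread
    "ZC_ALL_BUSINESS": {"type": "composite", "roles": {"Z_SALES", "Z_SHIPPING"}},
}
BUSINESS_ROLES = {"Z_SALES", "Z_SHIPPING"}

USERS = {
    "JSMITH":   {"dept": "SALES", "profiles": set(), "roles": {"Z_SALES"}},
    "CONSULT1": {"dept": "IT", "profiles": {"SAP_ALL"}, "roles": {"Z_IT_ABAP"}},
    "SECADMIN": {"dept": "IT", "profiles": set(),
                 "roles": {"Z_IT_USERS", "Z_IT_AUTH", "ZC_ALL_BUSINESS"}},
    # firefighter ID: time-boxed, documented access instead of SAP_ALL
    "FF_01":    {"dept": "IT", "profiles": set(),
                 "roles": {"Z_IT_AUTH", "ZC_ALL_BUSINESS"}, "valid_to": date(2024, 1, 31)},
}

def effective_tcodes(role_name, roles=ROLES):
    """Flatten a single or composite role to the set of transactions it grants."""
    role = roles[role_name]
    if role["type"] == "single":
        return set(role["tcodes"])
    out = set()
    for child in role["roles"]:
        out |= effective_tcodes(child, roles)
    return out

def users_with_sap_all(users=USERS):
    """Users who still carry the SAP_ALL profile directly."""
    return sorted(u for u, rec in users.items() if "SAP_ALL" in rec["profiles"])

def it_users_with_business_access(users=USERS, roles=ROLES):
    """Permanent IT users whose roles, after flattening composites, reach business transactions."""
    biz = set().union(*(effective_tcodes(r, roles) for r in BUSINESS_ROLES))
    hits = {}
    for u, rec in users.items():
        if rec["dept"] != "IT" or "valid_to" in rec:
            continue  # firefighter IDs are reviewed by expiry date instead
        reach = set().union(*(effective_tcodes(r, roles) for r in rec["roles"]))
        if reach & biz:
            hits[u] = sorted(reach & biz)
    return hits

def expired_firefighters(today_iso, users=USERS):
    """Firefighter IDs whose documented validity period has already ended."""
    today = date.fromisoformat(today_iso)
    return sorted(u for u, rec in users.items() if "valid_to" in rec and rec["valid_to"] < today)
```

Run against a real export, the three findings map directly to what the auditors in this thread object to: lingering SAP_ALL, IT staff able to process business transactions, and emergency access that was never revoked.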