Question:
At this time we have been using a naming convention of Z: for any
roles created. I have been told that due to future upgrades we
should create any roles using Z_ as starting point. Can anyone
tell me if this is true?
Answer:
There are many posts on this issue and a search might turn some of these up.
There are many opinions, technically it will not break anything to use naming conventions such as F whatever or V whatever for FI and SD roles, however, lists of roles will mix in SAP delivered template roles in alphabetic order. If SAP ever decided to provide SAP delivered template roles that used another name space than SAP as the beginning of the role name, such as B* or A* and you were using that naming convention you would have a problem.
Using S* role naming conventions can be done but you are asking for "gotchas" to bite you when under various circumstances the S is considered part of the SAP name space and not the customer namespace. Avoid using S. Also avoid using T. I know that sound like I don't know what I am talking about, since "after all" PFCG will generate profiles with suggested profile names beginning with T. But this is the very reason to avoid using it. 1) if you use your own naming convention for profiles, a T profile will automatically be recognized to you as a temporary, test or non production version of an existing profile. 2) There is a method for Security Administration Segregation that suggests the use of T named profiles as a control method for implementing this segregation among SAP Security Admins, and I will not go any further into explaining it, but for the benifit of your learning curve if you ever attemp this method at the requests of auditors to segregate production user / role administration, you will not be confused at the concept having already included T names as part of your business role/gen profile naming convention.
You may also want to consider the issue that is the one voted "most likely to occur." A third party program that will include roles for you to copy for the authorizatoins needed, but which are often used by Basis or other technical partners involved in implementation of these products who will generate and transport the provided role template the product provided which used the Z or Y or other naming convention that might cause you confusion when listing roles, or that might be changed, and you forget that you are working with the original (oomph!!) and need to know what the orignal values were, which is trivial on recent releases, but not on 46B <
While I am thinking about it, not related to role names, you may want to control user ids that begin with SAP. This occurs often considering the common first names that begin with S and last names that begin with AP, it is easy to sweep up such users in Security Administration maintenance ABAP code you may write that does things like, strip the SAP* user of all roles, and profiles, reset and lock the id on time monthly basis automatically. (Sally Applebee is going to be very upset the next morning when after she finally gets unlocked, and then she finds out that she has no roles.) Ooomph!!
In the end it does not cause a problem to depart from Z, if you remember to avoid S, T, and of course, STDs... but that is another issue, not relative to SAP authorizations.
_________________
Gary Morris
SAP Security Analyst/Developer
garymorris@sapsecurity.net
Answer:
What I want to know is if I should use an _ in new roles I create
instead of the : we now use within a role. We always use a Z or
Y to start any role names. Thats all
Answer:
What I want to know is if I should use an _ in new roles I create
instead of the : we now use within a role. We always use a Z or
Y to start any role names. Thats all
Bloody hell, after Gary went to all that trouble to give a detailed reply I'm shocked you replied like that .
Answer:
Use the Colon :
_________________
Best Regards
Bazza
Answer:
I hope my previous reply has not offended you Gary. I really did appreciate your reply to my question and the time and detailed discription
you had put into it. To Security_1977 What does Bloody hell mean anyway.
Answer:
What I want to know is if I should use an _ in new roles I create
instead of the : we now use within a role. We always use a Z or
Y to start any role names. Thats all
Bloody hell, after Gary went to all that trouble to give a detailed reply I'm shocked you replied like that .
Although very informative, Gary's response was ultimately beside the point.