Question:
Hi
Until now I have avoided using the authorization group for ABAPs (no S_DEVELOP etc. in production for other than just a few basis guys), but now I'm faced with a customer where the use of authorization groups for ABAPs could be very useful.
The case is as follows: from time to time a developer will need access to the production environment in order to provide 2nd and 3rd level support. They will of course need access to object S_DEVELOP, transaction SE80 etc., and they will also need to be able to execute reports from SA38.
My question is: if I do not want to give them access to execute all reports in the system, what is then best practice? How do I control which reports they should be able to run and which they should not? We are discussing a naming convention for the authorization group in order to be able to separate "harmless" reports from critical reports, but as far as I can see it, this is almost impossible.
Does anybody have any experience with this?
Regards
Morten
Answer:
Several Options
Code view access.
Set up a CPIC with view-only access and let them use the split screen editor from DEV and not log on to Production at all. The system is set to NOT Changeable, so they cannot correct the code there anyway.
Execution control.
1. Most secure, and actually the only sure way to control: place an auth group on all executable reports in the system and allocate them to the groups who need to use them (about a three day uninterrupted process). Requires ongoing effort as SAP constantly generates new reports.
2. Tie all used reports to roles in PFCG, where PFCG causes you to create a tcode, then let the ABAPers have access to the tcodes for execution, NO SA38 given... loophole: with the proper access (S_DEVELOP) they can switch to a new report and execute unprotected reports.
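Added example, not part of the thread: a small Python check over an exported list of executable reports and their authorization groups (TRDIR field SECU), showing why option 1 only works at full coverage. The report names, group names and the role's P_GROUP value are constructed, and the role is assumed to be able to start reports by name (SA38, or the S_DEVELOP route mentioned above).

```python
from fnmatch import fnmatchcase

# Constructed sample of (report name, TRDIR-SECU authorization group).
# "" means no group is assigned. All names here are made up.
REPORTS = [
    ("ZSUPPORT_LOG_VIEW", "ZSUPP01"),
    ("ZSUPPORT_IDOC_LIST", "ZSUPP02"),
    ("ZFI_PAYMENT_RUN", "ZCRIT01"),
    ("ZHR_SALARY_LIST", ""),
    ("ZOLD_DATA_FIX", ""),
]

def classify(reports, p_groups):
    """Bucket reports for a role that can start reports by name.

    p_groups holds the role's S_PROGRAM P_GROUP values; only '*'
    wildcards are modelled here (an assumption, value ranges are not).
    """
    buckets = {"granted": [], "blocked": [], "unprotected": []}
    for name, secu in reports:
        if not secu:
            # No group on the report: the group check cannot block it.
            buckets["unprotected"].append(name)
        elif any(fnmatchcase(secu, pattern) for pattern in p_groups):
            buckets["granted"].append(name)
        else:
            buckets["blocked"].append(name)
    return buckets

def coverage(reports):
    """Share of reports that carry an authorization group (0.0 to 1.0)."""
    return sum(1 for _, secu in reports if secu) / len(reports)

def runnable(reports, p_groups):
    """Everything the role can execute: granted plus unprotected."""
    b = classify(reports, p_groups)
    return sorted(b["granted"] + b["unprotected"])

if __name__ == "__main__":
    for bucket, names in classify(REPORTS, ["ZSUPP*"]).items():
        print(f"{bucket:12} {', '.join(names)}")
    print(f"coverage: {coverage(REPORTS):.0%}")
```

With the "harmless" groups named ZSUPP* and the critical ones ZCRIT*, the naming convention blocks the payment run, but the two reports without any group stay runnable whatever the role's P_GROUP values are.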
Answer:
NO SA38 given... loophole: with the proper access (S_DEVELOP) they can switch to a new report and execute unprotected reports
And with S_DEVELOP FUGR, they can remove any Authorization Groups which get in their way.
Answer:
Several Options
Code view access.
Set up a CPIC with view-only access and let them use the split screen editor from DEV and not log on to Production at all.
John,
I've set up an ID in production as "Communications", but when I try to use it in SE38/SplitScreen/Across the systems/Display, I get the following message: "Please logon with a dialog user".
We are on SAP R/3 Enterprise.
If it has to be a dialog user, then ABAPers will be able to log in directly in PRD using this ID.