Question:
Dear SAP gurus....
I don't know if I am asking this here at this time.... But I am only a beginner in Basis and security... so what I would like to ask is... in my organisation we have implemented 4.6C. In our organisation we had started right from version 3.1H and had been constantly upgrading. Right now our R/3 version is 4.6C on Windows/Oracle. So the earlier Basis administrators had not given profiles in a proper and disciplined manner... there are so many activity groups and profiles... Then, as version 4.6C was installed, we Basis people started assigning roles and giving them to people. In our organisation we have almost 100 users and each has a certain designation, and we have given so many authorisation objects also to certain people. Now it is not in a proper manner. We have been told by our management to revoke so many extra authorisations and give people access according to their needs and their limits. So what I would like to ask is how I should begin this revoking and how I should give proper authorisation. Is it easier to give roles or profiles? How can we easily handle it if we have to give extra authorisation to the users, in a more appropriate manner, with the help of other functional consultants?
It would be greatly appreciated if any of the SAP experts and SAP gurus could look and please share their appropriate experience and tell how they manage authorisation in their organisation.
Sorry for bothering you guys....
Best regards,
Kurian
Answer:
It is very true. You have not done it in the proper manner. You should talk to the data/business process owners and ask them to define conceptual roles. These roles usually map to business processes and take into account segregation of duties. (Examples of roles: invoice processor, payment processor, vendor master data maintainer, account clearing processor etc.)
After they describe the role conceptually you get them to map business transactions to the role. Then you build the roles, test them and assign them to end users based on the data/business owners' directions.
Each role should have an owner who approves changes to the role and sets guidelines for assigning the role. She may delegate actual assignment.
Periodically the role owner should review who has the role, what other roles they have and should give direction on whether the role should continue to be assigned.
Typically you will need no more than 4 roles per functional area (e.g. accounts payable, accounts receivable, purchasing, etc.).
_________________
bwSecurity
Answer:
We have adopted an approach like that specified by bwSecurity above.
We designed all of the new roles, and then picked a few key users in each area. They were assigned the new roles, and their old roles expired (not deleted). This enabled us to "turn back on" the old roles so their normal work wouldn't be impacted, whilst we modified the new roles. After about a week of doing their normal work, we had the new roles fine-tuned, and then rolled them out to all other users across the country, whilst expiring their old roles.
After about 2 months, we finally deleted the old roles from the user profiles.
We developed Access Request Forms which are specific to each business unit and must be approved by a supervisor or manager. These list all of the roles applicable to each specific area, and we use these to assign the appropriate roles. We have been using this system for about 3 years now and it works well.
Hope this helps.
Michael.
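An added example, not code from either answer above: a small Python model of the approach both replies describe, with roles that expire rather than being deleted (so they can be "turned back on"), a per-date review of who holds which roles for the role owner, and a segregation-of-duties check. The role names follow bwSecurity's examples; the conflict pairs, user names and dates are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    valid_from: date
    valid_to: date  # expiry date; an expired role stays on record instead of being deleted

# Assumed conflict pairs: two roles one person must not hold at the same time.
SOD_CONFLICTS = {
    frozenset({"invoice processor", "payment processor"}),
    frozenset({"vendor master data maintainer", "payment processor"}),
}

FAR_FUTURE = date(9999, 12, 31)  # marks a role with no expiry set

# Constructed sample assignments (not real data). Kurian's old "payment processor"
# role has been expired at the end of March rather than deleted.
ASSIGNMENTS = [
    Assignment("kurian", "invoice processor", date(2003, 1, 1), FAR_FUTURE),
    Assignment("kurian", "payment processor", date(2003, 1, 1), date(2003, 3, 31)),
    Assignment("anna", "vendor master data maintainer", date(2003, 1, 1), FAR_FUTURE),
    Assignment("anna", "payment processor", date(2003, 2, 1), FAR_FUTURE),
    Assignment("ben", "account clearing processor", date(2003, 1, 1), FAR_FUTURE),
]

def active_roles(assignments, user, on):
    """Roles the user actually holds on a given date (expired ones are ignored)."""
    return {a.role for a in assignments
            if a.user == user and a.valid_from <= on <= a.valid_to}

def review_report(assignments, on):
    """Per-user list of active roles, the input for a role owner's periodic review."""
    users = sorted({a.user for a in assignments})
    return {u: sorted(active_roles(assignments, u, on)) for u in users}

def sod_violations(assignments, conflicts, on):
    """Users whose active roles on the date include a conflicting pair."""
    found = {}
    for user, roles in review_report(assignments, on).items():
        hits = [tuple(sorted(p)) for p in combinations(roles, 2) if frozenset(p) in conflicts]
        if hits:
            found[user] = sorted(hits)
    return found

if __name__ == "__main__":
    for day in (date(2003, 2, 15), date(2003, 4, 15)):
        print(day, review_report(ASSIGNMENTS, day), sod_violations(ASSIGNMENTS, SOD_CONFLICTS, day))
```

Running it with the sample data shows Kurian's conflict disappearing once the old role's expiry passes, while Anna's remains and would be raised with her role owner.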