Question:
On the development system, If I have to set up roles to the functional consultants specific to their working modules, what would be the best approach. The approach that I can think of is to create a role by copying the module from the standard sap menu and then maintaining authorizations for it. On SPRO access too, provide access to only those t-codes in SPRO that are specific to the relevant module. am I thinking in the right direction?
What is the usual approach for access to the developers and functional consultants on the development system and in the QAS system.
Thanks,
Security_beginner
Answer:
Hi,
I think you can go to the "SAP Menu" option which is there in the "PFCG". And there you can select all the tcodes in a particular functional module. Transaction codes related to a particular module.
I think it should work it out.hopefully!!!!!!!!!!!!
Answer:
Development = Copy SAP_ALL and remove key basis ( S_ADMI_FCD) and all Security objects (S_USER_xxx). Do not limit Development too closely or they developers/configurers will find the wrong way to configure SAP.
QAS = the roles the user has in production plus a small "look at things" type role for viewing development objects and configuration.
Answer:
Agree. In QAS you may also want to enter a debugging capability for your developers and even configurers. This does introduce a little risk but certainly minor inn a QAS environment.
Answer:
Hi
we are building technology roles in QA and Production ,
In QA
we are planning to have these roles
a) Basis ,
b) security ,
c) abap (progam & table display, do they need debugging access in QA) ,
d) functional users (no configuration)
In PRD
a) Basis ,
b) security ,
do we need abap and functional roles in PRD ? if so what needs to be given
for Basis and security roles should we copy SAP_ALL and restrict role and user management for basis and restrict basis transactions for security roles , or should we build these roles making a list of transactions basis and security use and maintain in S_TCODE , if so how do we make a list of regular transactions basis uses
also are there any other roles required in QA and PRD or any restrictions to be taken care
thanks in advance
Answer:
You do need support roles for ABAPers in production. It should be basically code display. There is a small amount of risk. Users who can display code can execute unprotected type 1 programs.
You also need configuration display access in PRD. Some folks get around this by setting up a table compare mechsnism that they let support users use remotely.