Question:
Does anyone know what transactions a basis administrator should have? We have been asked to delimit the authorisations in SAP (even though they can access it through the database) to just what they need.
Any help is appreciated.
Answer:
You can create a role for basis two ways.
Use the tcodes run option in ST03N (ST03) and remove the functional tcodes and all the security tcodes, or create a role from the Basis menu path in the default menu Tools -> Administration and remove the security tcodes.
You can generalise that all the 'S' tcodes belong to Basis except the security ones, but then you miss the AL08's, DB12's, etc.
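The ST03N approach in the answer above, sketched as an added example that is not part of the original post: it filters a list of tcodes actually run against deny lists and shows which Basis tcodes the "all 'S' tcodes" shortcut would miss. The CSV layout, the deny-list contents and all function names are assumptions for illustration.

```python
import csv
import io

# Constructed sample standing in for an ST03N transaction-profile export.
# The two-column CSV layout is an assumption, not SAP's actual export format.
SAMPLE_EXPORT = """tcode,steps
SM50,412
SM21,188
ST22,95
AL08,40
DB12,12
SU01,77
PFCG,63
VA01,5
FB01,3
"""

# Assumed deny lists for illustration; maintain your own per system.
SECURITY_TCODES = {"SU01", "SU10", "PFCG"}
FUNCTIONAL_TCODES = {"VA01", "FB01"}


def load_usage(text):
    """Return {tcode: dialog steps} from the export text."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["tcode"].strip().upper(): int(row["steps"]) for row in reader}


def role_candidates(usage):
    """Tcodes actually run, minus security and functional ones."""
    excluded = SECURITY_TCODES | FUNCTIONAL_TCODES
    return sorted(t for t in usage if t not in excluded)


def prefix_heuristic(usage):
    """The 'all S tcodes except security' shortcut from the answer."""
    return sorted(t for t in usage if t.startswith("S") and t not in SECURITY_TCODES)


def missed_by_prefix(usage):
    """Basis tcodes the shortcut would leave out of the role."""
    return sorted(set(role_candidates(usage)) - set(prefix_heuristic(usage)))


if __name__ == "__main__":
    usage = load_usage(SAMPLE_EXPORT)
    print("Role candidates:", role_candidates(usage))
    print("Missed by 'S' prefix rule:", missed_by_prefix(usage))
```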
Answer:
This is a fast way.
Create a sap_all look alike from a template then go in and deactivate all the objects for all the modules except basis and cross application and possibly classification and document management (you get the picture). Also deactivate the security objects and possibly fine tune the authorizations for S_ADMI_FCD and S_LOG_COM etc. The auditors will croak at the number of tcodes but if you are doing a real risk assessment and cost benefit analysis this may be perfectly adequate.
I am sure that there will be plenty of comments to follow on additional changes you would have to make. Consider them all.
_________________
bwSecurity
Answer:
You are probably better off creating accountability and eliminating anonymity in basis, than restricting auths on the application servers.
Restrict DDIC & Co. rather than tcode if you want to contain risks.
Tarr