Is there a program which builds roles from trace files ?

Question: Has anyone heard of a program like

1. Is there a program which builds roles from trace files ?

I mean you do a trace on the user and then stop the trace; this program should pick up all the auth objects and values from the user trace file. Is it there?

Answer:
Good idea. I bet you could make a lot of money if you could write such a program and sell it.

Answer:
There is not, and you should not rely on one that does. The ST01 trace is subject to interpretation, and many object checks are NOT to be given out to the general public. Many of the checks are TOGGLE switches to turn things on or off in the program, and if you relied on the trace you would have a role with too much access.
There is no "quick push a button and solve my problems" in SAP Security; it all takes time and a deep understanding of the auth objects and what they allow. SAP Security is as complex as SAP.

Answer:
I have seen projects building roles from the trace files. To me the first impression was that this is not a good thing to do. Then I analysed and found out some clients want to do it that way, since that's the most cost-effective way out; later they can restrict the objects. Kind of approach: OPEN to CLOSE.
Using PFCG we have all the variables in control; the approach is CLOSE to OPEN, as SAP default values are mostly blank for fields. This is a good approach for the re-audit, or for other clients who have a lot of pre-existing roles to start with. They can have PFCG used, but who says PFCG is the greatest tool?? The fresh clients starting out can use the trace; it's painful, but it is a good way out.

Answer:
Dr. Jarboe is very correct. You can't get good security by ape-ishly building roles out of trace files. But there is a growing niche for programs that take the thinking (and security) out of security, so someone should step up and take this one on.
_________________
bwSecurity

Answer:
The trace is ideal for CONFIGURING SU24, which feeds PFCG, NOT as a basis for roles. You are performing a disservice to the customer if you do not configure SU24 to meet the control needs, so that ANYTIME you add a tcode that was used before you get the consistent input into PFCG. Every merge-old/add-new without the addition of a tcode should NOT generate Yellow lights unless the config was changed. Relying on the trace to build roles requires you to retrace (no pun intended) your steps to get all the info in the trace for the tcode. This is what SU24 is for: to record this info ONCE. Yes, SAP does not deliver SU24 complete, but your controls and configuration may dictate a change, so CONFIGURE SU24/PFCG to assist you by removing the menial tasks of role development so you can concentrate on more far-reaching, value-added tasks, like SoDs.

Answer:
But keep in mind that a transaction code is a single entry point into many varied kinds of functionality. There isn't one right answer for transaction VA01 in SU24. You can create a general answer but VA01 can be used in a variety of ways in different roles and the activities and values that these roles may require could be different all with the same VA01.
_________________
bwSecurity
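The two points made above (the trace contains failed "toggle" checks that a naive role builder would still grant, and SU24 proposals, not the raw trace, should feed PFCG, with per-role field values decided by design) can be shown on a small, constructed trace. The following is an added example, not code from the original thread or from SAP. The line layout is a simplified stand-in for an ST01 trace, not the real format; the object and field names are used only as illustrative labels, the SU24 proposal table is constructed, and "RC=0 means the check passed, non-zero means it failed" is an assumption stated in the code.

```python
"""Added example: aggregate a constructed, simplified authorization trace
into a role the naive way (everything seen) and the reviewed way (passed
checks on SU24-proposed objects only, everything else sent to review).
The trace layout below is a constructed stand-in for ST01, not its real format."""
import re
from collections import defaultdict

# Constructed sample trace. Assumption: RC=0 is a passed check, RC=4 a failed one.
# Lines 4 and 6 are the "toggle" checks the program asks about and takes the
# NO branch on; a tool that grants everything in the trace would grant them.
SAMPLE_TRACE = """\
USER=ACLERK TCODE=VA01 OBJ=S_TCODE TCD=VA01 RC=0
USER=ACLERK TCODE=VA01 OBJ=V_VBAK_VKO ACTVT=01 VKORG=1000 VTWEG=10 SPART=00 RC=0
USER=ACLERK TCODE=VA01 OBJ=V_VBAK_AAT ACTVT=01 AUART=OR RC=0
USER=ACLERK TCODE=VA01 OBJ=V_VBAK_VKO ACTVT=02 VKORG=1000 VTWEG=10 SPART=00 RC=4
USER=ACLERK TCODE=VA01 OBJ=V_VBAK_VKO ACTVT=01 VKORG=2000 VTWEG=10 SPART=00 RC=0
USER=ACLERK TCODE=VA01 OBJ=S_DEVELOP ACTVT=03 OBJTYPE=PROG RC=4
USER=ACLERK TCODE=VA01 OBJ=S_GUI ACTVT=61 RC=0
"""

# Constructed SU24-style proposal table: which objects a tcode is maintained
# to propose into PFCG. Anything traced outside this list needs a human decision.
SU24_PROPOSALS = {"VA01": {"S_TCODE", "V_VBAK_VKO", "V_VBAK_AAT"}}

PAIR_RE = re.compile(r"(\w+)=(\S+)")
META_KEYS = ("USER", "TCODE", "OBJ", "RC")


def parse_trace(text):
    """Turn each constructed trace line into a record dict."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pairs = dict(PAIR_RE.findall(line))
        records.append({
            "user": pairs["USER"], "tcode": pairs["TCODE"], "obj": pairs["OBJ"],
            "rc": int(pairs["RC"]),
            "fields": {k: v for k, v in pairs.items() if k not in META_KEYS},
        })
    return records


def _freeze(role):
    return {obj: {f: sorted(vals) for f, vals in fields.items()} for obj, fields in role.items()}


def naive_role(records):
    """What a 'build the role from the trace' tool would produce: every object
    and every value the user ever touched, failed checks included."""
    role = defaultdict(lambda: defaultdict(set))
    for r in records:
        for field, value in r["fields"].items():
            role[r["obj"]][field].add(value)
    return _freeze(role)


def reviewed_role(records, proposals):
    """Keep only passed checks on objects SU24 proposes for that tcode.
    Failed (toggle) checks and unproposed objects go to a review list, and the
    field values that survive are still just what this one user used; the values
    a given role should carry are a design decision, not a trace artefact."""
    role = defaultdict(lambda: defaultdict(set))
    review = []
    for r in records:
        if r["rc"] != 0:
            review.append(("failed check, likely a toggle", r["tcode"], r["obj"], r["fields"]))
            continue
        if r["obj"] not in proposals.get(r["tcode"], set()):
            review.append(("not in SU24 proposal", r["tcode"], r["obj"], r["fields"]))
            continue
        for field, value in r["fields"].items():
            role[r["obj"]][field].add(value)
    return _freeze(role), review


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    print("naive:", naive_role(recs))
    built, to_review = reviewed_role(recs, SU24_PROPOSALS)
    print("reviewed:", built)
    for item in to_review:
        print("review:", item)
```

Run as-is, the naive role carries ACTVT 01 and 02 on V_VBAK_VKO plus S_DEVELOP and S_GUI, none of which the user was actually allowed to use for the thing that was traced; the reviewed role keeps ACTVT 01 only and hands the three other checks to a person. Note that even the reviewed role contains both sales organisations 1000 and 2000 purely because the traced user happened to touch both, which is the point about one tcode needing different values in different roles.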

Answer:
Hi Matt,

Have you heard of the saying "prevention is better than cure"? It applies to this situation perfectly. If you give too much freedom to users, the damage it could inflict on your system's data would almost certainly have occurred BEFORE you get around to plugging up the holes.

And also think of the kind of damage we're talking about. You will have accounting documents posted to wrong accounts, payments made to the wrong vendors, shipments delivered to the wrong locations..... these are all irreparable damage.

I have 3 words for you: Don't go there.

Answer:
> Hi Matt,
>
> Have you heard of the saying "prevention is better than cure"? It applies to this situation perfectly. If you give too much freedom to users, the damage it could inflict on your system's data would almost certainly have occurred BEFORE you get around to plugging up the holes.
>
> And also think of the kind of damage we're talking about. You will have accounting documents posted to wrong accounts, payments made to the wrong vendors, shipments delivered to the wrong locations..... these are all irreparable damage.
>
> I have 3 words for you: Don't go there.

There is no security in SAP that can prevent miscoded accounting documents, payments to wrong vendors and shipments to wrong locations.
_________________
bwSecurity

Answer:
Hi Bwsecurity,

> There is no security in SAP that can prevent miscoded accounting documents, payments to wrong vendors and shipments to wrong locations.

Why not? The damage you can prevent using SAP Security always depends on how you use it.... how you design the overall authorization structure.

If someone was not meant to have authority to perform a certain process, most likely that person does not know how to do it correctly. Vice versa, if you knew someone doesn't have the knowledge to do something correctly, you wouldn't give him/her the authorization to do it.

An example, let's say you've hired a new accounting clerk. Since he's new, you would expect him to make some mistakes initially. If you give him authorization to freely post accounting documents, you're likely to get wrong postings made. Instead, it would be a better idea to give him only authorization to park documents, and have his supervisor QA his work before posting.

See? There are many other examples, but what I'm trying to say is, the amount of damage prevention you can achieve with SAP Security depends on your own design.... SAP just provides you with all the building blocks.

Cheers.

Answer:
> Hi Bwsecurity,
>
> > There is no security in SAP that can prevent miscoded accounting documents, payments to wrong vendors and shipments to wrong locations.
>
> Why not? The damage you can prevent using SAP Security always depends on how you use it.... how you design the overall authorization structure.
>
> If someone was not meant to have authority to perform a certain process, most likely that person does not know how to do it correctly. Vice versa, if you knew someone doesn't have the knowledge to do something correctly, you wouldn't give him/her the authorization to do it.
>
> An example, let's say you've hired a new accounting clerk. Since he's new, you would expect him to make some mistakes initially. If you give him authorization to freely post accounting documents, you're likely to get wrong postings made. Instead, it would be a better idea to give him only authorization to park documents, and have his supervisor QA his work before posting.
>
> See? There are many other examples, but what I'm trying to say is, the amount of damage prevention you can achieve with SAP Security depends on your own design.... SAP just provides you with all the building blocks.
>
> Cheers.

Yes, the security manager can become the training manager, the supervisor, the quality assurance manager etc. but this is very costly and pretty soon they'll find a way around it. But if keeping power and control are your personal agenda then by all means keep trying to prevent errors using SAP security.
_________________
bwSecurity

Answer:
As BWSecurity suggests...

Security is NOT:

1. a substitute for training,
2. reason to abdicate one's responsibility
3. Mechanism to provide "wants" versus "needs"
4. replacement for poor business practices

Security is
A mechanism to prevent loss to the company tempered by the cost to implement... Keep it simple...

I am not sure why companies believe they have to Park a document and then have someone else post it. No invoice should be posted unless it is approved by the receiver of the service. Why even enter it in the system? SAP ignores it when it comes to financials. Yes, it is a method of "dunning" the service receiver, as you can keep track of parked documents and help vendors who have not been paid, but is that your reason for being?

Parking and then posting is not entering the data ONCE. This is tantamount to a double-entry method and is a gross waste of money and time. DO the work once!

Train your people, improve your processes and fire those that do not comply... "resistance is futile"...It also sends a message you mean it...

Answer:
bwsecurity,

> Yes, the security manager can become the training manager, the supervisor, the quality assurance manager etc. but this is very costly and pretty soon they'll find a way around it. But if keeping power and control are your personal agenda then by all means keep trying to prevent errors using SAP security.

Uh.... No, "keeping power and control" are not my personal agenda, just want to create a proper Authorization Matrix by WORKING with the people you mentioned.

By the way, you are correct. There is no security in SAP that can prevent miscoded accounting documents, payments to wrong vendors and shipments to wrong locations.
Copyright © 2007 - 2008 www.jt77.com