Question:
Hi,
I have a basic question. Suppose I assign 10 to 20 transaction codes to a role; PFCG will pull up a list of related authorization objects for the assigned t-codes. These authorization objects may belong, for example, to Basis or functional areas. For many of these authorization objects the field values are not maintained. My question is: how will we know what field values need to be maintained, especially for critical authorization objects related to Basis and ABAP? What is the best practice? Especially for the Activity field, what do we maintain? If we just put ' ', what will be the consequence? Will the transaction codes work properly?
I have searched the forum but I could not get the clear picture.
Thanks.
Answer:
How will we know what field values need to be maintained, especially for critical authorization objects related to Basis and ABAP? As a beginner you will not know... Ask the functional and Basis team.
What is the best practice? Learn what the object controls and study the corporate control requirements.
Especially for the Activity field, what do we maintain? The activity is associated with the tcode; for MANU tcodes they are apparent: Create PO, then the activity is Create, etc. An ST01 trace will show what is checked. Generally, if you do not have the access you cannot run the tcode; there are exceptions....
If we just put ' ', what will be the consequence? The tcode will not run, or it will run because another tcode had the same value and supplied it. ST01 will tell you.
Will the transaction codes work properly? It depends: is the needed value supplied by another tcode?
I have searched the forum but I could not get the clear picture. There is not one: experience, long hours of trial and error, studying the object and the way SAP runs, and learning control concerns.
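The answer above hinges on one rule of the SAP authorization check: every field in an AUTHORITY-CHECK must be satisfied by a single authorization in the user's buffer, so a blank ACTVT in one authorization is not "filled in" by a value maintained in another. The following added example (not from the original thread or from SAP) models that matching in Python to show the three cases discussed: a blank activity value, a value supplied by another tcode's authorization, and values split across two authorizations. The object, its fields (an ACTVT activity field plus a BUKRS organizational field) and the sample buffers are constructed for illustration; range (BT) values and the DUMMY convention are deliberately left out of this simplified model.

```python
from typing import Dict, List, Optional

# One authorization is one set of field values maintained together in PFCG for
# a single instance of an authorization object. The user buffer holds every
# authorization from every role assigned to the user.
Authorization = Dict[str, List[str]]


def value_matches(maintained: str, checked: str) -> bool:
    """Match one maintained value against one checked value (simplified model).
    '*' matches everything, a trailing '*' is a prefix wildcard, and a blank
    value (' ') only satisfies a check that itself passes a blank."""
    m = maintained.strip()
    c = checked.strip()
    if m == "*":
        return True
    if m.endswith("*"):
        return c.startswith(m[:-1])
    return m == c


def authority_check(buffer: List[Authorization], check: Dict[str, str]) -> Optional[int]:
    """Model of AUTHORITY-CHECK: ALL fields of the check must be satisfied by ONE
    authorization; values from different authorizations never combine.
    Returns the index of the first authorization that passes, or None (sy-subrc <> 0)."""
    for idx, auth in enumerate(buffer):
        if all(
            any(value_matches(v, checked) for v in auth.get(field, [" "]))
            for field, checked in check.items()
        ):
            return idx
    return None


# Constructed sample: the check a "display" tcode would raise (activity 03).
CHECK = {"ACTVT": "03", "BUKRS": "1000"}
# Case 1: ACTVT left unmaintained (' ') in the only authorization -> tcode fails.
ACTVT_BLANK: List[Authorization] = [{"ACTVT": [" "], "BUKRS": ["1000"]}]
# Case 2: same blank authorization, but another tcode in the role pulled in a
# second authorization that supplies ACTVT 03 -> the check passes on that one.
SUPPLIED_BY_OTHER_TCODE: List[Authorization] = [
    {"ACTVT": [" "], "BUKRS": ["1000"]},
    {"ACTVT": ["03"], "BUKRS": ["*"]},
]
# Case 3: each authorization has one of the needed values -> still fails.
SPLIT_ACROSS_AUTHS: List[Authorization] = [
    {"ACTVT": ["03"], "BUKRS": [" "]},
    {"ACTVT": [" "], "BUKRS": ["1000"]},
]

if __name__ == "__main__":
    for name, buf in (("blank", ACTVT_BLANK), ("other tcode", SUPPLIED_BY_OTHER_TCODE), ("split", SPLIT_ACROSS_AUTHS)):
        print(f"{name}: passes on authorization {authority_check(buf, CHECK)}")
```

An ST01 trace shows the same thing from the system's side: which object and field values were checked and whether any single authorization satisfied them.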
Answer:
It doesn't sound like you are a security beginner...
1) Check whether the transaction you are adding is the least restrictive one for achieving what the user needs. BPML is a good place to start from for this <= Responsibility of the customer.
2) Perhaps SAP should issue a cumulative note on things which require correction in SU24?
But I guess that would cause havoc for customers due to the adjustments required for the roles or profiles.
Also check Authorizations Made Easy on Garry Morris's web site.
Moral of the story: Right first time with lots of thinking and testing before you decide on the design.
Also be brave! When you realize that the design is standing on its head, change it earlier rather than later. Otherwise, it costs more to fix due to the ever increasing amount of dependencies on the errors.
Hope that helps!
Ned