Question:
Hi,
First time on a SAP implementation dealing with security and the first question from the devolopers is the setting up of authorisation groups on S_TABU_DIS.
On previous projects they have left this as the default (&NC&), but are now asking whether this should be set up differently. This is on the sandbox, so I guess a decision like this is not too important as it will be for test or production, but my understanding is that once this has been set like this it can't be changed.
My questions are :-
1) If this was set up in the sandbox would that form the basis for all systems through test and production?
2) Is it good practice to set up authorisation groups and if so how should I use this as an enhancment to security?
Apologies if this had been asked before, but I am new to this and I am keen to do things correctly.
Regards.
Nick.
Answer:
1) If this was set up in the sandbox would that form the basis for all systems through test and production?
It depends on the use of you sandbox, the clasic definition is an "area to play without reprocusion and where the cat poops" SO NO it should not be the basis for other systems, that is what development is for.
2) Is it good practice to set up authorisation groups and if so how should I use this as an enhancment to security? It is a good practice but not required unless you want them in thepull bown. Auth groups are used to combine dis-similar objects into a common key for control. SAP allows ecurity to change thense values in SE54 and SUCU to allow access to be controlled to specific tables associated with a business process.
Answer:
Thanks for the reply.
If I've understood that correctly, then, I can allow &NC& to be left as the default for the sandbox and then administer security levels via SE54 or SECU on S_TABU_DIS during this phase of the project. So setting up authorisation groups at this stage would only give me a drop down as an advantage, it wouldn't preclude me from setting them up later and perhaps implementing them as a drop down in the test and production phases?
Regards
Answer:
Authorizationgroups are not configuration and can be changed any time, the sooner you do it the less changes to the role to retrofit them to accomodate the new auth groups assigned to the table... Aslo you do not need to "do anything" to &NC&, it is hard coded inthe S_TABU_DIS check to check this value if the auth group on the table is blank. SAP has actually statred to load this value on some tables.
Answer:
Thanks for the info John, much appreciated.