Question:
Hi,
I was wondering if someone can help. During a recent internal audit my company realised that users in Prod can create and maintain Info sets. They now need this to stop and have the users create them in Dev and transport them through to Prod. I have been handed the wonderful task of finding the authorisation that is allowing the users to do this for the roles! So far I have come up with S_PROGRAM and S_TABU_DIS access which I think is allowing the users to create and maintain the Sets. Does anyone out there know of any authorisation that I may need to look at?? Any help would be nice!
thanks
from a hard working underpaid security analyst!
Answer:
Ask the auditors for their working papers documenting on which criteria they based this observation. Then fix that.
Auditors are often lazy, and almost always do not understand what they are doing and saying.
Then you can search for the other 99 ways on your own again, in peace.
Ned
Answer:
Depends on how the audit staff is using the word "info set" and does it translate directly or indirectly. Some tcodes dealing with info sets are MC04, MC05, MC0C. Or do they mean the reports GR21, GR31, GR55?
You will need more specifics from the audit report, either the tcode or the user so you can find the tcode, then look at removing the tcode and the underlying Auth object. (SU24 should help.)
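
An added example, not part of the original posts: one way to find which roles grant the transaction codes named in the answer above, including roles that match only through a wildcard or a range. It assumes the role authorization values have been exported to CSV with the column names of table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH); the role names and rows are constructed sample data.

```python
import csv
import io
import re

# Transaction codes named in the answer above.
TARGET_TCODES = ("MC04", "MC05", "MC0C", "GR21", "GR31", "GR55")

# Constructed sample export; column names assume the AGR_1251 layout.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_SALES_REPORTING,S_TCODE,TCD,MC04,
Z_SALES_REPORTING,S_TCODE,TCD,VA03,
Z_FI_POWER_USER,S_TCODE,TCD,GR*,
Z_LOGISTICS_ALL,S_TCODE,TCD,MC00,MC0Z
Z_DISPLAY_ONLY,S_TCODE,TCD,SU53,
Z_DISPLAY_ONLY,S_TABU_DIS,ACTVT,03,
"""


def value_covers(low, high, tcode):
    """True if one authorization value (single, '*' pattern or range) covers tcode."""
    low, high = low.strip().upper(), high.strip().upper()
    if high:
        # Simplification (assumption): ranges are compared as plain strings.
        return low <= tcode <= high
    pattern = re.escape(low).replace(r"\*", ".*")
    return re.fullmatch(pattern, tcode) is not None


def roles_granting(export_text, tcodes=TARGET_TCODES):
    """Map each target tcode to the sorted roles whose S_TCODE values cover it."""
    hits = {t: set() for t in tcodes}
    for row in csv.DictReader(io.StringIO(export_text)):
        # Only the transaction-start check is examined here.
        if row["OBJECT"] != "S_TCODE" or row["FIELD"] != "TCD":
            continue
        for t in tcodes:
            if value_covers(row["LOW"] or "", row["HIGH"] or "", t):
                hits[t].add(row["AGR_NAME"])
    return {t: sorted(roles) for t, roles in hits.items()}


if __name__ == "__main__":
    for tcode, roles in roles_granting(SAMPLE_EXPORT).items():
        print(f"{tcode}: {', '.join(roles) or '-'}")
```

A search for the literal transaction code alone would miss Z_FI_POWER_USER and Z_LOGISTICS_ALL in this sample, since they grant the codes through `GR*` and the range `MC00`-`MC0Z`.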