
S_ADMI_FCD with DBA authorization - needed only for system administration?

Former Member
0 Kudos

SAP note 1446530 enables one to use the SE16n edit function again on a case-by-case basis. As an authorization check it uses S_ADMI_FCD with field DBA.

I found that we have quite a few old roles and profiles that contain this combination, and now I am wondering whether this is clearly only an authorization needed for system administration (as SU21 states: database administration), or whether it is also needed for some "business" transactions in the background. If the first were the case, it would be quite easy to just remove the combination from all roles...

Regards

Martin

1 ACCEPTED SOLUTION

martin_voros
Active Contributor
0 Kudos

Hi,

you can check table USOBT to see in which transactions object S_ADMI_FCD is checked. I know that this does not mean that it can't be checked anywhere else, but it gives you an idea where it is used. In our systems it's assigned to transactions which start with DB* and transaction CU02. I am not sure why it's required in CU02, but only this transaction looks like a business transaction.

I also checked roles in our system and there are some SAP roles with authorization for DBA, but it looks like all of them are for power users. So I assume the guys were too lazy to identify all activities correctly and put * there instead.

If you have some time, you can try to check it yourself. Just look for where object S_ADMI_FCD is used and then go through the list and look for the check for DBA. From the program name you should be able to derive where it is used. Again, even with this tedious process you can still miss something.

Cheers
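One way to run the role-side check discussed in this thread (is DBA maintained explicitly, or does it arrive through `*`?), as an added example that is not part of any post here. It assumes a tab-separated extract shaped like table AGR_1251 with columns AGR_NAME, OBJECT, FIELD, LOW, HIGH and DELETED; the role names and rows are constructed, and the value matching is a simplified model of trailing-`*` patterns and LOW/HIGH ranges.

```python
import csv
import io

# Constructed sample extract (assumed AGR_1251-like layout, invented roles).
SAMPLE_EXPORT = (
    "AGR_NAME\tOBJECT\tFIELD\tLOW\tHIGH\tDELETED\n"
    "Z_BASIS_DBA\tS_ADMI_FCD\tS_ADMI_FCD\tDBA\t\t\n"
    "Z_ENDUSER_COPY\tS_ADMI_FCD\tS_ADMI_FCD\t*\t\t\n"
    "Z_SPOOL_USER\tS_ADMI_FCD\tS_ADMI_FCD\tSP01\tSP0R\t\n"
    "Z_POWER_USER\tS_ADMI_FCD\tS_ADMI_FCD\tD*\t\t\n"
    "Z_RANGE_ROLE\tS_ADMI_FCD\tS_ADMI_FCD\tAAAA\tPADM\t\n"
    "Z_OLD_ROLE\tS_ADMI_FCD\tS_ADMI_FCD\tDBA\t\tX\n"
    "Z_RFC_ROLE\tS_RFC\tRFC_NAME\t*\t\t\n"
)


def dba_grant(low, high, target="DBA"):
    """Return how a LOW/HIGH pair covers target: explicit, wildcard, range or None."""
    low, high = low.strip(), high.strip()
    if low == target and not high:
        return "explicit"
    # Simplified pattern rule: a trailing * matches any value with that prefix.
    if low.endswith("*") and target.startswith(low[:-1]):
        return "wildcard"
    # Simplified range rule: plain string comparison between LOW and HIGH.
    if high and low <= target <= high:
        return "range"
    return None


def audit_roles(export_text):
    """Map each role to the set of ways it grants S_ADMI_FCD value DBA."""
    findings = {}
    reader = csv.DictReader(io.StringIO(export_text), delimiter="\t")
    for row in reader:
        if row["OBJECT"] != "S_ADMI_FCD" or row["FIELD"] != "S_ADMI_FCD":
            continue
        if row["DELETED"].strip():  # assumption: flag set means the line is not active
            continue
        kind = dba_grant(row["LOW"], row["HIGH"])
        if kind:
            findings.setdefault(row["AGR_NAME"], set()).add(kind)
    return findings


if __name__ == "__main__":
    for role, kinds in sorted(audit_roles(SAMPLE_EXPORT).items()):
        print(f"{role}: DBA granted via {', '.join(sorted(kinds))}")
```

Roles reported as `wildcard` or `range` are the ones where DBA was probably never a deliberate choice and are the first candidates for cleanup.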

8 REPLIES

Former Member
0 Kudos

Martin,

Authorization object S_ADMI_FCD relates to system administration tasks like SM04 and SM59.

Make sure there is no full access given to S_ADMI_FCD object.

Thanks,

Sri

0 Kudos

Hello Sri,

would you please carefully read my post before replying to it?

I am totally aware of what S_ADMI_FCD does! I am looking for the DBA field.

Best regards

Martin

0 Kudos

Martin,

DBA: it should be given to database adm / Basis guys only.

http://help.sap.com/saphelp_NW70/helpdata/de/99/23f31f49c04227a07cf6e09725c50b/content.htm

Thanks,

Sri

Edited by: sri on Jul 19, 2010 3:59 AM

Former Member
0 Kudos

Hi Martin,

As far as I am aware there is no requirement for any business transactions to have S_ADMI_FCD with DBA. Even the other permutations of S_ADMI_FCD are relatively infrequent.

Is DBA specifically maintained in the roles/profiles or has it got there through use of *?

0 Kudos

At least I could identify it in a general end-user role. SAP did a strange job providing SAP_BC_ENDUSER with an S_ADMI_FCD and "*" value, and one role has been created by copying this role and not changing/inactivating this...

Regards

Martin

0 Kudos

It will be a pain if the * is in an end user role. There are a few that may pop up and cause you problems if they haven't been updated elsewhere (I am thinking along the lines of values like SP01, SP0R, PADM).

Good luck with the removal/remediation. It should be a lot less painful than trying to do the same with S_RFC.

Former Member
0 Kudos

Hi Martin,

Why don't you copy that role, keep the necessary authorizations, and provide it to users who are going to administer the systems?
