ABAP Consultants demand SAP_ALL


Hi,

In our company the ABAP developer is enjoying the privilege of SAP_ALL; now we want to change this and limit the access. But the ABAP consultants are demanding full access to all the Business Transactions for their daily work.

I have proposed the standard developer role along with a few additional transactions.

Is it really needed to give full access to ABAP consultants? Please suggest, or what is the best way to build the security for ABAP consultants?

Regards,

Ram

1 ACCEPTED SOLUTION

Former Member

SAP_ALL is not supposed to be given and is to be used carefully, especially in production systems... Before we get into this further...

- Which system are the developers asking for SAP_ALL in?

- Did you ask them for any specific reason why they are asking for SAP_ALL?

- What kind of profile/authorization management are you following in your company for the various roles?

I would say, in any system (it doesn't matter whether it is a productive system or not), SAP_ALL should never be given to anyone. Ask them what kind of authorization they need - which objects they need to edit/create... in addition to the std developer role... You might come up with some kind of role that can be given to those...

Regards


Former Member

Hi Reddy,

A few inputs from my side.

1. In the Development client, I give only the SAP standard Developer role, and for any extra Tcodes I try to create single ADD ON roles with limited validity.

2. In the Unit Test client, I give all Business roles to these developers along with the Developer role. (Created a copy of all business roles, assigned them to one composite role, and assigned it to the DEV people - helpful at many times.)

3. The same Comp role can be given in the QTY environment as well.

If the above is a difficult task... also try copying the profile SAP_ALL to a role and making all BASIS-related objects inactive. This role has to be carefully created, and the restriction on S_TCODE has to be huge and made very cautiously.

Ranges for Tcodes can be a solution in this case and would be helpful.

Hope these inputs are helpful.

Br,

Sri

Award points for helpful answers

morten_nielsen
Active Contributor

Hi

At the end of the day you won’t succeed in limiting your developers’ access to your development system. You need to trust your developers (and SAP BASIS admins); if you don’t, get somebody else!

<i>I know this statement is somewhat controversial.</i>

<b>But remember:</b>

Authorization checks are implemented directly in the ABAP code. With access to debug with replace, which you definitely need as a developer, you’re able to change the return code from an authorization check, and thereby skip the restrictions that you have been trying to enforce.

Developers are able to read/write all of your SAP tables. If they behave according to best practice, they would use standard BAPIs and function modules/methods. These will often have authorization checks implemented. But they are also able to use the select, modify, update etc. statements to manipulate tables and table content directly.

Your SAP implementation should support your business; if your security setup makes it too difficult for your developers to perform the required tasks, the cost of ownership will increase, and you will become a part of the problem, not the solution. I have often seen too rigid security setups. The result of these is that your developers will have to create/find workarounds, either through debugging around authorization checks, calling a report/function module directly, finding other transactions in which they could perform the same task, or even doing some development themselves.

This <b>doesn’t</b> mean you should grant them SAP_ALL access. Creating a role with limited access is a good way of communicating, that is - “if you haven’t got access, it’s because you shouldn’t touch this”.

I would always suggest that you, on development, give your developers full access to all business transactions; they will often be in a situation where they need to test/debug/find standard functionality in the business transactions. What you should look at are the authorization objects that could affect the overall stability/security of your system. These could be user and profile objects, access to table groups SS and SA (S_TABU_DIS), S_ADMI_FCD, access to create RFC destinations, etc.

Regards

Morten Nielsen


Hi,

Thank you very much for the help. I have one more issue now. I have created 3 single roles for ABAP developers to give all the authorizations needed, and in one of the roles, which is meant purely for business transactions, the system has added SU01 as well under S_TCODE. We do not want the ABAP consultants to have access to this. But the node is STANDARD type. How do I remove SU01?

Please suggest.

Thank you very much in advance.

Regards,

Ramakrishna Reddy

-


Standard Transaction Code Check at Transaction Start S_TCODE

Standard Transaction Code Check at Transaction Start T-DP37006600

Transaction Code 0KW7, 0VRF, 0VTA, 0VTB, 0VTC, 0VTD, 0VTE, 1KE0, 1KE4, 1KEE, 1KEK, 2KEE<...> TCD

-



Hi

Check the user menu - my guess is you'll find SU01 in there somewhere.

Regards

Morten Nielsen


Hi,

I can see SU01 under S_TCODE, but since it is a standard node it is not letting me modify the values.

I cannot even remove the whole node, because it has a long list of transactions associated with it.

Regards,

Ramakrishna Reddy


Hi

If it's marked as standard without the possibility to change the node, it's because it's included in the role menu. In order to delete it, you need to locate it in the role menu and delete it there.

Regards

Morten Nielsen
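Two points in this thread are easy to get wrong when reviewing a developer role by hand: Sri's suggestion of using Tcode ranges in S_TCODE (a range such as SU00 to SU99 silently covers SU01), and Ramakrishna's pasted S_TCODE node, where one critical transaction is buried in a long comma-separated list. The script below is an added example written for this page, not code from SAP or from any poster. It parses a line in the pasted "Transaction Code ... TCD" format, applies SAP-style single-value, wildcard and from/to range matching (an approximation: SAP compares in the system code page, here plain string comparison on upper-case codes), and reports which entries grant any transaction from a list of sensitive ones. SU01 is the transaction from the thread; SU10, PFCG and SM59 are real transactions the editor added as further examples of what a pure business-transaction role should not carry.

```python
"""Find which S_TCODE entries of a PFCG role grant sensitive transactions.

Added example for this thread (not SAP code). The matching rules follow how
the TCD field of S_TCODE is filled in PFCG: a single value, a value ending in
'*' as a prefix wildcard, or a from/to pair forming an inclusive range.
"""

# Constructed sample: the format of the S_TCODE node pasted in the thread,
# with SU01 hidden in the middle of the list.
PASTED_TCD_LINE = "Transaction Code 0KW7, 0VRF, 0VTA, SU01, 1KE0, 1KEE TCD"

# Constructed sample of a maintained range entry, as Sri's post suggests.
RANGE_ENTRY = ("SU00", "SU99")

# Sensitive transactions to look for (editor's assumption; SU01 is from the
# thread, the others are user/role/RFC administration transactions).
CRITICAL_TCODES = ["SU01", "SU10", "PFCG", "SM59"]


def parse_tcd_line(line):
    """Turn 'Transaction Code A, B, C TCD' into a list of (from, to) pairs.

    Every token becomes a single value (empty 'to'); a '<...>' token marks
    a truncated list in the paste and is skipped.
    """
    body = line.strip()
    if body.startswith("Transaction Code"):
        body = body[len("Transaction Code"):]
    if body.endswith("TCD"):
        body = body[:-len("TCD")]
    entries = []
    for token in body.split(","):
        token = token.strip().upper()
        if not token or token.startswith("<"):
            continue
        entries.append((token, ""))
    return entries


def matches(value_from, value_to, tcode):
    """Does one S_TCODE entry cover the given transaction code?"""
    tcode = tcode.upper()
    if value_to:                               # inclusive from/to range
        return value_from.upper() <= tcode <= value_to.upper()
    if value_from.endswith("*"):               # prefix wildcard, e.g. VA*
        return tcode.startswith(value_from[:-1].upper())
    return value_from.upper() == tcode         # single value


def granting_entries(entries, tcode):
    """All entries of the node that grant the given transaction."""
    return [(f, t) for f, t in entries if matches(f, t, tcode)]


def critical_findings(entries, critical=CRITICAL_TCODES):
    """Map each sensitive transaction to the entries that grant it.

    Transactions that no entry covers are left out, so an empty dict means
    the node is clean with respect to the list.
    """
    findings = {}
    for tc in critical:
        hits = granting_entries(entries, tc)
        if hits:
            findings[tc] = hits
    return findings


if __name__ == "__main__":
    node = parse_tcd_line(PASTED_TCD_LINE) + [RANGE_ENTRY]
    for tc, hits in critical_findings(node).items():
        print(f"{tc} is granted by: {hits}")
```

Run against the constructed node the script reports SU01 twice (once as the explicit value, once through the SU00-SU99 range) and SU10 once through the range, while PFCG and SM59 are not found. As Morten notes, on a development system this kind of review should focus on the user, profile and administration objects rather than on business transactions; the script only tells you which entry to go back to in the role menu.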