The structure of SAP is such that the privilege to create a user and to allocate the role/activity to perform any function is given through a single transaction code.
The inability to allocate roles and create users or reset their passwords through two different channels (transaction codes) is a structural weakness within SAP which can only be addressed by the technical people of SAP AG.
An ideal segregation would require these complementary functions to be performed by two different users. That is, the person who has the ability to create a user should not be allowed to assign the roles at the same time. Moreover, the fact that the structure of SAP enables any user to individually assign the roles without any other user's interference does increase an inherent risk in SAP.
Moreover, based on the ideal security level, the ability to allocate roles/transaction codes in SAP should not be such that it is executable by a user individually on his own.
A person who has SU01 or PFCG is, in reality, a super user. Can you suggest how to reduce the ability of the super user and especially the ability to individually assign roles to anyone, along with himself?
Security and Data Protection with SAP Systems, published by SAP-PRESS in 2001, has an interesting chapter on distribution of roles and authorization maintenance. Unfortunately, the authors limit themselves to an explanation of the concept. The technical implementation is not discussed. The chapter more or less discusses the issue you are describing and a possible solution.
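As an added illustration (not part of the original question or answer), one compensating detective control for the gap described above: a script that reviews an extract of user-administration events and flags the combinations the question calls out, a user creation and role assignment done by the same administrator, an administrator assigning a role to their own account, and an administrator who both builds a role in PFCG and assigns it in SU01. The event record format, administrator IDs and role names are constructed for the example; only the transaction codes SU01 and PFCG come from the question, and a real extract (for example SU01 change documents) would need its own parser.

```python
# Added example: segregation-of-duties review over constructed user-admin events.
# Record format is invented for illustration, not an SAP export format.
from collections import defaultdict

# Constructed sample: (actor, transaction, action, target_user, role)
EVENTS = [
    ("ADM1", "SU01", "CREATE_USER", "JDOE", None),
    ("ADM1", "SU01", "ASSIGN_ROLE", "JDOE", "Z_FINANCE_POST"),   # creator also assigns
    ("ADM2", "SU01", "ASSIGN_ROLE", "ADM2", "Z_BASIS_ADMIN"),    # self-assignment
    ("ADM3", "SU01", "CREATE_USER", "ASMITH", None),
    ("ADM4", "SU01", "ASSIGN_ROLE", "ASMITH", "Z_SALES_VIEW"),   # proper two-person split
    ("ADM2", "PFCG", "CHANGE_ROLE", None, "Z_BASIS_ADMIN"),      # role builder = assigner
]


def find_sod_violations(events):
    """Return a list of (kind, actor, target_user, role) findings.

    SELF_ASSIGNMENT      actor granted a role to their own account
    CREATE_AND_ASSIGN    the same actor created the user and assigned it a role
    ROLE_BUILDER_ASSIGNS actor changed the role in PFCG and also assigned it in SU01
    Event order is ignored: the check is over the whole extract.
    """
    creators = {}                     # target_user -> actor who created it
    role_builders = defaultdict(set)  # role -> actors who changed it in PFCG
    for actor, tcode, action, target, role in events:
        if action == "CREATE_USER":
            creators[target] = actor
        elif action == "CHANGE_ROLE":
            role_builders[role].add(actor)

    findings = []
    for actor, tcode, action, target, role in events:
        if action != "ASSIGN_ROLE":
            continue
        if actor == target:
            findings.append(("SELF_ASSIGNMENT", actor, target, role))
        if creators.get(target) == actor:
            findings.append(("CREATE_AND_ASSIGN", actor, target, role))
        if actor in role_builders.get(role, set()):
            findings.append(("ROLE_BUILDER_ASSIGNS", actor, target, role))
    return findings


if __name__ == "__main__":
    for kind, actor, target, role in find_sod_violations(EVENTS):
        print(f"{kind}: {actor} -> {target} ({role})")
```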
This was first published in November 2005