Ask The SAP Expert: Questions & Answers

How do I split Basis authorization responsibilities?

EXPERT RESPONSE FROM: Bert Vanstechelman

>
QUESTION POSED ON: 07 November 2005
Can you please give your views on the following:

The structure of SAP is such that the privilege to create a user and to allocate the role/activity to perform any function is given through a single transaction code.

The inability to allocate roles and create users or reset their passwords through two different channels (transaction codes) is a structural weakness within SAP which can only be addressed by the technical people of SAP AG.

An ideal segregation would require these complementary functions to be performed by two different users. That is, the person who has the ability to create a user should not be allowed to assign the roles at the same time. Moreover, the fact that the structure of SAP enables any user to individually assign the roles without any other user's interference does increase an inherent risk in SAP.

Moreover, based on the ideal security level the ability to allocate roles/transaction codes in SAP should not be such that it is executable by a user individually on his own.

A person who has SU01 or PFCG is, in reality, a super user. Can you suggest how to reduce the ability of the super user and especially the ability to individually assign roles to anyone, along with himself?


>
I'm not an authorizations expert, but I assume that it should be possible to split authorization responsibilities. The same is possible with development and customizing. In most organizations, developers and customizers are allowed to do whatever they want in the development and acceptance system. The usage of the transport system is, however, limited and monitored by the approval concept. In such a setup, the SAP Basis administrator is responsible for transport management.

Security and Data Protection with SAP Systems, published by SAP-PRESS in 2001, has an interesting chapter on distribution of roles and authorization maintenance. Unfortunately, the authors limit themselves to an explanation of the concept. The technical implementation is not discussed. The chapter more or less discusses the issue you are describing and a possible solution.
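
A detection-side check for the concern raised in the question, added here as an example and not part of the expert's response or of any SAP tooling: it scans user-administration change records for role self-assignments and for accounts whose creator also assigned their roles. The CSV layout, action names, and user and role names are constructed for illustration.

```python
import csv
import io

# Constructed sample: user-administration change records exported as CSV.
# Column names and action values are hypothetical, not an SAP format.
SAMPLE_LOG = """timestamp,admin,action,target_user,role
2005-11-01T09:00:00,ADMIN_A,CREATE_USER,JSMITH,
2005-11-01T09:05:00,ADMIN_A,ASSIGN_ROLE,JSMITH,Z_FI_CLERK
2005-11-02T10:00:00,ADMIN_B,CREATE_USER,MJONES,
2005-11-02T11:30:00,ADMIN_C,ASSIGN_ROLE,MJONES,Z_MM_BUYER
2005-11-03T14:00:00,ADMIN_C,ASSIGN_ROLE,ADMIN_C,Z_BASIS_ALL
2005-11-04T08:15:00,ADMIN_B,RESET_PASSWORD,MJONES,
2005-11-04T08:20:00,ADMIN_B,ASSIGN_ROLE,KLEE,Z_HR_VIEW
"""

def find_sod_violations(log_text):
    """Return (rule, admin, target_user, role) tuples, in log order."""
    creators = {}   # target_user -> admin who created the account
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        admin = row["admin"].strip().upper()
        target = row["target_user"].strip().upper()
        if row["action"] == "CREATE_USER":
            creators[target] = admin
        elif row["action"] == "ASSIGN_ROLE":
            if admin == target:
                # An administrator granted a role to their own account.
                findings.append(("SELF_ASSIGNMENT", admin, target, row["role"]))
            elif creators.get(target) == admin:
                # The same person created the account and gave it its roles.
                findings.append(("CREATOR_ASSIGNED_ROLE", admin, target, row["role"]))
    return findings

def admins_with_both_duties(log_text):
    """Admins who both created accounts and assigned roles in the period."""
    duties = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] in ("CREATE_USER", "ASSIGN_ROLE"):
            duties.setdefault(row["admin"].strip().upper(), set()).add(row["action"])
    return sorted(a for a, d in duties.items() if len(d) == 2)

if __name__ == "__main__":
    for finding in find_sod_violations(SAMPLE_LOG):
        print(*finding)
    print("both duties:", admins_with_both_duties(SAMPLE_LOG))
```
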


All Rights Reserved, Copyright 2000 - 2009, TechTarget
SearchSAP.com is a search service provided by TechTarget and is completely
independent of and not affiliated with SAP AG.