
How do I split Basis authorization responsibilities?

EXPERT RESPONSE FROM: Bert Vanstechelman



QUESTION POSED ON: 07 November 2005
Can you please give your views on the following:

The structure of SAP is such that the privilege to create a user and to allocate the role/activity to perform any function is given through a single transaction code.

The inability to allocate roles and create users or reset their passwords through two different channels (transaction codes) is a structural weakness within SAP which can only be addressed by the technical people of SAP AG.

An ideal segregation would require these complementary functions to be performed by two different users. That is, the person who has the ability to create a user should not be allowed to assign the roles at the same time. Moreover, the fact that the structure of SAP enables any user to individually assign the roles without any other user's interference does increase an inherent risk in SAP.

Moreover, based on the ideal security level the ability to allocate roles/transaction codes in SAP should not be such that it is executable by a user individually on his own.

A person who has SU01 or PFCG is, in reality, a super user. Can you suggest how to reduce the ability of the super user and especially the ability to individually assign roles to anyone, along with himself?


EXPERT RESPONSE
I'm not an authorizations expert, but I assume that it should be possible to split authorization responsibilities. The same is possible with development and customizing. In most organizations, developers and customizers are allowed to do whatever they want in the development and acceptance system. The usage of the transport system is, however, limited and monitored by the approval concept. In such a setup, the SAP Basis administrator is responsible for transport management.

Security and Data Protection with SAP Systems, published by SAP-PRESS in 2001, has an interesting chapter on distribution of roles and authorization maintenance. Unfortunately, the authors limit themselves to an explanation of the concept. The technical implementation is not discussed. The chapter more or less discusses the issue you are describing and a possible solution.
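
As a detective control for the segregation problem raised in the question, the following added example (not part of the original question or answer, and not SAP code) audits an export of user-administration activity. The record layout, action names, user IDs and role names are constructed assumptions; only the transaction codes SU01 and PFCG come from the page.

```python
from collections import defaultdict

# Constructed sample: (admin, action, target user, detail) in a hypothetical
# export format. This is not real SAP log output.
SAMPLE_EVENTS = [
    ("ADMIN_A", "CREATE_USER", "JSMITH", ""),
    ("ADMIN_B", "ASSIGN_ROLE", "JSMITH", "Z_FI_CLERK"),
    ("ADMIN_C", "CREATE_USER", "TEMP01", ""),
    ("ADMIN_C", "ASSIGN_ROLE", "TEMP01", "Z_BASIS_ADMIN"),
    ("ADMIN_C", "ASSIGN_ROLE", "ADMIN_C", "Z_FI_MANAGER"),
    ("ADMIN_B", "RESET_PASSWORD", "TEMP01", ""),
]

# Constructed sample: transaction codes each administrator is able to start.
SAMPLE_TCODES = {
    "ADMIN_A": {"SU01"},
    "ADMIN_B": {"PFCG"},
    "ADMIN_C": {"SU01", "PFCG"},
}

# The combination the question describes as making someone a super user.
CONFLICT = {"SU01", "PFCG"}


def admins_with_conflict(tcodes):
    """Administrators who hold every transaction code in CONFLICT."""
    return sorted(u for u, codes in tcodes.items() if CONFLICT <= codes)


def find_violations(events):
    """Flag role assignments made to oneself, or made by the same admin
    who also created the account or reset its password (in any order)."""
    account_by = defaultdict(set)  # target -> admins who created/reset it
    role_by = defaultdict(set)     # target -> admins who assigned it roles
    for admin, action, target, _detail in events:
        if action in ("CREATE_USER", "RESET_PASSWORD"):
            account_by[target].add(admin)
        elif action == "ASSIGN_ROLE":
            role_by[target].add(admin)
    findings = []
    for target in sorted(role_by):
        for admin in sorted(role_by[target]):
            if admin == target:
                findings.append(("SELF_ASSIGNMENT", admin, target))
            elif admin in account_by[target]:
                findings.append(("ACCOUNT_AND_ROLE_BY_SAME_ADMIN", admin, target))
    return findings
```
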

