Comments on: SAP Security http://itknowledgeexchange.techtarget.com/itanswers/sap-security/ Sat, 26 May 2012 09:33:09 +0000 http://wordpress.org/?v=2.6.2 By: PLANIT http://itknowledgeexchange.techtarget.com/itanswers/sap-security/#comment-38910 PLANIT Thu, 04 Jan 2007 07:32:58 +0000 #comment-38910 Hi, I don't understand why your manager don't allow you to do the job properly. The correct and quickest way to customize the authorization roles is work with them and ask which transaction they usually use (and which ones they could or will certainly use) and add then to the role. You can also monitor them by transaction sm04, but it could be a really pain in the? Once you have a full list of the transaction they use, you can trace them (tx. trace) in order to know which object you will have to limit by the role and finally, very important, prove the role with a testing user. Then, you can assign it (them) to their user and ask them to help you to adjust it. Remember that with transaction su53, after they have had the authorization problem, they can send you the log of this authorization problem, where you can see which object/value is missing or in which profile you can customize it. i hope this help. Pablo Hi,

I don’t understand why your manager don’t allow you to do the job properly.
The correct and quickest way to customize the authorization roles is work with them and ask which transaction they usually use (and which ones they could or will certainly use) and add then to the role.

You can also monitor them by transaction sm04, but it could be a really pain in the?

Once you have a full list of the transaction they use, you can trace them (tx. trace) in order to know which object you will have to limit by the role and finally, very important, prove the role with a testing user.
Then, you can assign it (them) to their user and ask them to help you to adjust it.

Remember that with transaction su53, after they have had the authorization problem, they can send you the log of this authorization problem, where you can see which object/value is missing or in which profile you can customize it.

i hope this help.

Pablo

]]> By: solutions1 http://itknowledgeexchange.techtarget.com/itanswers/sap-security/#comment-38911 solutions1 Wed, 03 Jan 2007 13:12:39 +0000 #comment-38911 Are you addressing a recognized problem? What senior stakeholder(s) recognize the problem? What senior stakeholder(s) will face down users who find themselves unable to see or do what they now are able to see or do. Cutting back permissions presents dangers, both practical and political, so if the answers to the above questions are "no, no, and nobody," I suggest waiting until the answers are "yes, yes, and the CEO/owner." Are you addressing a recognized problem? What senior stakeholder(s) recognize the problem? What senior stakeholder(s) will face down users who find themselves unable to see or do what they now are able to see or do. Cutting back permissions presents dangers, both practical and political, so if the answers to the above questions are “no, no, and nobody,” I suggest waiting until the answers are “yes, yes, and the CEO/owner.”

]]> By: PBrown http://itknowledgeexchange.techtarget.com/itanswers/sap-security/#comment-38912 PBrown Tue, 02 Jan 2007 10:01:09 +0000 #comment-38912 Good Morning, It is unfortunate that your manager does not understand the security process. If you are unable to sit with user managers, try to explain to your manager that you will need copies of the business process of each department. I too work for a smaller company. We have 2 in our department. I have created custom profiles based on two criteria: 1. Access Area 2. Access Level I have created three levels of access (create, change and display) for each area (SAP module sub-functions and/or location) that we use within our company. For example: Logistics - Material Management - Material Master has profiles for each plant set up to: ** Create Material ? This allow full access and is used by the materials manager. This profile also has t-codes that provide material reporting, ability to move and delete (flag) materials. ** Change Material ? This allows change / display materials used by parts managers. ** Display Material ? This allows display only of the material master. It is assigned to parts sales and production planning personnel. It has only T-codes MM03 & MMBE ** Report Materials - This allows management to check stock levels, slow moving stock, etc. There are a few others, but these four (create, change, display and report) are found for access to every SAP module used. Start out with a limited number of transactions. This will force the users to tell you what access they need, but do not have. Create a process that will provide you with manager approval to change access. I use a form that must be signed off by the branch manager, immediate supervisor and myself. If you are able, send out instructions to the users on how to use SU53. Because we are smaller, I am also the helpdesk. This gives me an opportunity to speak directly to users when they have authorization problems. Depending on the SAP version that you have you may be able to view the authorization failure message along with the user. I hope this helps some. Feel free to e-mail me directly. I would be glad to share some of my strategies and to assist you in setting up. Best of luck. P. Brown Pbrown@aepl.ca Good Morning,

It is unfortunate that your manager does not understand the security process. If you are unable to sit with user managers, try to explain to your manager that you will need copies of the business process of each department. I too work for a smaller company. We have 2 in our department. I have created custom profiles based on two criteria:

1. Access Area
2. Access Level

I have created three levels of access (create, change and display) for each area (SAP module sub-functions and/or location) that we use within our company. For example: Logistics - Material Management - Material Master has profiles for each plant set up to:
** Create Material ? This allow full access and is used by
the materials manager. This profile also has t-codes
that provide material reporting, ability to move and
delete (flag) materials.
** Change Material ? This allows change / display
materials used by parts managers.
** Display Material ? This allows display only of the
material master. It is assigned to parts sales and
production planning personnel. It has only T-codes
MM03 & MMBE
** Report Materials - This allows management to check
stock levels, slow moving stock, etc.

There are a few others, but these four (create, change, display and report) are found for access to every SAP module used.

Start out with a limited number of transactions. This will force the users to tell you what access they need, but do not have. Create a process that will provide you with manager approval to change access. I use a form that must be signed off by the branch manager, immediate supervisor and myself. If you are able, send out instructions to the users on how to use SU53. Because we are smaller, I am also the helpdesk. This gives me an opportunity to speak directly to users when they have authorization problems. Depending on the SAP version that you have you may be able to view the authorization failure message along with the user.

I hope this helps some. Feel free to e-mail me directly. I would be glad to share some of my strategies and to assist you in setting up.

Best of luck.

P. Brown
<a href="mailto:Pbrown@aepl.ca">Pbrown@aepl.ca</a>

]]>