SAP Security

I have a group of users set up with profiles only. These give them too much access. I am to change them to roles that limit their access to the job they do. I am new to SAP and the co., and it is a small co.; our staff is 3. My plan is to work with the users' managers to see what they do on their job and what transactions they do. My new manager says this is not the appropriate way to do it, find a different way. Any suggestions?

Answer Wiki


Your initial approach is the correct way to do this. If your manager doesn’t like this approach, ask how he/she’d do it.

A couple of ideas:
1.) Get a new manager.
2.) Go to lunch with each user individually. In a “non-business” environment you can ask them about their job and how they do it. Then try to formulate roles, adjusting as you go.
3.) Without user input, take a stab at designing their roles but make them skimpy. Have them call you when they can’t get into some transaction and adjust per their request. I’d suggest that you have them send you an email request (approved by their manager if possible) as an audit trail for CYA.

Good luck.

Discuss This Question: 3  Replies

  • PBrown
    Good Morning,

    It is unfortunate that your manager does not understand the security process. If you are unable to sit with user managers, try to explain to your manager that you will need copies of the business process of each department.

    I too work for a smaller company. We have 2 in our department. I have created custom profiles based on two criteria:
    1. Access Area
    2. Access Level

    I have created three levels of access (create, change and display) for each area (SAP module sub-functions and/or location) that we use within our company. For example: Logistics - Material Management - Material Master has profiles for each plant set up to:
    ** Create Material - This allows full access and is used by the materials manager. This profile also has t-codes that provide material reporting, ability to move and delete (flag) materials.
    ** Change Material - This allows change / display materials used by parts managers.
    ** Display Material - This allows display only of the material master. It is assigned to parts sales and production planning personnel. It has only T-codes MM03 & MMBE.
    ** Report Materials - This allows management to check stock levels, slow moving stock, etc.

    There are a few others, but these four (create, change, display and report) are found for access to every SAP module used.

    Start out with a limited number of transactions. This will force the users to tell you what access they need, but do not have. Create a process that will provide you with manager approval to change access. I use a form that must be signed off by the branch manager, immediate supervisor and myself. If you are able, send out instructions to the users on how to use SU53.

    Because we are smaller, I am also the helpdesk. This gives me an opportunity to speak directly to users when they have authorization problems. Depending on the SAP version that you have you may be able to view the authorization failure message along with the user.

    I hope this helps some. Feel free to e-mail me directly. I would be glad to share some of my strategies and to assist you in setting up. Best of luck. P. Brown
  • Solutions1
    Are you addressing a recognized problem? What senior stakeholder(s) recognize the problem? What senior stakeholder(s) will face down users who find themselves unable to see or do what they now are able to see or do? Cutting back permissions presents dangers, both practical and political, so if the answers to the above questions are "no, no, and nobody," I suggest waiting until the answers are "yes, yes, and the CEO/owner."
    Hi, I don't understand why your manager doesn't allow you to do the job properly. The correct and quickest way to customize the authorization roles is to work with them and ask which transactions they usually use (and which ones they could or will certainly use) and add them to the role. You can also monitor them by transaction SM04, but it could be a real pain in the... Once you have a full list of the transactions they use, you can trace them (tx. trace) in order to know which objects you will have to limit by the role and finally, very important, prove the role with a testing user. Then, you can assign it (them) to their user and ask them to help you to adjust it. Remember that with transaction SU53, after they have had the authorization problem, they can send you the log of this authorization problem, where you can see which object/value is missing or in which profile you can customize it. I hope this helps. Pablo
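The replies above combine two ideas: tiered profiles per access area (create, change, display, report) and deriving each user's access from the transactions they actually run. The sketch below is an added example, not code from any poster: it maps observed t-code usage to the lowest tier that covers it and sets aside t-codes that need manual review. The catalogue, user names, usage records and the custom t-code `Z_CUSTOM` are constructed; only MM03 and MMBE are taken from the thread.

```python
from collections import defaultdict

# Constructed catalogue: t-code -> (access area, access level).
# MM03/MMBE are from the thread; MM01, MM02 and MB52 are standard SAP
# t-codes placed into tiers by assumption for this example.
CATALOGUE = {
    "MM01": ("Material Master", "create"),
    "MM02": ("Material Master", "change"),
    "MM03": ("Material Master", "display"),
    "MMBE": ("Material Master", "display"),
    "MB52": ("Material Master", "report"),
}
# Cumulative tiers: each one includes the tiers before it.
TIER_ORDER = ["display", "change", "create"]

# Constructed usage records (user, t-code), e.g. compiled from interviews.
USAGE = [
    ("PARTS_SALES", "MM03"), ("PARTS_SALES", "mmbe"), ("PARTS_SALES", "Z_CUSTOM"),
    ("PARTS_MGR", "MM02"), ("PARTS_MGR", "MM03"),
    ("MAT_MGR", "MM01"), ("MAT_MGR", "MM03"), ("MAT_MGR", "MB52"),
    ("BRANCH_MGR", "MB52"),
]

def propose_roles(usage):
    """Return (roles, unknown): lowest covering tier per user and area,
    plus t-codes missing from the catalogue that need manual review."""
    needed = defaultdict(lambda: defaultdict(set))  # user -> area -> levels
    unknown = defaultdict(set)
    for user, tcode in usage:
        areas = needed[user]  # register the user even if nothing matches
        entry = CATALOGUE.get(tcode.upper())
        if entry is None:
            unknown[user].add(tcode.upper())
            continue
        area, level = entry
        areas[area].add(level)
    roles = {}
    for user, areas in needed.items():
        proposed = []
        for area, levels in sorted(areas.items()):
            tiers = [t for t in TIER_ORDER if t in levels]
            top = tiers[-1] if tiers else None
            if top:
                proposed.append(f"{area}: {top}")
            # Per the thread, the create tier already carries reporting.
            if "report" in levels and top != "create":
                proposed.append(f"{area}: report")
        roles[user] = proposed
    return roles, {u: sorted(t) for u, t in unknown.items()}

if __name__ == "__main__":
    roles, unknown = propose_roles(USAGE)
    for user in roles:
        print(user, roles[user], "review:", unknown.get(user, []))
```
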
