[1460] in SAPr3-news
Re: THE authorization Concept. (R3)
daemon@ATHENA.MIT.EDU (Andy Burrows)
Mon Jun 10 09:59:51 1996
To: sapr3-news@MIT.EDU
Date: Fri, 07 Jun 1996 18:23:44 GMT
From: Andy@aburrows.demon.co.uk (Andy Burrows)
kent518@aol.com (Kent518) wrote:
>You are correct, security within SAP is not easy.
>Best advice, although simple is to practice KISS - keep it simple stupid.
>Seriously, start by identifying transactions you desire for a particular
>profile (i.e. accounts payable clerk, receiver, etc.) and determine the
>objects needed for each transaction. When you have a compilation of the
>transactions and objects, you need to construct and revisit the profiles.
>You are likely to have numerous overlaps and may have access to
>transactions you did not intend. Best here to re-evaluate if it is
>necessary to prevent access.
> Also, try to identify "levels" of profiles that build upon each other.
>This will make it easier and quicker to assemble. DO NOT CREATE CUSTOM
>IDS FOR EACH USER. I work for a Fortune 150 company implementing
>MM(purch) and FI/CO. We had 2 full time security persons plus a lot of
>work by the process team members working at least 2 months to establish
>security controls.
>Finally, the transaction /nsu53 is helpful in determining WHY a
>transaction cannot be accessed.
>Hope this helps
Good Advice !
In order for /nSU53 to be able to work you first need to ensure that
the system profile parameter:
auth/check_value_write_on = 1
has been enabled and the AppServer restarted.
Also I find that the ABAP/4 trace helps when finding out what
authorisation objects are checked when you run a particular
program/transaction.
Good luck !
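Added example (not from either poster): a small Python model of the procedure Kent describes, i.e. list the transactions a profile should allow, collect the authorization values each one checks (the kind of list the ABAP/4 trace Andy mentions would give you), build the profile from them, then look for transactions the profile enables that were never intended. It also produces an SU53-style "why is this denied" answer: the checks a given profile fails for a transaction. All data is constructed: the Z_* objects, the field values and the per-transaction check lists are illustrative and do not describe any real SAP installation; only S_TCODE/TCD is the real transaction-code check. Wildcard handling is a simplified model of R/3 authorization values ('*' alone matches anything, a trailing '*' is a prefix match).

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# One authorization value: (object, field, value).
Auth = Tuple[str, str, str]

# Constructed sample data: what each transaction checks. In practice this is
# what you collect per transaction with the ABAP/4 trace. Only S_TCODE/TCD is a
# real object/field; the Z_* objects are invented for this example.
TRANSACTION_CHECKS: Dict[str, FrozenSet[Auth]] = {
    "ME21": frozenset({("S_TCODE", "TCD", "ME21"), ("Z_PO", "ACTVT", "01"), ("Z_PO", "EKORG", "1000")}),
    "ME22": frozenset({("S_TCODE", "TCD", "ME22"), ("Z_PO", "ACTVT", "02"), ("Z_PO", "EKORG", "1000")}),
    "ME23": frozenset({("S_TCODE", "TCD", "ME23"), ("Z_PO", "ACTVT", "03"), ("Z_PO", "EKORG", "1000")}),
    "MB01": frozenset({("S_TCODE", "TCD", "MB01"), ("Z_GR", "ACTVT", "01"), ("Z_GR", "WERKS", "1000")}),
    "FB60": frozenset({("S_TCODE", "TCD", "FB60"), ("Z_AP", "ACTVT", "01"), ("Z_AP", "BUKRS", "1000")}),
}


def value_matches(granted: str, required: str) -> bool:
    """Simplified R/3 wildcard rule: '*' matches anything, trailing '*' is a prefix."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def is_granted(profile: Set[Auth], required: Auth) -> bool:
    obj, field, value = required
    return any(o == obj and f == field and value_matches(v, value) for o, f, v in profile)


def missing_auths(profile: Set[Auth], tcode: str) -> List[Auth]:
    """SU53-style answer to 'why can't this profile run tcode': the checks that fail."""
    return sorted(a for a in TRANSACTION_CHECKS[tcode] if not is_granted(profile, a))


def enabled_transactions(profile: Set[Auth]) -> Set[str]:
    """Every known transaction whose checks all pass against the profile."""
    return {t for t in TRANSACTION_CHECKS if not missing_auths(profile, t)}


def unintended_access(profile: Set[Auth], intended: Set[str]) -> Set[str]:
    """Transactions the profile opens up that were not on the intended list."""
    return enabled_transactions(profile) - intended


def minimal_profile(intended: Set[str]) -> Set[Auth]:
    """Build a profile from exactly the values the intended transactions check."""
    return set().union(*(TRANSACTION_CHECKS[t] for t in intended))


# Layered profiles, as Kent suggests: a base level shared by all purchasing users,
# and a role level on top. The convenient wildcards are what cause the overlap.
BASE_PURCHASING: Set[Auth] = {("S_TCODE", "TCD", "ME*"), ("Z_PO", "EKORG", "1000")}
PO_CLERK_PROFILE: Set[Auth] = BASE_PURCHASING | {("Z_PO", "ACTVT", "0*")}
PO_CLERK_INTENDED: Set[str] = {"ME21", "ME23"}  # create and display only

if __name__ == "__main__":
    print("enabled:   ", sorted(enabled_transactions(PO_CLERK_PROFILE)))
    print("unintended:", sorted(unintended_access(PO_CLERK_PROFILE, PO_CLERK_INTENDED)))
    print("why not MB01:", missing_auths(PO_CLERK_PROFILE, "MB01"))
    tight = minimal_profile(PO_CLERK_INTENDED)
    print("tightened profile unintended:", unintended_access(tight, PO_CLERK_INTENDED))
```

Run stand-alone, the wildcarded clerk profile turns out to enable ME22 (change purchase order) although only ME21 and ME23 were wanted, which is the overlap Kent warns about; rebuilding the profile from the exact checked values removes it. The missing_auths report for MB01 lists the three failed checks, which is what you would otherwise read off SU53 after the run.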