[100] in sapr3-soft


Re: SAP R/3 Security and Change Control Administration

daemon@ATHENA.MIT.EDU (Phil Badger)
Sun Mar 9 13:58:15 1997

To: sapr3-soft@MIT.EDU
Date: 4 Mar 1997 08:18:08 -0500
From: "Phil Badger" <Philip_Badger@techsol.com> (by way of SAP Moderator <sap-request@realtimeusa.com>)

Brent Eckhout (by way of SAP Moderator <sap-request@realtimeusa.com>)
<eckhout@flash.net> wrote:

> Greetings SAPpers:
> 
> We are in the process of implementing R/3 at our division with SAP America
> as our configuration partner.  As a newbie, I have a couple of questions.
> 
> Some background-- the Basis consultant is strongly recommending that we
> add a full-time PC support technician, a security administrator, and a
> change control administrator to our project team.  The PC support is not a
> big problem-- we are going to add a $50/hr contractor for the duration of
> the project.  But, for the other positions I am having trouble creating job
> descriptions for the roles.  The SAP consultants are not being too helpful.
> Depending on who you talk to, each consultant has their own opinion.
> 
> Now to the questions-- does anyone have some job descriptions for the
> security and change control administration positions as it relates to R/3?
> Also, do these jobs only last through development and implementation?  If
> not, how do these jobs change after implementation?  I have some ideas on
> the description for the R/3 security administrator after reading some of
> SAP's on-line documentation but I feel what I have written is inadequate.
> 
> Any advice and help would be greatly appreciated.
> 
> ===============================
> Brent Eckhout
> Information Technology Specialist
> Lockheed Martin Vought Systems
> ------------------------------------------------------------
> Work Email: eckhout@vs.lmco.com   
> Work Phone: 972-603-7359
> Home Email: eckhout@flash.net
> ==============================

Hi Brent,

Allow me to try and answer your questions.  These are my interpretations of
the positions you described...

A Security Administrator is responsible for defining and creating
authorizations and profiles to control access to the system.  An SAP
authorization defines what transactions a user can perform, and which data
he can work with.  Typically, an authorization is made up of two items,
defined by an authorization object: activities that the user can perform
(such as create, change, display, delete, etc.) and values for the data
which can be controlled.  Authorizations are then grouped into profiles
which are assigned to a user.  This definition makes more sense with a real
life example:  when entering a financial document into R/3, such as an
invoice, a set of authorizations are checked for each value in the
document, such as the document type, account type, company code, etc. 
Depending on the needs of your accounting department and your company's
policies, you use authorizations to restrict which values for these objects
can be used.  The beauty of the whole structure is that you have very precise
control over system and data access; the downside is that the whole
authorization structure can quickly become a beast to administer.

A good security administrator will need to begin by interviewing the key
people within your organization to understand their local needs; what
should people in a department be doing and seeing?  What departmental roles
exist?  What data are they allowed to work with?  Which transactions are
needed to complete their daily tasks?  Knowing this, he/she can begin to
create relevant authorizations and profiles. Additionally, he/she should
have a good working knowledge of the applications, although not necessarily
to a detailed level, but he/she should certainly know the main
transactions, how the system integrates and which authorization objects
he/she has at his/her disposal.  Ability to identify and highlight
potential security holes is also a plus, so an understanding of basic
standard business practice is also recommended.  Last but by no means
least, ability to produce useful documentation on your authorization
structure is highly prized.

A Change Control Administrator is there to manage your corrections and
transport system.  Typically, SAP development follows a three-step course. 
Configurations are made in a development system, where changes are allowed
and each one demands that a change request is created.  Once satisfied that
the configuration is complete, the configurer/developer releases the change
request.  This is "transported" into a test system (in which direct changes
are not allowed), where the necessary staff check the integrity of the
configuration and ensure that system integration is not compromised.  Once
satisfied that the change is good, it can be moved into your production
system (again, no direct changes allowed here).

The Change Control Administrator is there to manage this whole process and
keep track of each request.  He/she ensures that the transports are moved
successfully from system to system and that the policies for your
development effort are adhered to.  Additionally, the CCA will be called
upon to apply repairs to the SAP ABAP/4 code (normally as dictated by SAP
notes) and to ensure that the programs are adequately tested before being
moved into the productive environment.


Now onto workloads.  Both of these positions see far greater activity
during the configuration phase than once the system is live and stable. 
However, configurations can still change and transports are still needed,
job functions can change resulting in different authorizations.  All of
this depends on the scope of your installation.  More applications, more
users, more configuration means more administration.  I've heard of SAP
implementations which maintain two or three full-time security
administrators even after the system goes live and I've also seen
implementations where all Basis administration functions (Change management,
security, etc.) are handled by one or two people.  This is something you and
your SAP consultants will need to work out; it really will vary from
installation to installation.

Hope this information is what you wanted and comes in useful.  If you have
any further questions, please feel free to contact me.

Regards,
Phil Badger
SAP Basis Consultant, UNIX administrator, perl scripter and Oracle dabbler.
Email:  Philip_Badger@techsol.com
           pbadger@cultorfs.com
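
The authorization structure described in the message above (authorization objects with activity and value fields, authorizations grouped into profiles, profiles assigned to users), sketched as a small Python model. This is an added example, not code from the original post or from SAP. The object and field names (F_BKPF_BUK, F_BKPF_KOA, BUKRS, KOART, ACTVT) are standard FI names that the post does not mention; the user, the profile name and all values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Authorization:
    obj: str        # authorization object this authorization instantiates
    values: dict    # field name -> set of permitted values ("*" = any)

    def permits(self, obj, required):
        # All checked fields must be satisfied by this ONE authorization;
        # values are never combined across separate authorizations.
        if obj != self.obj:
            return False
        return all("*" in self.values.get(f, ()) or v in self.values.get(f, ())
                   for f, v in required.items())

@dataclass
class Profile:
    name: str
    authorizations: list

@dataclass
class User:
    name: str
    profiles: list

def authority_check(user, obj, **required):
    """True if any authorization in any assigned profile covers the check."""
    return any(a.permits(obj, required)
               for p in user.profiles for a in p.authorizations)

def failed_checks_for_invoice(user, company_code, account_type):
    """Objects that block creating (ACTVT 01) an invoice; empty = allowed."""
    checks = [("F_BKPF_BUK", {"BUKRS": company_code, "ACTVT": "01"}),
              ("F_BKPF_KOA", {"KOART": account_type, "ACTVT": "01"})]
    return [o for o, req in checks if not authority_check(user, o, **req)]

# Constructed sample data: an accounts-payable clerk.
ap_profile = Profile("Z_AP_CLERK", [
    Authorization("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"01", "03"}}),
    Authorization("F_BKPF_BUK", {"BUKRS": {"2000"}, "ACTVT": {"03"}}),  # display only
    Authorization("F_BKPF_KOA", {"KOART": {"K"}, "ACTVT": {"01", "03"}}),
])
clerk = User("JDOE", [ap_profile])

if __name__ == "__main__":
    for bukrs, koart in [("1000", "K"), ("2000", "K"), ("1000", "D")]:
        print(bukrs, koart, failed_checks_for_invoice(clerk, bukrs, koart) or "allowed")
```

The second case shows why reviews of a profile have to look at each authorization as a unit: create rights in company code 1000 and display rights in 2000 do not add up to create rights in 2000.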


