topic Re: Authorization Object Clarification in Application Development and Automation Discussions

Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 13:34:34 GMT

Hi guys,

I have two questions regarding Authorization objects, my first question is, why we canu2019t execute any transaction if we have access to all the authorization objects that has linked to those t-codes for example:

(SA38 or SE38) bringing S_Develop, S_DATASET, and S_PROGRAM if I assign all these authorization objects into the role manually I still don't have access to sa38 or se38. So how come we always say everything is control by authorization object. We always need T-codes in the role either by menu or manually. Is that true?

My second question:

We always say don't assign S_Develop in Production, but we need to assign one general role which should have SU53 and by SAP standard SU53 bringing S_Develop authorization object which is very dangers for Production. How come SAP standard conflicting rule not to assign S_Develop in Production?

Please kindly give your feedback and thoughts

Thanks

Faisal

Edited by: Faisal on Aug 6, 2009 3:39 PM

Re: Authorization Object Clarification

jurjen_heeck — Thu, 06 Aug 2009 13:42:48 GMT

> (SA38 or SE38) bringing S_Develop, S_DATASET, and S_PROGRAM if I assign all these authorization objects into the role manually I still don't have access to sa38 or se38. So how come we always say everything is control by authorization object. We always need T-codes in the role either by menu or manually. Is that true?

Yes, the S_TCODE check is the first line of defense. This check is done for every transaction start and cannot be switched off.

> We always say don't assign S_Develop in Production, but we need to assign one general role which should have SU53 and by SAP standard SU53 bringing S_Develop authorization object which is very dangers for Production. How come SAP standard conflicting rule not to assign S_Develop in Production?

SU53 does not need S_DEVELOP for its normal use.

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 14:11:16 GMT

Thanks for youu2019re replied

So we can assign S_Develop in the role without SA38 or SE38 no one can execute the transactions because we don't assign the t-codes but they will have S_Develop, is it harmful in Production? What about S_Develop through SU53 should we deactivate the S_Develop or let it go to Production because it is coming thr SU53?

Thanks

Faisal

Re: Authorization Object Clarification

sdipanjan — Thu, 06 Aug 2009 14:15:55 GMT

Adding few points with Jurjen:

> I have two questions regarding Authorization objects, my first question is, why we canu2019t execute any transaction if we have access to all the authorization objects that has linked to those t-codes for example:

The series of Checks while you are trying to execute some TCode/Report is like below:

1. Check whether the TCode is existing in the system (TSTC, TSTCT, TSTCA, TSTCP etc.) tables. If this check fails, you will get an error message and system will not go for further checks i.e. Authorization checks against the available authorization instances in User's Buffer content.

2. The first level of Authorization check for any TCode is done against the Object S_TCode.

3. After passing through the point 2, the authorization checks for other Objects take place with an AND operator.

> My second question:

> Please kindly give your feedback and thoughts

SU53 doesn't require S_DEVELOP for any user action. Please go through the documentation of S_DEVELOP and available notes to understand the necessity of these critical objects.

Regards,

Dipanjan

Re: Authorization Object Clarification

sdipanjan — Thu, 06 Aug 2009 14:24:43 GMT

In which release you are working currently?

Do Not assign any Object Manually in Authorization Data.... Add the Tcode (SU53) in the role menu and let Profile generator decide and pull the relevant Authorization Objects. You will not see S_DEVELOP in this case. Check the proposal for your information.

Regards,

Dipanjan

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 14:49:10 GMT

I checked it su24 you will get S_Develop when you assign SU53, that's why I was asking this question

Best Regards,

Faisal

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 14:52:15 GMT

What version are you on?

S_DEVELOP is not in Check Maintain or Proposal = Y status in any of the systems I have access to

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 14:59:37 GMT

ECC 6.0 it is check/maintain for su53 for sure. It is a new system it hasn't been changed because we are in Relization phase no one touched it yet, I'm the only security person here.

Thanks

Edited by: Faisal on Aug 6, 2009 5:00 PM

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 15:08:37 GMT

Sounds like someone changed your SU24 settings to include S_DEVELOP in a role for all users on the strength of SU53 being in the menu.

Not a good idea...

SU53 itself is a nice example of the difference between the S_TCODE authority to start something and the authorization objects in the code to actually use it.

You can turn the transaction check at tcode start off for SU53, but depending on the authorizations of the user for the S_USER_AUT object they might only be able to see what failed, or additionally also see what they do have authority for.

S_DEVELOP is the same. There are many ways (not only limited to transactions) via which you can enter the ABAP Workbench Navigation - but once in there the "real checks" take place. The best known examples are via the menu: System --> Status --> Navigate, and the F1 --> Technical Information --> Navigate routes. (in higher releases there is also an SE80 check).

If you want the user to have consistent authorizations in the system and not be subject to silly little mistakes in the menu, S_TCODE and other objects and roles they might have, then rather give them the correct authorization to use the transaction and only in exceptional cases turn the object level checks off in SU24.

My 2 cents,

Julius

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 15:10:14 GMT

Very curious, I wonder why it is setup like that?

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 15:22:08 GMT

Beleive me no one changed it, it is standard unless there is some issue with patches when it installed. What about your system is it check.maintain or not.

Should I talk to my basis team about that. I can change the su24 setting but I checked my sandbox and all the other client in sandbox and Dev all are check/maintain.

What you say?

Thanks

Faisal

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 15:29:40 GMT

First check in SU22 whether some nilly added it there, and then transfered to SU24 later.

It should show up as "original" data in SU22, where the author is not 'SAP'.

Unfortunately in some releases the SU22 data was also delivered with the ID and not the 'SAP' anonymization which can be confusing, but that should not be the case here.

Cheers,

Julius

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 15:32:06 GMT

In the version of ECC6 I have access to at the moment, S_DEVELOP is set to Check with proposal = No, so will not be pulled through in to a role. There are no change logs for this during the time installed.

Re: Authorization Object Clarification

sdipanjan — Thu, 06 Aug 2009 15:32:54 GMT

Did you check the SAP Proposal also? The check indicator you are viewing there is the Customer Table proposal.

If you check in the Application tool bar, there is a Button called "SAP Data". Please click on that button to see the SAP proposal (entries of table USOBT and USOBX) and let us know what you are getting for S_DEVELOP as SAP Data.

Regards,

Dipanjan

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 15:46:33 GMT

It says SAP propsl = YS and also proposal is = YS. What you guys say?

Is it installation or patches? My sandbox and Dev in all clients are same. one more thing I checked my IDES system that is the only system doesn't have YS, it has NO in the proposal. SO IDES system is correct or whatever?

But in IDES system for the SAP propsl still = YS

Best Regards,

Faisal

Edited by: Faisal on Aug 6, 2009 5:47 PM

Edited by: Faisal on Aug 6, 2009 5:50 PM

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 15:51:52 GMT

> What you guys say?

Someone hacked your SU22 data...

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 18:25:39 GMT

I modified su24 I changed propossal = No for the S_Develop but SAP propsl I didn't touch it its still = YS. but after I changed it it is still brigning the Object into the Role. Can you please tell me what's wrong

do I have to change SAP Propsl also

Please Advice

Thanks

Faisal

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 18:32:45 GMT

Has step 1 of SU25 been run before in these systems?

After changing SU24, you need to do a "Read old status and merge with new data" in expert mode for the authorizations of the menu objects to be adjusted.

But it would be wise to first check how the roles have been built and how intact the authorization data is to start with, as you could be in for a surprise... particularly if standard authorizations have been deleted in the past and the merge has not been used! Why standard authorizations can be deleted at all I actually don't know...

Cheers,

Julius

Re: Authorization Object Clarification

Former Member — Thu, 06 Aug 2009 18:52:03 GMT

Please advice me !

These are brand new systems, Sandbox and Dev never upgradet from SU25. As I mentioned in my pervious post its pretty vaired that SU53 pulling S_Develop, S_USER_AGR, S_USER_AUT, and S_USER_GRP. I had to fix these su24 standard propossal they are all SAP Proposal.

Now I changed all the proposals for the above Authorization objects to "NO" but I didn't touch the SAP proposal which was the last column. and then I went to one of the role which has su53 and went through EDIT mode I still see S_Develop pulling, I don't unserstand why.

Please advice

Thanks a lot

Faisal

Re: Authorization Object Clarification

sdipanjan — Thu, 06 Aug 2009 18:52:49 GMT

> I modified su24 I changed propossal = No for the S_Develop but SAP propsl I didn't touch it its still = YS. but after I changed it it is still brigning the Object into the Role. Can you please tell me what's wrong

Please check the status of the Object showing in the Profile Generator. If it is manually (I presume this is the reason of not getting the effect of check proposal you modified) and if maximum objects are manually added then I would suggest to delete that role and then create a new role. Add the TCodes in Menu tab and then maintain their authorizations in Authorization tab to generate the profile at last.

> do I have to change SAP Propsl also

No. never.

Regards,

Dipanjan