https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-updates/m-p/10239289#M1828150 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>To reorganize the work inside our SAP team, we are in discussion for who should be responsible for functions (MM,FI,CO,HR,Sales) PFCG authorization modifications.</P><P></P><P>Please; advise the best practice from SAP, who can better handle functions (MM,FI,CO,HR,Sales) PFCG authorization modifications, the BASIS</P><P>team or the function consultants?</P><P></P><P>Best Regards</P><P>Fawzy Ibrahim</P></BODY></HTML> Sun, 13 Apr 2014 18:08:10 GMT Former Member 2014-04-13T18:08:10Z https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-updates/m-p/10239289#M1828150 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>To reorganize the work inside our SAP team, we are in discussion for who should be responsible for functions (MM,FI,CO,HR,Sales) PFCG authorization modifications.</P><P></P><P>Please; advise the best practice from SAP, who can better handle functions (MM,FI,CO,HR,Sales) PFCG authorization modifications, the BASIS</P><P>team or the function consultants?</P><P></P><P>Best Regards</P><P>Fawzy Ibrahim</P></BODY></HTML> Sun, 13 Apr 2014 18:08:10 GMT https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-updates/m-p/10239289#M1828150 Former Member 2014-04-13T18:08:10Z https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-updates/m-p/10239290#M1828151 <HTML><HEAD></HEAD><BODY><P>Hi Fawzy</P><PRE><CODE> <P>the BASIS</P> <P>team or the function consultants?</P> </CODE></PRE><P></P><P>I'd say the security team <SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.sap.com/718/images/emoticons/wink.gif"></SPAN></P><P></P><P>Whoever you choose, ensure they are actually trained and knowledgeable of PFCG/SU24/general security. Splitting role maintenance across several teams can create inconsistent role build.</P><P></P><P>Basis might know how to click and tick boxes (or at least a step ahead of 'just assign sap_all') but they need to understand what the authorisations are for and how to appropriately restrict for functional requirements. Both may know how to build but do they understand how to interpret a misleading authorisation failure check in a trace?</P><P></P><P>Best practise is to choose someone who is competent</P><P></P><P>Regards</P><P>Colleen</P></BODY></HTML> Sun, 13 Apr 2014 21:56:26 GMT https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-updates/m-p/10239290#M1828151 Colleen 2014-04-13T21:56:26Z https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-updates/m-p/10239291#M1828152 <HTML><HEAD></HEAD><BODY><P>Accountable are the MM, FI, CO, HR, SALES etc. business process owners. They should initiate all role changes</P><P></P><P>Responsible for the actual changes in the system normally is the security team.</P></BODY></HTML> Mon, 14 Apr 2014 08:16:00 GMT https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-updates/m-p/10239291#M1828152 Former Member 2014-04-14T08:16:00Z https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-updates/m-p/10239292#M1828153 <HTML><HEAD></HEAD><BODY><P>Hi <SPAN class="j-post-author"><STRONG><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="-1" data-externalid="" data-presence="null" data-userid="610732" data-username="fawzy.ibrahim" href="https://answers.sap.com/people/fawzy.ibrahim">Fawzy Ibrahim</A></STRONG>&nbsp; ,</SPAN></P><P><SPAN class="j-post-author"><BR /></SPAN></P><P><SPAN class="j-post-author">Is it means that, in each module there will be different BASIS people? Like the responsible to MM users cannot change SD users authentication? If yes then, there is a good solution.</SPAN></P><P><SPAN class="j-post-author"><BR /></SPAN></P><P><SPAN class="j-post-author">You need to group the users module wise. Then assign the BASIS peoples to maintain those particular group only(Using authorization object </SPAN>S_USER_GRP<SPAN class="j-post-author">). Please have a try. If you face problem let me know</SPAN></P><P><SPAN class="j-post-author"><BR /></SPAN></P><P><SPAN class="j-post-author">Asad<BR /></SPAN></P></BODY></HTML> Wed, 16 Apr 2014 08:31:17 GMT https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-updates/m-p/10239292#M1828153 Former Member 2014-04-16T08:31:17Z https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-updates/m-p/10239293#M1828154 <HTML><HEAD></HEAD><BODY><P>Fawzy,</P><P></P><P>If the company you work for/contract for has to adhere to SOX compliancy, then you definitely do not want the Basis folks doing security. This is for the security team to define the authorizations, modifications, roles, etc, related to SAP Security. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro_emoticon jive_macro jive_emote" src="https://community.sap.com/718/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Wed, 16 Apr 2014 20:06:21 GMT https://community.sap.com/t5/application-development-and-automation-discussions/pfcg-authorization-updates/m-p/10239293#M1828154 Former Member 2014-04-16T20:06:21Z