PFCG Authorization Updates

Former Member

Hi,

To reorganize the work inside our SAP team, we are discussing who should be responsible for PFCG authorization modifications for the functions (MM, FI, CO, HR, Sales).

Please advise on the best practice from SAP: who can better handle PFCG authorization modifications for the functions (MM, FI, CO, HR, Sales), the BASIS team or the function consultants?

Best Regards

Fawzy Ibrahim

Read only

Colleen
Product and Topic Expert

Hi Fawzy


"the BASIS team or the function consultants?"

I'd say the security team

Whoever you choose, ensure they are actually trained in and knowledgeable about PFCG/SU24/general security. Splitting role maintenance across several teams can create inconsistent role builds.

Basis might know how to click and tick boxes (or at least a step ahead of 'just assign sap_all') but they need to understand what the authorisations are for and how to appropriately restrict for functional requirements. Both may know how to build but do they understand how to interpret a misleading authorisation failure check in a trace?

Best practice is to choose someone who is competent.

Regards

Colleen

Read only

Former Member

Accountable are the MM, FI, CO, HR, SALES etc. business process owners. They should initiate all role changes.

Responsible for the actual changes in the system normally is the security team.

Read only

Former Member

Hi

S_USER_GRP

Read only


Fawzy,

If the company you work for/contract for has to adhere to SOX compliance, then you definitely do not want the Basis folks doing security. It is for the security team to define the authorizations, modifications, roles, etc., related to SAP Security.