2011 Jul 17 10:33 AM
Hello,
My question is w.r.t. the implementation of the "principle of treble control", i.e. three SAP administrators:
1. Authorization data administrator
2. Authorization profile administrator
3. User Administrator
I have created a role & added a transaction to it e.g. "FAGLL03" or "FF67".
No authorization data is displayed in the authorization tab unless I enter the authorization tab with the change button, provide inputs for the org level field, and generate the profile. Even when I save the profile with the proposed name, its status still says "No authorization data exists". Since no authorization data is available, administrator 2 is unable to generate the profile. If administrator 1 has to generate the profile, then why is administrator 2 required?
Definition of Administrator 1 is:
The authorization data administrator creates the roles, selects transactions and
maintains the authorization data. He or she simply saves the data in the Profile
Generator since he does not have the necessary authorization for generating the
profile. He or she accepts the proposed profile name T-.... The authorization data
administrator may not change users, nor generate profiles.
Definition of Administrator 2 is:
The authorization profile administrator starts transaction SUPC and chooses All
Roles. He or she then restricts his selection, for example by entering the ID of the
role to be edited. On the next screen, he or she chooses Display Profile to check
the data. If all the data is correct, he or she generates the authorization profile. The
authorization profile administrator may not change users, change the data for roles,
nor generate profiles containing authorization objects beginning with S_USER*.
Thanks.
2011 Jul 17 10:51 AM
If administrator 1 has to generate the profile, then why is administrator 2 required?
I think that is the question you need to get answered. What risk is there if you combine the two functions? I do not see why one would try to separate the creation of the roles and the generation of the profile.
Can you tell us why it has been designed in this way?
Jurjen
2011 Jul 17 1:49 PM
Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.
Depending upon the volume of work my SAP implementation has, the approach looks practical to me.
Secondly, SAP profiles are also available for these administrators, but they are not working the way they are supposed to.
2011 Jul 17 2:06 PM
Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.
I had never heard of this treble control, and the added value of splitting role building and profile generation doesn't make much sense to me, but that's my personal opinion.
On the technical side of things: in your first post you state "No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile."
It is also possible to change the data and save this but not generate the profile yet. I just tried this by doing the following:
Create role
Add transactions to menu
Edit profile, org levels & authorization data.
Hit 'save'.
Accept proposed profile name.
Go back to PFCG main screen and ignore message of profile not being generated. (Click 'continue')
And this leaves me with a role with a yellow traffic light on the authorization tab, and the profile status is: "Current version not generated"
So it should be possible to maintain roles and profiles separately.
2011 Jul 17 9:27 PM
Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.
The standard role SAP_BC_ENDUSER mentioned in that course is typically enough to perform all three tasks anyway...
Anyway, with modern workflows and provisioning this double and triple control concept is decreasingly relevant.
A better option would be to implement a QA step in the transporting of the roles and profiles. That will still be with us for some time to come IMHO. You can also integrate other checks into the CTS.
Cheers,
Julius