2007 Jul 18 10:17 PM
Dear Experts,
We are a small SAP shop, so our BASIS person is responsible for various Admin functions in the system.
I need to create a role for BASIS Admin. I tried to use SAP_ALL to start with, then to inactivate parts of it. It works from the security point of view (although it is a lot of work), but it does not give me a list of transactions and therefore makes it difficult to maintain going forward.
I searched multiple old threads, but was unable to obtain a clear answer.
Will it be considered acceptable (i.e. a good practice) to just gather a list of transactions which, in my opinion, (possibly by combining transactions from SAP-supplied standard roles) BASIS Admin needs and then add/remove additional ones as the need arises?
Please, advise.
Thanks in advance
Galina
2007 Jul 19 1:41 PM
Hi
Check it http://www.sap-img.com/basis/useful-sap-system-administration-transactions.htm
Rewards point if helpful
Thanks
Pankaj Kumar
2007 Jul 18 10:53 PM
Hi Galina:
The restriction of your BASIS role depends on the security policy of your company. Some companies allow the BASIS team to work with SAP_ALL and others restrict BASIS work to specific permissions.
I can give you some options:
- You can copy the SAP_ALL profile using SU02 and make your own Z profile that has all authorizations.
- In our case, we make a list of transactions for BASIS and make a role using PFCG. You can make your own list; I recommend these pages:
http://www.erpgenie.com/basis/basistransactions.htm
http://www.sap-img.com/basis/useful-sap-system-administration-transactions.htm
There are different points of view about this. But SAP recommends restricting the use of SAP_ALL as much as you can (including for the Basis and Security teams), especially in the Production system.
Personally, we prefer the second option, because you can see what you want and it won't affect you in future audits.
Hope this can help you. Have a good day.
2007 Jul 19 3:55 PM
Hello, Abraham
We cannot use SAP_ALL and SAP_NEW. We used them until now, but our auditors object. If I understand you correctly, you used the option to create the list of transactions. But what about SAP_NEW? How do we incorporate authorizations from SAP_NEW? Or is this unnecessary when we create a role based on a list of transactions?
Please advise.
Galina
2007 Jul 19 3:57 PM
Pankaj,
It is certainly helpful. Do you have a similar list or suggestions for ABAP Developer and for Functional Configurator roles? I have to create these as well.
Thanks
Galina