2009 Mar 10 5:31 PM
Hi all, just a general question: does anyone know any pros and cons of implementing transaction-based security vs. authorization-object-based?
Thanks Mike
2009 Mar 10 5:45 PM
Can you please explain a bit more on your question?
If transaction-based security in your opinion is only about controlling which transactions users can start and allowing all other values in other objects, that's about as secure as locking your front door and leaving all windows open...
2009 Mar 10 8:59 PM
I have to do the security, and the SAP consultant that was here said we are doing it through A/O's. All I did was run a trace for the transaction codes and got the A/O's for each transaction, and we would populate the auth objects with the relevant info: co codes, plants... But like, what's the difference if I just put in the tcode or the A/O's? It sounds like the same thing.
2009 Mar 11 7:19 AM
Well, the tcode goes into an authorization object as well, namely S_TCODE, so it always boils down to authorization objects. When properly configured, PFCG will propose all necessary authorization objects once you put a transaction in the role menu. On a new system, have a look at SU25 and its documentation to set up PFCG.
In my opinion putting the relevant transactions in the roles first and fine tuning the authorization values afterwards is the right way to go. Tracing may help but is no substitute for testing.
2009 Mar 11 8:49 AM
I agree with you, Jurjen Heeck. SAP has moved from maintaining profiles (a procedure based on maintaining authorizations directly) to a role-based approach. Performing a trace and adding each object is also a time-consuming process. Hence adding transactions directly to roles and fine-tuning them is the best approach.
Thanks,
Gowrinadh
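
Added example, not part of the thread: a simplified Python model of the point made above, that a role which only restricts S_TCODE and leaves other object values open passes the check for any plant, while a fine-tuned role does not. The role names and plant codes 1000/2000 are constructed; ME21N and M_BEST_WRK stand in as one sample transaction and one of the objects it checks, and the matching logic is a simplification of the real authorization check.

```python
# Simplified model of an SAP authorization check (illustration only, not SAP code).
# An authorization is one object plus allowed values per field; "*" means any value.
# A check passes only if ONE authorization for the object covers ALL checked fields.

def covers(allowed, value):
    return "*" in allowed or value in allowed

def authority_check(role, obj, **fields):
    """Return True if any authorization for obj in role covers every field."""
    for auth_obj, auth_fields in role:
        if auth_obj == obj and all(
            covers(auth_fields.get(name, ()), value) for name, value in fields.items()
        ):
            return True
    return False

def can_create_po(role, plant):
    """Transaction start check (S_TCODE), then the object check made by the program."""
    return (authority_check(role, "S_TCODE", TCD="ME21N")
            and authority_check(role, "M_BEST_WRK", ACTVT="01", WERKS=plant))

# Constructed roles. Plant codes 1000 and 2000 are made-up sample values.
TCODE_ONLY = [  # tcode restricted, every other value left open
    ("S_TCODE", {"TCD": {"ME21N"}}),
    ("M_BEST_WRK", {"ACTVT": {"*"}, "WERKS": {"*"}}),
]
FINE_TUNED = [  # same tcode, values restricted afterwards
    ("S_TCODE", {"TCD": {"ME21N"}}),
    ("M_BEST_WRK", {"ACTVT": {"01", "02", "03"}, "WERKS": {"1000"}}),
]
NO_TCODE = [  # object values present, but no transaction start authorization
    ("M_BEST_WRK", {"ACTVT": {"*"}, "WERKS": {"*"}}),
]

def report():
    """(role name, may create PO in plant 1000, may create PO in plant 2000)"""
    roles = (("TCODE_ONLY", TCODE_ONLY), ("FINE_TUNED", FINE_TUNED), ("NO_TCODE", NO_TCODE))
    return [(name, can_create_po(r, "1000"), can_create_po(r, "2000")) for name, r in roles]

if __name__ == "__main__":
    for name, own_plant, other_plant in report():
        print(f"{name:11} plant 1000: {own_plant!s:5} plant 2000: {other_plant}")
```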