Transaction based security vs. Authorization based security

Former Member
0 Kudos
164

Hi all, just a general question: does anyone know any pros and cons about implementing transaction-based security vs. authorization object-based?

Thanks, Mike

4 REPLIES

jurjen_heeck
Active Contributor
0 Kudos
95

Can you please explain a bit more on your question?

If transaction-based security in your opinion is about only controlling which transactions users can start and allowing all other values in other objects, that's about as secure as locking your front door and leaving all windows open...

Former Member
0 Kudos
96

I have to do the security, and the SAP consultant that was here said we are doing it through A/Os, and all I did was run a trace for the transaction codes and get the A/Os for each transaction, and we would populate the auth objects with the relevant info: co codes, plants... But like, what's the difference if I just put in the tcode or the A/Os? It sounds like the same thing.

0 Kudos
95

Well, the tcode goes into an authorization object as well, namely S_TCODE, so it always boils down to authorization objects. When properly configured, PFCG will propose all necessary authorization objects once you put a transaction in the role menu. On a new system, have a look at SU25 and its documentation to set up PFCG.

In my opinion putting the relevant transactions in the roles first and fine tuning the authorization values afterwards is the right way to go. Tracing may help but is no substitute for testing.

0 Kudos
95

I agree with you, Jurjen Heeck. SAP has moved from maintaining profiles (maintaining directly authorizations based procedure) to a role-based approach. Performing a trace and adding each object is also a time-consuming process. Hence adding transactions directly to roles and fine-tuning them is the best approach.

Thanks,

Gowrinadh
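
An added example, not part of the original thread and not SAP code: a small Python model of the point made above, that a role restricted only through S_TCODE still grants everything if the other authorization objects carry `*`. The role names and values are constructed sample data; the object and field names (S_TCODE/TCD, F_BKPF_BUK/BUKRS, M_MSEG_WWA/WERKS, ACTVT) are standard SAP ones, and the check is a simplification of AUTHORITY-CHECK.

```python
from fnmatch import fnmatchcase

# Constructed sample roles (not from the thread): role -> authorization object -> field -> values.
ROLES = {
    "Z_FI_DISPLAY_TCODE_ONLY": {
        "S_TCODE": {"TCD": ["FB03"]},
        "F_BKPF_BUK": {"BUKRS": ["*"], "ACTVT": ["*"]},
    },
    "Z_FI_DISPLAY_TUNED": {
        "S_TCODE": {"TCD": ["FB03"]},
        "F_BKPF_BUK": {"BUKRS": ["1000"], "ACTVT": ["03"]},
    },
    "Z_MM_GOODS_MVT": {
        "S_TCODE": {"TCD": ["MIGO"]},
        "M_MSEG_WWA": {"WERKS": ["*"], "ACTVT": ["01", "03"]},
    },
}


def is_allowed(role, obj, **fields):
    """Simplified AUTHORITY-CHECK: every checked field must match a value in the role.

    Only single values and '*' patterns are modelled; value ranges are not.
    """
    auth = role.get(obj)
    if auth is None:
        return False
    return all(
        any(fnmatchcase(value, pattern) for pattern in auth.get(field, []))
        for field, value in fields.items()
    )


def open_windows(roles):
    """List (role, object, field) where S_TCODE is restricted but another field is '*'."""
    findings = []
    for name in sorted(roles):
        tcodes = roles[name].get("S_TCODE", {}).get("TCD", [])
        if not tcodes or "*" in tcodes:
            continue  # no transaction restriction to compare against
        for obj, flds in roles[name].items():
            if obj == "S_TCODE":
                continue
            findings += [(name, obj, f) for f, vals in flds.items() if "*" in vals]
    return findings


if __name__ == "__main__":
    for finding in open_windows(ROLES):
        print("wildcard behind restricted S_TCODE:", *finding)
```

Both FI roles allow starting FB03, but only the tuned one limits the company code and activity, which is the difference the thread is asking about.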