cancel
Showing results for 
Search instead for 
Did you mean: 

Locking SEM (BPS) configuration in production

Former Member
0 Kudos

Hi all,

Anyone out there know how to ensure that configuration is not open in the production system for SEM.

Its fantastic for all those last minute go live issues, but its risky as all hell when developement and quality no longer look anything like production.

Thanks,

Rael

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi Rael,

Use the following steps:

Create a Planning Folder Nimm said

Then create a Variant for program 'UPB_PM_START'

Then create a customer transaction se93

The remove BPS0 from the User profiles...

K

Answers (7)

Answers (7)

Former Member
0 Kudos

Hi Rael,

If you need the config access in production only to set variables then you do not need to have access to BPS0. I have written a custom ABAP program which sets all variables without having access to BPS0. On my current project we did not give BPS0 access to BPS Admin user at all and this user sets the variables using this custom program that I wrote.

Thanks,

Bhavesh Shah

former_member93896
Active Contributor
0 Kudos

Hello,

you can also implement the how-to paper:

<a href="http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000668367&">How-to Guides > Variable Upload</a>.

Regards

Marc

SAP NetWeaver RIG

Former Member
0 Kudos

Thanks Thomas and Koffi,

Good suggestions.

Rael

Former Member
0 Kudos

Yes, I think you are right Nimmi, taking away access is the way to go.

I would probably grant access to BPS0 and planning areas (so as to make changes to variables etc), but take away access to levels, layouts and functions).

And hooraayy, now that I think about, I would create a few open levels, layouts etc (i.e. available for changing via authorisations) for each planning area to be used for all those ad hoc fixes that we SEM heads can't avoid making in the live system....

This way the bulk of the config is untouchable, but the exception levels and layouts etc can be used where necessary.

Thanks to you all,

Rael

Former Member
0 Kudos

Hi Rael,

The planning adminstrator / super users need access to change the variables in production so we had to give access to BPS0 on selective basis before.

It has been a couple of years but I know I worked with the Basis guy on a previous project for a bit and we were able to give access to BPS0 and the planning areas but lock Planning level and anything below that.

On my recent project the authorization guy is not as seasoned and this got passed to someone else since I had my hands full with the BPS planning and the QA. They had trouble locking down the levels and I did not have time to troubleshoot it and even though I know the basics of authorization, I am not an expert in the subject.

Would appreciate some feedback on how to leave open the planning area and lock the planning levels...

Thanks,

Mary

Former Member
0 Kudos

Hi Mary,

Ask your basis team to maintain the SEM role by including all the SEM authorisation objects you wish to limit access on. For e.g. using "R_AREA" and "R_PLEVEL" you can allow access to a specific/multiple areas and levels....

So using this concept you can have an instance (or a role) where the planning area is included but the levels are excluded. Then assign the role to relevant users.

Have a look at the online help:

http://help.sap.com/saphelp_sem40bw/helpdata/en/0a/242537cedf2056e10000009b38f936/frameset.htm

Regards,

Rael

Former Member
0 Kudos

Rael,

But how about the planning administrator that needs to be able to check the variables in the planning area? If they have change access in the planning area, the planning level inherits the access and they can potentially change the planning level.

I thought the basis group on one of my projects 2 years ago resolved that issue but cannot recall the details.

Mary

Former Member
0 Kudos

Hi Mary,

Unfortunately this thread started from a theoritical (rather than practical requirement) point of view. So I have not tried any of this on a system.

....but, have a look at the authorisation help documentation at

http://help.sap.com/saphelp_sem60/helpdata/en/0a/242537cedf2056e10000009b38f936/frameset.htm

...there is a table indicating the possibilities considering the inheritance property. It seems to me (without having done the config) that if you only enter authorisation against the area, then inheritance allows access to everything below, but if you specify area and level and any lower objects, then you can specifically allow access to areas and limit access to levels etc

So, you need to do the extra config and include all objects you want to limit access on, but grant access on the highest (area) object only.

Maybe someone out there has actually done the config and can verify for us the path to follow.....?

Regards,

Rael

former_member93896
Active Contributor
0 Kudos

Hi Rael,

this is correct. If you are allowed to change the planning area, you are also allowed to change all levels, packages, etc that belong to the area.

This makes sense since all those sub-objects depend on the area configuration.

Regards

Marc

SAP NetWeaver RIG

Former Member
0 Kudos

Hi Thomas,

Nice to see you are still surviving in the dog-eat-dog world of SEM.

Yes, I thought about that too.

But it still does not stop someone like myself from being able to make the changes.

My client have been remiss with keeping up transport path protocol, so the obvious question came up as to how we can ensure the same does not happen again. Locking config in production is the only absolute answer, but I have never heard of anyone doing it.

Regards to you,

Rael

Former Member
0 Kudos

Hi Rael,

If you don't have access to tcode BPS0 in production, then you can't execute it. Use planning folders or web interface to enter and process the data.

Hope this helps.

-NS

0 Kudos

Rael,

suppose you know it already...

On most Frontends it is possible to set different colours to different systems.

I always use RED as a background colour for productive systems to be always aware about the risk in changing something in BPS...

) to you

Thomas

Former Member
0 Kudos

Thanks for your suggestions, but I am still wondering if it is not somehow possible to stop any config taking place in production?

Rael

Former Member
0 Kudos

Hi Real,

In sem, unfortunately, when modification an object, is not created the change request. This is the problem that represents a limit for sem.

Former Member
0 Kudos

hello Real,

I believe that the only way is to limit the authorizations to the users in the productions system.

Unfortunately sem is a system opened in all systems.

regards

Davide

Former Member
0 Kudos

Thanks Davide,

But the problem is that it we, the "authorised", who are the primary offenders....

Regards,

Rael

Former Member
0 Kudos

Hi Rael,

Would suggest restrict the access to the configuration transaction and only provide access through Planning folders for accessing the layouts.

0 Kudos

Hi Rael,

nice to "see" you again

To avoid unintended settings it may help to choose the execution mode in the framework (in BPS0: Utilities ==> Settings ==> Framework mode)

Greetings from Hamburg

Thomas