RE:[sap-security] Security flags from Early Watch Report
Posted by griscom on May 11 at 2:41 PM
Keith.....inspiration...I like that one ! Ha Ha !!!
Regards,
Eric Griscom
IBM Global Business Services
From: "rkraanen via sap-security" <sap-security@groups.ittoolbox.com>
To: Eric Griscom/Richmond/IBM@IBMUS
Date: 05/11/2010 02:13 PM
Subject: RE:[sap-security] Security flags from Early Watch Report
Posted by rkraanen (Security Analyst) on May 11 at 1:59 PM
Hi Keith,
There is no use in deleting standard SAP roles because they will be there
again after the next upgrade. SAP designed these roles for "out of the
box" SAP use. Your company probably applied (many) changes. If you want to
use an SAP role, then make a copy of it. This is needed because SAP
sometimes adds functionality to a role and adds them in an upgrade. If you
have assigned the default SAP roles, those get overwritten and there might
be new authorisations in them which you don't want your users to have.
After you have made a copy you need to look into the role to check if the
authorisations are right. In many cases the default SAP roles give either
too much access (e.g. a "*" in S_TCODE) or not enough. I find it best to
start role building from scratch and let the functional team think about
what transaction should be in a role. They can use the SAP roles for
"inspiration".
---------------Original Message---------------
From: khatcher
Sent: Tuesday, May 11, 2010 12:27 PM
Subject: Security flags from Early Watch Report
> I am the security administrator for our company and we just went live.
> (Hooray). I just received a report displaying all types of critical
> security issues. When I look at the roles with these issues, I notice that
> they are SAP delivered roles.
> My question is should these roles be deleted or is there another
> strategy for resolving these security authorization/object issues?
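
The review described in the reply above, as an added example that is not part of the original thread or any poster's code: it flags users who hold a delivered role directly and roles whose S_TCODE field TCD contains "*". The role names and sample rows are constructed; the CSV layout (columns named after tables AGR_1251 and AGR_USERS), the `SAP_` prefix test for delivered roles and the reading of the DELETED column are assumptions.

```python
import csv
import io

# Constructed sample exports. Column names mirror AGR_1251 (role authorization
# values) and AGR_USERS (role assignments); the CSV layout is an assumption.
AGR_1251_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
SAP_EXAMPLE_DISPLAY,S_TCODE,TCD,*,,
Z_FI_AP_CLERK,S_TCODE,TCD,FB60,,
Z_FI_AP_CLERK,S_TCODE,TCD,FK03,,
Z_COPY_OF_SAP_ROLE,S_TCODE,TCD,*,,
Z_BASIS_SUPPORT,S_TCODE,TCD,SM*,,
Z_OLD_WILDCARD,S_TCODE,TCD,*,,X
"""
AGR_USERS_CSV = """AGR_NAME,UNAME
SAP_EXAMPLE_DISPLAY,JDOE
Z_FI_AP_CLERK,JDOE
Z_COPY_OF_SAP_ROLE,ASMITH
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def wildcard_tcode_roles(agr_1251_csv):
    """Map role -> sorted S_TCODE/TCD values containing '*' (active rows only)."""
    hits = {}
    for r in _rows(agr_1251_csv):
        if r["OBJECT"] != "S_TCODE" or r["FIELD"] != "TCD":
            continue
        if r["DELETED"].strip():  # assumption: a set flag means the value is inactive
            continue
        if "*" in r["LOW"]:
            hits.setdefault(r["AGR_NAME"], set()).add(r["LOW"])
    return {role: sorted(vals) for role, vals in hits.items()}

def review_findings(agr_1251_csv, agr_users_csv, delivered_prefix="SAP_"):
    """Return sorted (user, role, reason) tuples for assignments needing review."""
    wild = wildcard_tcode_roles(agr_1251_csv)
    findings = []
    for r in _rows(agr_users_csv):
        role, user = r["AGR_NAME"], r["UNAME"]
        if role.startswith(delivered_prefix):  # assumption: delivered roles use SAP_
            findings.append((user, role, "delivered role assigned directly; use a reviewed copy"))
        if role in wild:  # a copied role can still carry the wildcard
            findings.append((user, role, "S_TCODE wildcard: " + ",".join(wild[role])))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_findings(AGR_1251_CSV, AGR_USERS_CSV):
        print(*finding, sep=" | ")
```

The constructed role `Z_COPY_OF_SAP_ROLE` shows why copying alone is not enough: the copy is no longer overwritten by an upgrade, but it still carries the wildcard until someone reviews it.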
Copyright © 2010 Toolbox.com and message author.
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251