
Re: [sap-security] Authorization Profiles For User Administration In SAP


Posted by henrikmadsen2 (GRC Consultant )
on Mar 22 at 5:46 PM
Short answer:
There are no SAP profiles that should be assigned, as Chris said.
Build your own roles to handle this. You can use user groups to control
where the user admins can assign roles. You can even go as far as not
allowing them to assign SAP_* roles at all!
No one should have SAP_ALL in production, and even in QA and DEV there
really are no reasons why anyone should have all access.

/henrik

On 22 March 2010 18:53, abamrah via sap-security <
sap-security@groups.ittoolbox.com> wrote:

> Posted by abamrah
> on Mar 22 at 3:53 AM
> User administration starts with user management, i.e. SU01. Troubleshooting
> requires SU53, SU56. Why not build upon that? You will have to identify what
> is part of user administration in your scenario and then work round that.
> You certainly don't want to give SAP_ALL. This must be saved for a very
> limited number of people in Basis and Security team and with reasons
> documented somewhere. You don't want to run into trouble with audit later
> on.
>
> With best regards,
>
> Amrit
>
> On 22 March 2010 01:32, chris_van_schijndel via sap-security <
> sap-security@groups.ittoolbox.com> wrote:
>
> > Posted by chris_van_schijndel (SAP Security Manager)
> > on Mar 22 at 3:33 AM
> > Hi Deepak,
> >
> > Depending on how critical and tightly regulated the environment we're
> > talking about is and whether it's a Dev/QA/Prod system, you're probably not
> > going to want to use SAP standard roles. Your point about what's excessive
> > for the job function here is the key - it all depends on the processes owned
> > by your security administrators. What's excessive is basically what's not
> > needed and that'll change depending on your organisation and processes which
> > is why SAP standard roles are usually bad news. Ironically of course it's
> > these kinds of questions we would expect your security administrator to
> > answer so if you're getting someone in from outside it might be better to
> > wait and put this first on their To Do list :). Otherwise, your best bet
> > is to dig out your SOP for role design overall in which you'll typically see
> > documented how requirements are gathered, roles are approved, built and
> > tested and just follow the same procedure as you would for any end-user
> > business role. Work out what the administrator needs, document it, get it
> > approved, build it, analyse it for SOD conflicts (typically create and
> > change users, change roles and assign roles etc.), document compensating
> > controls for your conflicts, test the role...
> >
> > Sorry there is no magic bullet on this one from me at least. Someone else
> > may have one but I doubt it!
> >
> > Cheers
> > Chris
> >
> > ---------------Original Message---------------
> > From: deepakpandey
> > Sent: Monday, March 22, 2010 2:13 AM
> > Subject: Authorization Profiles For User Administration In SAP
> >
> > > May I know what are the SAP profiles that need to be assigned to a SAP
> > > administrator to manage and troubleshoot user authorization profiles
> > > without granting him/her SAP_ALL profile?
> > > This is because SAP_ALL will be too excessive for the job function
> > > described above and there is a need to give restricted access rights.
> > >
> > > Regards,
> > > Deepak
Copyright © 2010 Toolbox.com and message author.
