Re: [sap-security] Authorization Profiles For User Administration In SAP
Posted by
Admin at
|
Share this post:
|
|
0 Comments
 | Posted by delcharro (Sr Mgr - ACE/SAP) on Mar 22 at 6:10 PM |  Mark as helpful |
Totally agree with Henrik...send me an email, I will send the security roles
I use (delcharro at gmail.com)
David
On Mon, Mar 22, 2010 at 4:47 PM, henrikmadsen2 via sap-security <
sap-security@groups.ittoolbox.com> wrote:
> Posted by henrikmadsen2(GRC Consultant )
> on Mar 22 at 5:46 PM
> Short answer:
> There are no SAP profiles that should be assigned, as Chris said.
> Build your own roles to handle this. You can use user groups to control
> where the user admins can assign roles. You can even go as far as not
> allowing them to assign SAP_* roles at all!
> No one should have SAP_ALL in production, and even in QA and DEV there
> really are no reasons why anyone should have all access.
>
> /henrik
>
> On 22 March 2010 18:53, abamrah via sap-security <
> sap-security@groups.ittoolbox.com> wrote:
>
> > Posted by abamrah
> > on Mar 22 at 3:53 AM
> > User administration starts with user management, i.e. SU01.
> > Troubleshooting
> > requires SU53, SU56. Why not build upon that? You will have to identify
> > what
> > is part of user administration in your scenario and then work round that.
>
> > You certainly don't want to give SAP_ALL. This must be saved for a very
> > limited number of people in Basis and Security team and with reasons
> > documented somewhere. You don't want to run into trouble with audit later
>
> > on.
> >
> > With best regards,
> >
> > Amrit
> >
> > On 22 March 2010 01:32, chris_van_schijndel via sap-security <
> > sap-security@groups.ittoolbox.com> wrote:
> >
> > > Posted by
> > > chris_van_schijndel (SAP Security
> > > Manager)
> > > on Mar 22 at 3:33 AM
> > > Hi Deepak,
> > >
> > > Depending on how critical and tightly regulated the environment we're
> > > talking about is and whether it's a Dev/QA/Prod system, you're probably
>
> > not
> > > going to want to use SAP standard roles. Your point about what's
> > excessive
> > > for the job function here is the key - it all depends on the processes
> > owned
> > > by your security administrators. What's excessive is basically what's
> not
> >
> > > needed and that'll change depending on your organisation and processes
> > which
> > > is why SAP standard roles are usually bad news. Ironically of course
> it's
> >
> > > these kind of questions we would expect your security administrator to
> > > answer so if you're getting someone in from outside it might be better
> to
> >
> > > wait and put this first on their To Do list :). Otherwise, your best
> bet
> > it
> > > is to dig out your SOP for role design overall in which you'll
> typically
> > see
> > > documented how requirements are gathered, roles are approved built and
> > > tested and just follow the same procedure as you would for any end-user
>
> > > business role. Work out what the administrator needs, document it, get
> it
> >
> > > approved, build it, analyse it for SOD conflicts (typically create and
> > > change users, change roles and assign roles etc.), document
> compensating
> > > controls for your conflicts, test the role...
> > >
> > > Sorry there is no magic bullet on this one from me at least. Someone
> else
> >
> > > may have one but I doubt it!
> > >
> > > Cheers
> > > Chris
> > >
> > > ---------------Original Message---------------
> > > From: deepakpandey
> > > Sent: Monday, March 22, 2010 2:13 AM
> > > Subject: Authorization Profiles For User Administration In SAP
> > >
> > > > May I know what are the SAP profiles need to be assigned to a SAP
> > > administrator to manage and trouble user authorization profiles without
>
> > > granting him/her SAP_ALL profile?
> > > > This is because SAP_ALL will be too excessive for the job function
> > > described above and there is a need to give restricted access rights.
> > > >
> > > > Regards,
> > > > Deepak
__.____._ I use (delcharro at gmail.com)
David
On Mon, Mar 22, 2010 at 4:47 PM, henrikmadsen2 via sap-security <
sap-security@groups.ittoolbox.com> wrote:
> Posted by henrikmadsen2(GRC Consultant )
> on Mar 22 at 5:46 PM
> Short answer:
> There are no SAP profiles that should be assigned, as Chris said.
> Build your own roles to handle this. You can use user groups to control
> where the user admins can assign roles. You can even go as far as not
> allowing them to assign SAP_* roles at all!
> No one should have SAP_ALL in production, and even in QA and DEV there
> really are no reasons why anyone should have all access.
>
> /henrik
>
> On 22 March 2010 18:53, abamrah via sap-security <
> sap-security@groups.ittoolbox.com> wrote:
>
> > Posted by abamrah
> > on Mar 22 at 3:53 AM
> > User administration starts with user management, i.e. SU01.
> > Troubleshooting
> > requires SU53, SU56. Why not build upon that? You will have to identify
> > what
> > is part of user administration in your scenario and then work round that.
>
> > You certainly don't want to give SAP_ALL. This must be saved for a very
> > limited number of people in Basis and Security team and with reasons
> > documented somewhere. You don't want to run into trouble with audit later
>
> > on.
> >
> > With best regards,
> >
> > Amrit
> >
> > On 22 March 2010 01:32, chris_van_schijndel via sap-security <
> > sap-security@groups.ittoolbox.com> wrote:
> >
> > > Posted by
> > > chris_van_schijndel (SAP Security
> > > Manager)
> > > on Mar 22 at 3:33 AM
> > > Hi Deepak,
> > >
> > > Depending on how critical and tightly regulated the environment we're
> > > talking about is and whether it's a Dev/QA/Prod system, you're probably
>
> > not
> > > going to want to use SAP standard roles. Your point about what's
> > excessive
> > > for the job function here is the key - it all depends on the processes
> > owned
> > > by your security administrators. What's excessive is basically what's
> not
> >
> > > needed and that'll change depending on your organisation and processes
> > which
> > > is why SAP standard roles are usually bad news. Ironically of course
> it's
> >
> > > these kind of questions we would expect your security administrator to
> > > answer so if you're getting someone in from outside it might be better
> to
> >
> > > wait and put this first on their To Do list :). Otherwise, your best
> bet
> > it
> > > is to dig out your SOP for role design overall in which you'll
> typically
> > see
> > > documented how requirements are gathered, roles are approved built and
> > > tested and just follow the same procedure as you would for any end-user
>
> > > business role. Work out what the administrator needs, document it, get
> it
> >
> > > approved, build it, analyse it for SOD conflicts (typically create and
> > > change users, change roles and assign roles etc.), document
> compensating
> > > controls for your conflicts, test the role...
> > >
> > > Sorry there is no magic bullet on this one from me at least. Someone
> else
> >
> > > may have one but I doubt it!
> > >
> > > Cheers
> > > Chris
> > >
> > > ---------------Original Message---------------
> > > From: deepakpandey
> > > Sent: Monday, March 22, 2010 2:13 AM
> > > Subject: Authorization Profiles For User Administration In SAP
> > >
> > > > May I know what are the SAP profiles need to be assigned to a SAP
> > > administrator to manage and trouble user authorization profiles without
>
> > > granting him/her SAP_ALL profile?
> > > > This is because SAP_ALL will be too excessive for the job function
> > > described above and there is a need to give restricted access rights.
> > > >
> > > > Regards,
> > > > Deepak
Copyright © 2010 Toolbox.com and message author.
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251
Related Content
In the Spotlight
White Papers
In the Spotlight
55% of IT Pros Use Social Media to Advance Their Careers. See the Survey Results
View this thread online
Manage group e-mails
Create an FAQ on this topic
Tell us what you think
Unsubscribe from discussion
Manage group e-mails
Create an FAQ on this topic
Tell us what you think
Unsubscribe from discussion
_.____.__ 
