Re: [sap-security] Questions about Temporary Roles/Assignments in SAP
Posted by
Admin at
|
Share this post:
|
|
0 Comments
 | Posted by Sonia (Sap Basis and Securiy Analyst) on Mar 6 at 10:36 AM |  Mark as helpful |
Dan,
You can set a limit on the assignment of roles to user master records. As a
result some data will become invalid on a particular day, whilst other data
becomes valid.
To ensure that only authorization profiles which are valid are contained in
the user master record each day, you must execute a daily profile
comparison.
There are two ways to execute the comparison.
1 As a background job before the start of each day. (usually in midnight)
run report PFCG_TIME_DEPENDENCY is run every night, the authorization
profiles in the user master will be current each morning (assuming that the
job has run correctly). The best procedure is to schedule this as a periodic
background job.
2. Using Transaction PFUD, user comparsion
As an Sap sec adm,its your duty to remove the invalid roles. (it comes under
daily monitoring work).
Thank you,
Sonia
On Fri, Mar 5, 2010 at 4:31 PM, rdbarahona via sap-security <
sap-security@groups.ittoolbox.com> wrote:
> Posted by rdbarahona(Business Development)
> on Mar 5 at 4:33 PM
> <warning>Newbie questions</warning>
>
> I understand that there are often requirements to assign temporary roles to
> individual users (e.g., to cover for a colleague on vacation, etc.). When
> User X is assigned Role Y for, say, a 2 week validity period, does the Role
> Y automatically get disabled/revoked from User X at the end of the 2 weeks?
> I'm almost certain the answer is yes, but have actually heard conflicting
> answers.
>
> Related, in your organizations, are there policies regarding the duration
> in which a temporary role can be assigned? E.g., do you allow temporary
> roles for up to 14 days? If so, how would you find role-assignments that are
> out of compliance?
>
> Thanks,
>
> Dan
__.____._ You can set a limit on the assignment of roles to user master records. As a
result some data will become invalid on a particular day, whilst other data
becomes valid.
To ensure that only authorization profiles which are valid are contained in
the user master record each day, you must execute a daily profile
comparison.
There are two ways to execute the comparison.
1 As a background job before the start of each day. (usually in midnight)
run report PFCG_TIME_DEPENDENCY is run every night, the authorization
profiles in the user master will be current each morning (assuming that the
job has run correctly). The best procedure is to schedule this as a periodic
background job.
2. Using Transaction PFUD, user comparsion
As an Sap sec adm,its your duty to remove the invalid roles. (it comes under
daily monitoring work).
Thank you,
Sonia
On Fri, Mar 5, 2010 at 4:31 PM, rdbarahona via sap-security <
sap-security@groups.ittoolbox.com> wrote:
> Posted by rdbarahona(Business Development)
> on Mar 5 at 4:33 PM
> <warning>Newbie questions</warning>
>
> I understand that there are often requirements to assign temporary roles to
> individual users (e.g., to cover for a colleague on vacation, etc.). When
> User X is assigned Role Y for, say, a 2 week validity period, does the Role
> Y automatically get disabled/revoked from User X at the end of the 2 weeks?
> I'm almost certain the answer is yes, but have actually heard conflicting
> answers.
>
> Related, in your organizations, are there policies regarding the duration
> in which a temporary role can be assigned? E.g., do you allow temporary
> roles for up to 14 days? If so, how would you find role-assignments that are
> out of compliance?
>
> Thanks,
>
> Dan
Copyright © 2010 Toolbox.com and message author.
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251
SoniaSAP Security Enthusiast
Contributed 100 posts in a group to earn a Bronze Achievement
Related Content
In the Spotlight
White Papers
In the Spotlight
55% of IT Pros Use Social Media to Advance Their Careers. See the Survey Results
View this thread online
Manage group e-mails
Create an FAQ on this topic
Tell us what you think
Unsubscribe from discussion
Manage group e-mails
Create an FAQ on this topic
Tell us what you think
Unsubscribe from discussion
_.____.__ 
