Question: Is there company policy that Basis Administrator can get SAP_ALL?
Answer:
I recommend that Basis admins do NOT get SAP_ALL in a stable Production environment.
A user with SAP_ALL is kept safe (there are various ways of doing this) and used in an emergency situation with appropriate signoff.
Answer:
There is only one ID that needs SAP_ALL and that is SAP* (Not even DDIC), other than that after version 3.0 there is never a reason for anyone to have SAP_ALL. Every activity in SAP can be controlled with appropriate security.
If a user insists on having SAP_ALL it is a good sign they should NOT be on the system and not allowed to be on SAP as they do not know enough about the system to perform their duties without SAP_ALL and do not respect the concept of Security and Controls and Segregation of Duties.
A Sarbanes-Oxley investigation in the US does not care that SAP_ALL was given to make "life easy", everyone is going to jail.
Answer:
You have to have at least one user ID that is not DDIC or SAP* that has authorization to do everything connected with support package application. Because you aren't supposed to apply support packages using those two special IDs.
Also, if I am going to get called at 2am to fix a problem, I had better not have to call someone else to get security to do something. So, I always have SAP_ALL and SAP_NEW in all SAP instances. If I didn't have it, I could give it to myself anyway so what is the point of locking me out? It is better that changes are attached to my ID instead of some generic user ID with SAP_ALL that many people may use when necessary in the course of system work.
Answer:
I used to work in system audit for PwC and did audits of some of the largest companies in the world. Having said that I can tell you that no 2 organizations will agree. Some use firecall IDs and have no users with SAP_ALL in PRD. Other companies let the Basis team only have it.
At the end of the day, the Basis person will tell you they need it and ultimately they do need a scaled down version of it. But I know when I worked at Nike, we had 10 Basis admins and not one of them had SAP_ALL in PRD and we did 24/7 support of course.
Sage
Answer:
Hard to say this.
I am in the midst of the problem.
When I joined the company, some users were given SAP_ALL.
To take these out, they hate me for this.
To protect my 'rice bowl', I have nothing to say, but to block certain crucial transactions.
Regards
Answer:
They may hate you for it but there is NO reason for anyone to be able to create a vendor, input an invoice, execute the payment program and walk off with the company's money.
The Basis role should have full access to "get the system running" but they have no business in the Applications.
Remember, it all pays the same and there is a certain cost to doing business, and if that entails calling someone to get you the access then so be it.
Answer:
I agree with you, John. SAP_ALL shouldn't be given to anybody. Once system is installed, Basis gives system to security team and Basis loses SAP_ALL.
But anyways, any Basis can override security easily. Same goes for ABAPers... or anyone with full SE16 access... or SE38... this list goes on and on!
Snowy
Answer:
Yes Basis and many users have to access even in production to override this but fortunately most access is "security by ignorance" rather than "security by prevention"....
Answer:
I think I get the point you are saying above.
I tried to take out the access that initially should not be given, so what I did when I revamped the whole authorisation setup, I asked the project director to sign off a piece of agreement that lists users with SAP_ALL, in case there are audit checks I will be out of the problem.
So yet, the list is still on the table.
Answer:
Hi,
I think SAP_ALL authorisation is required by only those who don't know the jobs to be done by himself or individuals in the organisation. If you know your job, create a profile to fit the requirement.
As Snowy rightly said, the list does not end with SAP_ALL, there are many such which need to be prudently protected and judiciously used.