This website is not affiliated with, sponsored by, or approved by SAP AG.

Basis Admins & Authorizations/profiles

Basis (Basis Technology Modules: Basis Component/System Administration, GUIs)

Moderators: Snowy, thx4allthefish

Basis Admins & Authorizations/profiles

Postby miataboy » Mon Mar 03, 2014 9:56 am

SAP pals:
Need everyone to answer this one please, it is intended as a sorta poll: :mrgreen:
I, as Basis Admin/DBA, am not in charge of authorizations/profiles in the company I work for (but for my previous employer I was). The functional area oversees these. We have an argument with my CIO: I say Basis Admin should manage all security issues and he says we cannot, on the grounds that the functionals should manage their own permissions. As it stands, we have serious breaches because lots of users have access to SM51 & DB13.
If DBAs manage DB security it is only logical that Basis Admins manage SAP security.
Many of you are consultants, so please comment on what you have seen at your clients' companies. I appreciate everyone's feedback whether you consult or not.

Thanks & best regards,
Claudio
PS: I know this probably belongs in the security forum but I ask Snowy please not to move it because I need Basis admins to answer.
miataboy
 
Posts: 500
Joined: Thu Jun 05, 2003 12:22 pm
Location: 180mph, you're in my rearview mirror..

Re: Basis Admins & Authorizations/profiles

Postby miataboy » Thu Mar 06, 2014 9:15 am

OMG.... 18 views and no replies??? :cry: Not even Snowy?? :shock:
I'll have to post in .... aghhh.. :idea: ... the other SCN.... :mrgreen:

Re: Basis Admins & Authorizations/profiles

Postby Zavaros » Sun Mar 09, 2014 1:16 pm

Hello,

In a small company the Basis administrator is God. He is the security officer, the incident manager, the change manager and in a lot of cases the lead developer as well.
The HR project manager really hated me when I demanded a list of the transactions that would be used in the department... as Security officer without HR knowledge I had no other choice... :oops:

In big companies you cannot handle everything yourself. Your main task is to keep the system alive despite the users' efforts.

If it is properly planned, a single security department should handle all the user roles. Centralization helps to work according to current policies. On the other hand it makes the organization rigid. That's why it is normal to involve the key users of each department.

... so my opinion is that it is not important whether you have 1 single authorization team or several, distributed to each department, but whether they are aware of the consequences of their actions.

Look at the advantages (sad but serious):
- if a lot of users can delete entries from DB13 then you cannot be held responsible when UpdateStats has not run when it should...
- Same for SM51. If users can jump from one server to another then the whole load-balancing policy is out of order.


Last remark (really):
the need-to-know policy is good in the case of single-task operators. They cause trouble only if they have access to extra information.
Troubleshooters need access to wider information resources. You can profit from information sharing if the departments do the first incident assessment themselves.

Regards,
Zav
Zavaros
 
Posts: 756
Joined: Thu Oct 24, 2002 10:50 pm
Location: Hungary

Re: Basis Admins & Authorizations/profiles

Postby Snowy » Wed Mar 12, 2014 1:33 pm

Basis admins should NOT handle SAP Security.
Functional staff should NOT handle SAP Security.

Someone should handle SAP Security and do this only... unless you work for a very small company.
SapFans Moderator

Search: http://www.sapfans.com/forums/search.php
Notes: http://service.sap.com/notes
Help: http://help.sap.com
Rules: http://www.sapfans.com/forums/viewtopic.php?t=344127
Snowy
 
Posts: 28768
Joined: Mon Oct 21, 2002 2:33 pm
Location: 3.1415926535

Re: Basis Admins & Authorizations/profiles

Postby miataboy » Wed Mar 12, 2014 1:39 pm

Thanks Zav & Snowy.
Our company has no security folks.... OK, if you had to choose between functionals & Basis, who would you choose? Who would have the most "ethical" profile?
Rgds,
Claudio

Re: Basis Admins & Authorizations/profiles

Postby Zavaros » Wed Mar 12, 2014 7:00 pm

Hi,

Ethical? :roll: Interesting point.

... you mean you should be trusted because you have not deleted the database yet?

Regards,

Zav

PS: the genie is already out of the bottle. Users will not allow their authorizations to be reduced.
We started role normalization when there were over 600 standard roles for 1000 users. It was a pain.

Re: Basis Admins & Authorizations/profiles

Postby miataboy » Thu Mar 13, 2014 9:38 am

Hi Zav,
What I mean is, which is more arguable:
* Functionals in charge of authorizations, which can lead to them granting themselves a wide-open door with asterisks everywhere.
* Basis in charge, but we already have total control of the whole system, so our additional management of authorizations could seem like too much control in our hands.

Maybe this is a question with no answer ... :oops: :cry: :shock:

Re: Basis Admins & Authorizations/profiles

Postby Snowy » Thu Mar 13, 2014 10:15 am

It's all a matter of trust!
Who does your company trust more?

Is your company a public company (listed on a stock exchange)? If so, someone outside of Basis and Functionals should handle security.

Also, my feeling is that Functionals understand better what can be given to people, as they understand the needs of the users.
But... some companies will prefer asking Basis to handle Security while receiving hints from the Functional teams.

Re: Basis Admins & Authorizations/profiles

Postby miataboy » Thu Mar 13, 2014 10:27 am

Thanks Snowy.
No, we aren't on the stock exchange, but we are a utilities company.
The problem is the functionals have over-granted permissions: many users have access to SM51 and DB13, meaning they can shut down the system, so the functionals have done a sloppy job.
So I wanted to gather a trend, even if it is a "vox populi" argument fallacy :mrgreen:, so Basis takes over the authorizations task. But it is tougher than I thought to spot a trend; there is no general consensus. :roll:

Re: Basis Admins & Authorizations/profiles

Postby Zavaros » Fri Mar 14, 2014 4:09 am

Hello,

My problem with your idea is that you speak only about the Basis rights being spread out too widely.

Let's imagine you centralize the authorization.

What will you do when an FI user asks for HR authorization?
    - as the 1st step you'll send back the request with the 1st dumb question: do you really need this authorization? (of course he needs it, that's why the request was opened)
    - then comes the 2nd dumb question: is there any other solution for the issue? (the user does not have another solution and does not care)
    - sometimes there is a 3rd dumb question as well: what process will be blocked if the user does not get the authorization? (the user can name any process. You will not be able to compare the financial loss with the cost of the security leak you create by giving the authorization)
    - you are out of questions. You did everything you could. Now you can give him the required authorization.

... or you can:
    - investigate the company processes,
    - check whether the user's work instructions/tasks are in sync with them,
    - check inside the SAP system that the processes and workflows are set accordingly,
    - compare it all with SAP best practices.


Regards,
Zav

Re: Basis Admins & Authorizations/profiles

Postby miataboy » Fri Mar 14, 2014 9:10 am

Hi Zav,
"my problem with your idea is that you speak only about the Basis rights spread out too wildly."

Actually my problem is I want to take away the functionals' domain over authorizations because they have "spread them out too wildly", i.e., granting SM51 & DB13 to everyone carelessly. So I was hoping you'd all say Yes, Basis Rules PFCG... :mrgreen:
For all the dumb questions you mention: in my previous job I was in charge of authorizations, and when a user asked me to grant him permissions, the request was forwarded to the functionals and they approved/denied it. But I had full control over the dangerous transactions, which now is not the case, so the functionals are messing with my area. We all know the system can be crashed through SM51 ... :oops: :twisted:

Re: Basis Admins & Authorizations/profiles

Postby Snowy » Fri Mar 14, 2014 10:43 am

My Security specialist ALWAYS asks the Basis team when someone asks to be granted Basis transactions.

Then the Basis team gives an OK... or rejects the request.

An HR functional should have the right to disallow any HR related transactions. Right?
So, you should have the right to deactivate Basis transactions for anyone else.

So now, request to take out any Basis transaction you do not want people to use. Send this to the functional staff that handles security. If they don't want to do this, escalate to your superior.

good luck.

Re: Basis Admins & Authorizations/profiles

Postby Zavaros » Fri Mar 14, 2014 11:00 am

Hello,

Basis rules! You are already a semi-god.
You can do anything in the system and nobody will notice it because you have control over the logs and monitoring.
The only thing you can't do unnoticed is delete the whole database.

So... yes, we can say that if this has not corrupted you yet... then you are immaculate and you can be trusted more.
But it can also be said that you should not be tempted any further.

As mentioned before: system stability is not your responsibility as soon as too many people have Basis authorization. A management decision is required to handle this threat.

Regards,
Zav

PS: asking an HR expert about the authorization of an FI guy is trivial and useless. What happens if the expert denies it but the user insists that he needs it? You have to find a solution in an environment where nobody is interested in a proper one.

Re: Basis Admins & Authorizations/profiles

Postby miataboy » Mon Mar 17, 2014 10:04 am

Thanks Snowy & Zav.
This is where the shit hits the fan:
The functionals' leader is now the CIO; no one took his previous post, so he now rules over both. Now you see I'm almost drowning in shit..... of course all these suggestions have been made, to deaf ears. My only hope was getting 50+ replies from you all backing me up, since all googling for best practices has turned up NOTHING, so the CIO would realize how far off track his policies are. I have a 12 year track record of SAP not crashing once because of bad admin, but it is worrisome that any user can bring this to an end if he finds out he can use SM51.
Seems I'm gonna have to live with it.

Re: Basis Admins & Authorizations/profiles

Postby Zavaros » Mon Mar 17, 2014 10:35 am

Hello,

You are right ... but maybe it is not as dark as you see it.
Have you created statistics on who triggers the harmful BC transactions, and how often?

Other important questions:
Why do the users think they need these transactions? If you eliminate the reason, it will be easier to persuade them to reduce the authorization.
- Did they learn it in their SAP training? (remove it from the training material! like SE16 and SE38)
- Does the system have bad performance bottlenecks, so users are trying to find a spot where their job finishes fast?

Regards,
Zav