What is the basic role?
The basic role is a container for the permissions that all users should have.
It is a set of non-critical utilities that are useful from time to time. How should it be built up and what should it contain?
What should it contain?
The basic role should contain only non-critical authorizations and no business activities.
These are the activities that all SAP users should have:
- Transaction SU53, to display authorization errors
- Transaction SP02, to display your own spool requests (prints)
- Not SP01; read here for more details
- Transaction SMX, to display your own jobs
- Not SM37, as it would enable users to see jobs beyond their own and, where batch authorizations are not controlled, to manage and administer them
- Transaction SU50
- Not SU3. Through that transaction it is possible to modify the user parameters. Most of the time user parameters are used to pre-populate fields within transactions (imagine an SAP ERP system that contains only one defined company: in every transaction that contains that field, would it always be necessary to fill it in manually? Is there a way to give the field a default value? Yes, through user parameters). User parameters are also used for authorization or configuration purposes; in other words, the behaviour of certain transactions can be changed through them.
The basic role shouldn't include the possibility to schedule periodic jobs (if required by the release), and it shouldn't contain critical objects, for example:
- S_BTCH_ADM - Administrative functions of job scheduling
- S_BTCH_NAM - Ability to schedule jobs on behalf of other users (different from your own)
- S_DEVELOP - Ability to develop or display source code
It is crucial, moreover, in order to ensure the security of the SAP application, to avoid granting authorizations that would allow a user to access sensitive or business data.
This role could also be assigned to external users who need to access the SAP system.
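A practical way to enforce the rules above is to audit a candidate basic role's authorization data before it is transported. The script below is an added example, not code from the original article: it takes value lines in the shape of an AGR_1251 export (the column layout role, object, field, low, high is an assumption) and flags the critical objects named above, the transactions that must be replaced by their own-data-only counterpart (SP01, SM37, SU3), and any S_TCODE range or wildcard, which cannot be vetted as non-critical. The sample role and its field values are constructed for the demonstration.

```python
from collections import namedtuple

# One authorization value line, in the shape of an AGR_1251 export
# (assumed column layout: role, object, field, low, high).
AuthRow = namedtuple("AuthRow", "role object field low high")

# Authorization objects the article says must never be in the basic role.
CRITICAL_OBJECTS = {
    "S_BTCH_ADM": "administrative functions of job scheduling",
    "S_BTCH_NAM": "scheduling jobs on behalf of other users",
    "S_DEVELOP": "developing or displaying source code",
}

# Transactions the basic role may contain, and the broader transactions
# that must be replaced by their own-data-only counterpart.
ALLOWED_TCODES = {"SU53", "SP02", "SMX", "SU50"}
FORBIDDEN_TCODES = {"SP01": "SP02", "SM37": "SMX", "SU3": "SU50"}


def check_tcode(r):
    """Check one S_TCODE value line; ranges and wildcards cannot be vetted."""
    if r.high:
        return [("HIGH", f"{r.role}: S_TCODE range {r.low}-{r.high} cannot be "
                         "vetted as non-critical; list transactions explicitly")]
    if "*" in r.low:
        return [("HIGH", f"{r.role}: S_TCODE wildcard {r.low!r} grants unknown "
                         "transactions; list transactions explicitly")]
    tcode = r.low.upper()
    if tcode in FORBIDDEN_TCODES:
        return [("HIGH", f"{r.role}: {tcode} exposes other users' data; use "
                         f"{FORBIDDEN_TCODES[tcode]} instead")]
    if tcode not in ALLOWED_TCODES:
        return [("REVIEW", f"{r.role}: {tcode} is not in the agreed basic set")]
    return []


def audit_basic_role(rows):
    """Return a list of (severity, message) findings for a basic-role candidate."""
    findings = []
    for r in rows:
        if r.object in CRITICAL_OBJECTS:
            findings.append(("HIGH", f"{r.role}: critical object {r.object} "
                                     f"({CRITICAL_OBJECTS[r.object]})"))
        elif r.object == "S_TCODE" and r.field == "TCD":
            findings.extend(check_tcode(r))
    return findings


# Constructed sample: a candidate basic role that has drifted from the rules.
SAMPLE_ROLE = [
    AuthRow("Z_BASIC", "S_TCODE", "TCD", "SU53", ""),
    AuthRow("Z_BASIC", "S_TCODE", "TCD", "SP01", ""),       # should be SP02
    AuthRow("Z_BASIC", "S_TCODE", "TCD", "SMX", ""),
    AuthRow("Z_BASIC", "S_TCODE", "TCD", "SU50", ""),
    AuthRow("Z_BASIC", "S_TCODE", "TCD", "S*", ""),         # wildcard
    AuthRow("Z_BASIC", "S_BTCH_NAM", "BTCUNAME", "*", ""),  # critical object
    AuthRow("Z_BASIC", "S_TCODE", "TCD", "ZREPORT1", ""),   # business activity
]

if __name__ == "__main__":
    for severity, msg in audit_basic_role(SAMPLE_ROLE):
        print(severity, msg)
```

Run against the sample, the audit reports three HIGH findings (SP01, the `S*` wildcard, S_BTCH_NAM) and one REVIEW finding (ZREPORT1, a business activity that does not belong in the basic role). The REVIEW severity is deliberate: a transaction outside the agreed set is not necessarily critical, but someone has to decide whether it is a utility for everyone or a business task that belongs in a business role.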
In which cases can changing user parameters be critical?
Through transaction OMET (Settings for Function Authorizations) it is possible to set up some behaviours of the purchasing process. For example, during the creation of a purchase order (OdA) it can be made mandatory to insert the reference to the purchase requisition (RdA).
This configuration is enforced if the user has the parameter EFB (Function Authorization: Purchase Order) set to the value configured in transaction OMET.
A user in this case could remove the value of the parameter and bypass the control.
- The same applies to variants in the sales process. Through the user parameter SD_VARIANT_MAINTAIN (Authorization for variant maintenance) it is possible, by entering the value A, to become an administrator of variants in SAP sales transactions (for example VA*).
- Or in HR systems, for time recording, a data entry profile can be defined (for example: employees or externals). This timesheet format setting is configurable through the CVR user parameter. The ability to change it would result in hours being entered on an incorrect timesheet.
- In CRM systems there is a user parameter, CRM_UI_PROFILE, through which any of the defined CRM business roles can be assigned.
- In some systems, custom user parameters are used to influence the behaviour of transactions or authorizations.
Attention: changes to the user parameters table USR05 are not logged by default.
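Because USR05 changes are not logged by default, one compensating control is to take periodic exports of the table and compare them, reporting only the parameters the article identifies as critical (EFB, SD_VARIANT_MAINTAIN, CVR, CRM_UI_PROFILE). The script below is an added example, not code from the original article: it assumes a tab-separated export with the columns BNAME, PARID and PARVA (layout assumed), treats an empty PARVA and a missing row the same way, and classifies each change as set, removed or changed. The two snapshots and the user names in them are constructed for the demonstration.

```python
# Critical user parameters from the article and what a change affects.
CRITICAL_PARAMS = {
    "EFB": "function authorization for purchase orders (OMET)",
    "SD_VARIANT_MAINTAIN": "variant maintenance in sales transactions",
    "CVR": "timesheet data entry profile",
    "CRM_UI_PROFILE": "CRM business role",
}


def parse_usr05(text):
    """Parse a tab-separated USR05 export (assumed columns BNAME, PARID, PARVA).

    Returns {(user, parid): value}; an optional header line is skipped.
    """
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.upper().startswith("BNAME"):
            continue
        cols = line.split("\t") + ["", "", ""]
        bname, parid, parva = (c.strip() for c in cols[:3])
        params[(bname, parid)] = parva
    return params


def diff_usr05(before, after, critical=CRITICAL_PARAMS):
    """Return (user, parid, old, new, note) for every critical parameter that changed."""
    changes = []
    for key in sorted(set(before) | set(after)):
        user, parid = key
        if parid not in critical:
            continue
        old = before.get(key) or ""   # missing row and empty value are the same
        new = after.get(key) or ""
        if old == new:
            continue
        if new == "":
            note = "removed - a control keyed on this parameter no longer applies"
        elif old == "":
            note = "newly set"
        else:
            note = "changed"
        changes.append((user, parid, old, new, note))
    return changes


# Constructed snapshots: BUYER01 drops EFB (OMET control bypassed), changes
# the CVR profile, SALES01 gains variant administration; BUK is not critical.
BEFORE = """BNAME\tPARID\tPARVA
BUYER01\tEFB\tZ1
BUYER01\tCVR\tEMPL
SALES01\tSD_VARIANT_MAINTAIN\t
ADMIN01\tCRM_UI_PROFILE\tZ_ADMIN
BUYER01\tBUK\t1000
"""

AFTER = """BNAME\tPARID\tPARVA
BUYER01\tCVR\tEXT
SALES01\tSD_VARIANT_MAINTAIN\tA
ADMIN01\tCRM_UI_PROFILE\tZ_ADMIN
BUYER01\tBUK\t2000
"""

if __name__ == "__main__":
    for user, parid, old, new, note in diff_usr05(parse_usr05(BEFORE), parse_usr05(AFTER)):
        print(f"{user:10} {parid:22} {old!r:8} -> {new!r:8} {note} [{CRITICAL_PARAMS[parid]}]")
```

On the sample snapshots the comparison reports three changes: the CVR profile of BUYER01 changed, the EFB parameter of BUYER01 removed (which is exactly the bypass described above), and SD_VARIANT_MAINTAIN newly set to A for SALES01. The change to BUK is ignored because it only affects field pre-population. Add any custom parameters your system uses for authorization purposes to CRITICAL_PARAMS so they are reported too.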
How should it be built up?
Is it better to create one role and assign it to everyone, or to insert the activities mentioned above into the business roles?
The ideal would be to create an ad hoc role for all users. Repeating the same authorizations in the various collective roles entails:
- Heavier role documentation
- Duplication of information for those who have to approve the content of roles (see the owner article)
- The need to remember, each time a new role (professional figure) is defined, to include the basic tasks
How is it managed in Identity Management tools or SAP GRC?
A basic role can be assigned automatically on the creation of each new request. This role can be self-approved, without any approval iteration.
Do you need to set up or revise your SAP authorization model? Click here to find out more!
What if the organizational structure is used?
Roles can be assigned directly or indirectly. Directly assigned roles are those assigned through transaction SU01 or PFCG.
Indirectly assigned roles are:
- All single roles contained in a collective role
- All roles assigned to organizational positions (to which users are in turn assigned)
In this last case, is it better to create a position with all users assigned to the basic role, or to assign the basic role to each organizational position in addition to the others?
To avoid performance problems and to simplify management, even if assignments are indirect (through the organizational structure), it is recommended to assign the basic role directly to SAP users.