Although I started working with SAP in 2000, I didn’t get around to doing my ABAP Certification till 2005. My second assignment after certification was to rewrite an SAP report-writer transaction in ABAP Objects, and this was a great assignment because it made me really think about SAP’s “project/WBS/network/activity” backbone, which I had previously taken for granted.

In particular, suppose there’s a big project P with lots of sub-projects, with lots of WBSs with lots of sub-WBSs, associated with lots of networks associated with lots of activities. Can SAP’s current role-based/transaction-based security be configured “out-of-the-box” to permit a given staff-member to access information on certain sub-projects, WBSs, sub-WBSs, networks and/or activities within project P, but not information on other sub-projects, WBSs, sub-WBSs, networks or activities within the same project P? If so, then could someone explain how? (In 25 words or less, of course.)**

But if not, then it seems to me that a piece of software that protects project sub-areas in this way would be a “gimme” for the SAP marketing and sales teams, because it’s so easy to play on guilt, fear, and paranoia when trying to market and sell this kind of thing.

** Please note that I don’t mean using transaction-based or role-based security to protect certain types of materials. I mean keeping a staff-member from accessing the same type of material in one sub-project while allowing this access in a different sub-project (for example).


4 Comments


  1. Michael Nicholls
    Hi David

    I’m just a techie type, but I would hope there was a suitable authorization object that could be used. Looking in SU21 I see there is an auth object C_PRPS_ART that contains the fields PS_PRART and PS_ACTVT.

    Is this useful?

    1. David Halitsky
      Michael –

      Thanks for taking the time to reply. I didn’t want to mention authorization objects (AO’s) in the original post because I wanted to see first if they came up in any responses.

      The first problem with trying to do project-based security with AO’s is that the actual restrictions must be expressed in application code, which makes these restrictions highly clumsy and time-consuming to implement and highly invisible.

      The second problem with trying to do project-based security with AO’s is that robust project-based security cannot possibly rely on binary “up-down”, “yes/no” restrictions.

      What is needed is a piece of software which has the ability to make decisions like this one:

      “Oh – David is working on subproject Px of project P but he’s trying to access info on subproject Py.  He has no “need to know” for info on subproject Py so I’m going to block the access and generate an alert to security”

      versus this one:

      “Oh – David is working on subproject Px of project P and he’s trying to access info on subproject Py. There probably is a legitimate need-to-know here, so I’m going to allow the access but still generate a less-serious alert to security.”

      versus this one:

      “Oh – David is working on subproject Px of project P and he’s trying to access info on subproject Py.  Although Px and Py have been declared as separate subprojects for administrative reasons, there is a clear subject-matter relation, so I’m going to allow the access and not generate any alert.”

      The third problem with trying to use AO’s to implement project-based security is that they force us to conceptualize project-based security in the wrong way.

      Project-based security must be conceptualized as a “triple (P, D, N)” where P is the organization of a project, D is the organization of data relevant to the project, and N is the network providing access to D to staff of P.

      Any other approach merely hand-waves the important (and exciting) questions.

      Thanks again for taking the time to reply and thereby giving me an opportunity to further the rant.

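The contrast drawn in the exchange above, as an added illustration that is not part of the original post, not either commenter's words, and not SAP code: in a real system the binary check is the ABAP AUTHORITY-CHECK statement against an object such as C_PRPS_ART, modelled here in Python next to the graded need-to-know decision the reply asks for. The WBS master data, the users, the role, the subproject names and the "restricted" flag are constructed assumptions of the example; only the object and field names C_PRPS_ART, PS_PRART and PS_ACTVT come from the thread.

```python
"""Constructed model of two ways of deciding access to a WBS element.

Part 1 mimics an SAP authorization-object check: a role grants values per
field of an object, the check is binary, and C_PRPS_ART (fields PS_PRART
and PS_ACTVT, as named in the thread) sees only the project type and the
activity, so it cannot tell two WBS elements of the same type apart.

Part 2 is the graded need-to-know decision described in the thread:
assignment (P), declared subject-matter relations between subprojects (D)
and a per-subproject "restricted" flag (an assumption of this example)
yield allow / allow-with-alert / block-with-alert.

Users, roles, WBS data and subproject names below are invented.
"""
from dataclasses import dataclass, field
from enum import Enum

# object -> field -> granted values ('*' = any), the way a profile would hold them
Role = dict[str, dict[str, set[str]]]

# Constructed master data. WBS element -> (project, subproject, project type).
WBS = {
    "P-100-A-01": ("P-100", "Px", "ZINT"),
    "P-100-A-02": ("P-100", "Px", "ZINT"),
    "P-100-B-01": ("P-100", "Py", "ZINT"),
    "P-100-C-01": ("P-100", "Pz", "ZINT"),
    "P-100-D-01": ("P-100", "Pw", "ZINT"),
    "Q-200-A-01": ("Q-200", "Qa", "ZEXT"),
}
SUBPROJECT_OF = {sub: project for project, sub, _ in WBS.values()}


def authority_check(roles: list[Role], obj: str, **fields: str) -> bool:
    """Binary check in the style of ABAP AUTHORITY-CHECK: true if any role
    grants every requested field value (or '*') for the object."""
    for role in roles:
        granted = role.get(obj)
        if granted is None:
            continue
        if all(value in granted.get(name, set()) or "*" in granted.get(name, set())
               for name, value in fields.items()):
            return True
    return False


def can_display_wbs_via_ao(roles: list[Role], wbs_id: str) -> bool:
    """All a C_PRPS_ART check can express: project type plus activity (03 = display)."""
    _project, _sub, prart = WBS[wbs_id]
    return authority_check(roles, "C_PRPS_ART", PS_PRART=prart, PS_ACTVT="03")


# A role that displays every WBS of project type ZINT, whichever subproject it is in.
PS_DISPLAY_ROLE: Role = {"C_PRPS_ART": {"PS_PRART": {"ZINT"}, "PS_ACTVT": {"03"}}}


class Decision(Enum):
    ALLOW = "allow, no alert"
    ALLOW_ALERT = "allow, low-severity alert"
    DENY_ALERT = "block, alert security"


@dataclass
class NeedToKnowPolicy:
    """The (P, D, N) triple from the thread, reduced to the data the decision needs."""
    assignments: dict[str, set[str]]   # P: user -> subprojects the user works on
    related: set[frozenset[str]]       # D: pairs of subprojects with a subject-matter relation
    restricted: set[str]               # assumption: subprojects that need explicit assignment
    alerts: list[tuple[str, str, Decision]] = field(default_factory=list)

    def decide(self, user: str, wbs_id: str) -> Decision:
        project, target, _prart = WBS[wbs_id]
        mine = self.assignments.get(user, set())
        if target in mine:
            return Decision.ALLOW
        if any(frozenset((target, own)) in self.related for own in mine):
            return Decision.ALLOW  # separate subprojects for admin reasons, same subject matter
        in_same_project = any(SUBPROJECT_OF[own] == project for own in mine)
        if in_same_project and target not in self.restricted:
            decision = Decision.ALLOW_ALERT  # plausible need to know, but leave a trace
        else:
            decision = Decision.DENY_ALERT   # no need to know: block and escalate
        self.alerts.append((user, wbs_id, decision))
        return decision


def build_policy() -> NeedToKnowPolicy:
    """Constructed scenario: david works on Px; Px and Pz are related; Py is restricted."""
    return NeedToKnowPolicy(
        assignments={"david": {"Px"}},
        related={frozenset(("Px", "Pz"))},
        restricted={"Py"},
    )


if __name__ == "__main__":
    for wbs in WBS:
        print(f"{wbs}: C_PRPS_ART display = {can_display_wbs_via_ao([PS_DISPLAY_ROLE], wbs)}")
    policy = build_policy()
    for wbs in WBS:
        print(f"david -> {wbs}: {policy.decide('david', wbs).value}")
    print(f"{len(policy.alerts)} alert(s) raised")
```

Running the block shows the point of the reply: the role passes the C_PRPS_ART check for every ZINT WBS element, including the one in subproject Py, because the object only carries project type and activity, whereas the policy object returns a different decision for each of the three cases in the comment and records an alert for every access that was not silently allowed. Making the binary check per-WBS in a real system would mean adding custom code (a further AUTHORITY-CHECK or a dedicated check in the application) at each access point, which is the clumsiness and invisibility the reply complains about.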
