Former Member


Read this before you read the blog

  • I am not a trained professional on SAP NetWeaver
  • I have been working on Security and Authorizations for the past 3+ years
  • The views I express here are what I see and feel and have nothing to do with the company I work for, nor the project I work on


When I first joined the community, I was impressed by the first few interactions with the "experts" of the SDN Community. In fact, to be honest, I was (maybe I still am) in awe of the in-depth knowledge a few people had. I was impressed by their conviction to provide solutions. I felt I had a chance to ask, to learn, to interact, to share BUT.......... over a period of time I somehow feel distanced from the activities on the forum - partly due to being pre-occupied with my own work (going through a horrendous Audit exercise (as all audit exercises are :-) )). The other big factor is the kind of questions posed and the equally appalling answers.

 

Sometimes, it makes me wonder if we were better off being "Neanderthalians" than being "SAP-phobics" or "SAP-holics" or so called "under cover" Security experts (many users tend to do this - by not giving the correct name, they derive some kind of eerie and innate sense of thrill and pleasure, - I guess......). I somehow have this strange feeling that in a matter of a few months the standard of the forum seems to have slipped into a "not so nice" state.

 

There are quite a few qualified experts working on different requirements to satisfy their project needs, but I am beginning to wonder about the commitment and interest shown in what is posted on the forum. I guess they fail to understand that the ideas expressed are a mere reflection of the core understanding on Security related issues that have been built over years of working on them.

 

If I could really change something, I would like SAP to stop teaching people the usage of ST01 (make no mistake, I am a "no brainer" on that one). I know I cannot use the complete functionality of ST01, I know it is a great thing to know and learn - but guys, give me a break...Having some common sense is more important and elementary.......you bet....eh? Global warming, unemployment, poverty........you can't have a trace "on" to solve these.............I have read posts where the operator wanted to develop a profile for user having SAP_ALL and the answer was to trace the user and give him all that he accesses..........c'mon, if this is not ridiculous, I fail to understand what else can be?

 

I have sometimes seen ridiculously simple and sometimes thought-provoking issues evoke answers from multiple experts, all of them quoting "go to ST01 switch on the trace and see the objects that are called and build a role with the objects". Can this get any dumber? Try going to a transaction like VA01, switching the trace on, seeing how many objects are shown in the log, do you think all of them are needed for executing VA01? A basic thought that should guide us, would be to realize that SAP has given many different functional possibilities to use from within VA01 (maintain credit data, customer master, send data to other systems, etc.). But if I don't use all that, then why should I give all objects that are called in the trace? Ever thought of that?

 

If the question from an operator is "I want to delete a specific item from a document", the immediate equi-vocal response seems to be - "go to ST01 check if the object so and so is called, give access on the object and you can delete". Very few people on the forum seem to bother or try to understand or question the operator on what they intend to do. Why does the operator want to do something that is abnormal? And when we give the right answer to the operator we tend to answer his question without explaining why? Personally, I think this is prompting more users to log in and check for quick fix solutions than really spreading (If only the Forum could give quick-fixes to all my problems with "segregation of Duties" I would have been in Santorini, I think :-))

 

The other major "nervy" factor on the forum is the usage of transaction variants. I guess there are a lot of people living with the misconception that one glove fits all!!! Transaction variants are NOT the only option for everything you want to achieve contrary to what SAP has provided. So please think twice before answering and refrain from having this as an immediate answer for every question posed on how things can be achieved for particular restrictions if there are no check indicators provided.

 

The last but not the least indigestible set of answers are the ones that say "Yes, I agree with so and so". Guys, please give others a break, no one wants to hear from you if you have nothing more to add or share than what so and so has suggested. I don't understand the human factor of wanting to bond and show a level of "follower-ship" here. I don't understand the psyche to bond on a professional forum (that is what it is supposed to be, isn't it?). Kindly note that you are wasting everyone's time and you get no brownie points by being a "die-hard" fan or follower.


Finally some finer points: Overall this is an excellent forum for knowledge sharing. Some of the experts deserve a standing applause for their in-depth knowledge, commitment and conviction to share their expertise and provide timely, valuable advice. It's fun to read the mini scraps (arguments) too as they hint at their confidence levels. The experts who bring the audit aspects of the security requirements to this forum are commendable and worth reading.

 

Let's not allow this to degenerate into some quick fix solutions site and let's try to maintain the momentum and standards set by these experts!

 

I don't want to mention the names of the brilliant guys...as I mentioned in the blog header ... I am a rank outsider and these are just my mere observations.
