Common Practice In SAP Security
In daily support we often run into an issue that looks strange, but we ignore it and go for an instant fix that may not solve the actual problem. This article collects a few practices that can reduce some of our daily effort in the long run. Here are three examples I have noticed so far:
- Development Dependency
- Always Note Object Status
- Trace Is Application Server Specific
Development Dependency
Sometimes we find that a role in production and development is not in sync even though the role was migrated last night! This happens because the transport order was not followed properly. A good (and popular) way to see the transport order is as follows.
Transaction SE10 -> Goto -> Objects in Requests (this reads tables E070 and E071)
Then choose object selection for role (object type ACGR) and enter the role name. Note that the default request status is Released only, so we get only the list of released TRs containing the role. But what about the TRs that captured the same role some time ago and are not yet released? So when running the above search we also need to tick the Modifiable box.
Anyone about to change the same role has to make sure that his/her TR goes after all the TRs already on their way to the next systems (QA migration as well as Prod migration). It is always advisable to do this dependency check just before making a change to that particular role.
Note: For TRs not yet released, the above search shows the child task rather than the request itself. The parent request can be found in table E070 (field STRKORR of the task entry) or directly in SE10.
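As an added example (not part of the original article and not SAP code), the following Python script reproduces the same dependency check as a query over constructed copies of E070 and E071 in SQLite: it lists every request carrying the role as R3TR ACGR, both released and modifiable, and attributes an object found on an unreleased task to its parent request through E070-STRKORR. Transport numbers, users, dates and role names are invented; the status codes D and R (modifiable, released) are the common E070-TRSTATUS values.

```python
"""Dependency check for a role across transport requests, run against constructed
E070/E071 data.  Added example; in a real system the same SQL would be run against
the actual tables (SE16, or an ABAP report with OPEN SQL)."""
import sqlite3

# Subset of E070-TRSTATUS codes; any other code is reported as-is.
STATUS_LABELS = {"D": "Modifiable", "L": "Modifiable (protected)", "R": "Released"}

# Constructed sample data: column layout mirrors the real tables, rows are invented.
E070_ROWS = [
    # TRKORR       TRFUNCTION TRSTATUS STRKORR       AS4USER   AS4DATE
    ("DEVK900100", "K", "R", "",           "ADMIN1", "20200105"),  # released request
    ("DEVK900101", "S", "R", "DEVK900100", "ADMIN1", "20200105"),  # its released task
    ("DEVK900200", "K", "D", "",           "ADMIN2", "20200110"),  # modifiable request
    ("DEVK900201", "S", "D", "DEVK900200", "ADMIN2", "20200110"),  # its unreleased task
    ("DEVK900300", "K", "D", "",           "ADMIN3", "20200111"),  # unrelated request
    ("DEVK900301", "S", "D", "DEVK900300", "ADMIN3", "20200111"),
]
E071_ROWS = [
    # TRKORR       AS4POS PGMID  OBJECT OBJ_NAME
    ("DEVK900100", 1, "R3TR", "ACGR", "Z_FI_DISPLAY"),  # released: object sits on the request
    ("DEVK900201", 1, "R3TR", "ACGR", "Z_FI_DISPLAY"),  # unreleased: object still on the task
    ("DEVK900301", 1, "R3TR", "ACGR", "Z_MM_POST"),
]

# What "Objects in Requests" effectively does, extended so that an object recorded on a
# task is reported under its parent request (E070-STRKORR of the task entry).
ROLE_QUERY = """
SELECT DISTINCT
       COALESCE(NULLIF(t.STRKORR, ''), t.TRKORR) AS request,
       r.TRSTATUS, r.AS4USER, r.AS4DATE
FROM E071 o
JOIN E070 t ON t.TRKORR = o.TRKORR
JOIN E070 r ON r.TRKORR = COALESCE(NULLIF(t.STRKORR, ''), t.TRKORR)
WHERE o.PGMID = 'R3TR' AND o.OBJECT = 'ACGR' AND o.OBJ_NAME = ?
ORDER BY r.AS4DATE, request
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed E070/E071 rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE E070 (TRKORR TEXT PRIMARY KEY, TRFUNCTION TEXT, TRSTATUS TEXT,
                           STRKORR TEXT, AS4USER TEXT, AS4DATE TEXT);
        CREATE TABLE E071 (TRKORR TEXT, AS4POS INTEGER, PGMID TEXT, OBJECT TEXT,
                           OBJ_NAME TEXT);
    """)
    conn.executemany("INSERT INTO E070 VALUES (?,?,?,?,?,?)", E070_ROWS)
    conn.executemany("INSERT INTO E071 VALUES (?,?,?,?,?)", E071_ROWS)
    return conn


def requests_for_role(conn, role):
    """Every request (released or not) that carries ROLE as R3TR ACGR, oldest first."""
    rows = conn.execute(ROLE_QUERY, (role,)).fetchall()
    return [(req, STATUS_LABELS.get(status, status), user, date)
            for req, status, user, date in rows]


def blocking_requests(conn, role):
    """Requests that are still modifiable: a new TR for this role has to be imported
    after these have reached QA and production, or the systems end up out of sync."""
    return [r for r in requests_for_role(conn, role) if r[1].startswith("Modifiable")]


if __name__ == "__main__":
    db = build_sample_db()
    for entry in requests_for_role(db, "Z_FI_DISPLAY"):
        print(entry)
    print("Still open:", [r[0] for r in blocking_requests(db, "Z_FI_DISPLAY")])
```

Running it for Z_FI_DISPLAY reports the released request DEVK900100 and, for the object that is still only on task DEVK900201, its modifiable parent DEVK900200; the latter is the one a new change to the role must wait for.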
Always Note Object Status
There are four statuses that an authorization object can have in a role, as given below.
- Standard – values proposed from the customer table (SU24) / org levels, left unchanged
- Maintained – only the open (empty) fields were filled in
- Changed – values proposed from the customer table have been changed
- Manually – the object was added manually
Note: Besides the name, also refer to the legend for a role inside the profile generator (Ctrl+Shift+F8).
Dark blue is used for both maintained and changed; the difference is that for maintained, the proposed fields were empty, whereas for changed, values proposed by the customer table were altered.
Objects with status standard or maintained are the good citizens that normally do not give us trouble. The latter two will often come back to trouble us. How?
- Changed – People often change the standard value directly without keeping a backup of the standard or maintained one. Later someone changes that role and regenerates the profile by reading the role menu. The standard value is then proposed again in a new tree, and if this new tree goes unnoticed we may accidentally add extra authorization! To avoid this we should always make a copy of the authorization and change the standard value in the copy, then deactivate the original standard/maintained object.
- Manually – A manually added object has no link to the customer table. So if we add it for a specific tcode and later that tcode is removed from the role, the object still remains in the role. It is therefore always advisable to update the customer table (USOBT_C) via SU24 and then generate/regenerate the corresponding role.
Trace Is Application Server Specific
The authorization trace (transaction ST01) is very useful for security administrators to find missing authorizations for one or more objects at a time. But sometimes, after running the trace with the user's help, we find that nothing was recorded! This happens because an ST01 trace only records on the application server where it was switched on, and a production system often has multiple application servers. So if the user and the administrator are logged on to different application servers, the trace ends up with nothing! (Newer releases also offer transaction STAUTHTRACE, which can trace across all application servers; the ST01 procedure below still needs the server check.)
How do we check the application server? Below are a few methods I follow.
- Transaction AL08 – shows logged-on users across all application servers
- Transaction SM04 – shows users on one application server at a time (the one you are logged on to)
- Screen details – ask the user to read the system and server information from the status bar at the bottom right of any screen
If the administrator and the user are on the same application server, fine; otherwise the administrator should switch to the user's application server via SM51 by double-clicking the name of the application server where the user is logged on. Then proceed with the normal trace procedure.