Frustrated. Need Advice on SAP Security Implementation!!!

I'm very frustrated with my latest project and I would really appreciate your feedback.
I recently joined a company that's implementing SAP. They are already in the realization phase and will soon enter the final preparation stage. I was brought in to implement SAP Security. I was provided with a compiled list of roles and tcodes based on the blueprints from the teams and this was my starting point.
I wanted to do a presentation with the teams so that we all know what my expectations/requirements are from them and vice versa. In preparation for this, I gathered their processes from their blueprints. I wanted them to break each process into detailed activities/tasks/functions. From there, they can identify the tcodes and then the roles. I also wanted to do this approach because the company is following SOX regulations. I showed this to my team lead and the PM, and the PM advised me not to go with this strategy because there would be too much work involved. I wanted this approach because I also wanted to do the SOD but I was told not to do it because it would only confuse them. He just wanted to work on polishing the list of roles and tcodes.
Some team leads are all experienced people while other teams are not because they are working with an employee from the company. Kinda like a partnership, 1 is a consultant while the other is a team lead from the company. Which I believe is normal practice so that there is knowledge transfer.
So I had my presentation and I found out that most of the team leads have not seen this compilation of roles and tcodes. I also found out that even though they are already in the realization stage, the majority of the teams have no idea what roles to give nor do they know who to give them to. I also asked for the org chart from the HR team but I was told that they still don't have it and cannot give it to me. They even asked me why I need it. They also informed me that HR structural authorizations are not going to be implemented and yet nobody can give me a damn good reason why. All they tell me is that it's because they don't need it.
So as you can see, I'm not getting the cooperation/support I need to be able to do my job properly. How can I when every strategy I wanted to do is being turned down? What should I do? Really need your advice on how to proceed. Your inputs are highly appreciated.
Thanks in advance!

Julius, Auke and Alex,
I'm sure everyone would agree that the advice you guys offer is more than valuable. Thank you for that.
I myself have been encountering the same situation that Litz is facing, except that in my case the Management is very co-operative (and trust me, this helps a lot). My problem is that neither I nor my Management know what access needs to be given to Consultants or IT Staff after GoLive or even now. The Functional Consultants "don't have the time" to tell me what Tcodes they need access to, and they insist that they should have sap_all, and I have no idea what access they SHOULD have.
I was going to post another thread for my questions but I guess there are already too many which address the same issue. These threads did give me a good insight on how SAP Security should be managed, and I was able to get some of it chalked out. I have a few questions though, which I wasn't too sure about even after reading through the countless threads.
Most consultants in my company had sap_all in QA since no one knew what they should have, and we often noticed that they would be playing with the Basis Tcodes. Now, knowing what they have been doing in QA, I do not want to give them sap_all in Prod (although they insisted) at any cost. So, I made a role (z:sap_all), copied sap_all, disabled Basis Tcodes and assigned it to them. Then I kept adding Tcodes one by one on a request basis.
We haven't gone Live (they say that we are still in testing phase since the final cutover is due in the next few weeks) yet and I know that this cannot work after Go-Live since z:sap_all has Tcodes like SE38, AL11, SM50 etc in Prod. They say that they need these to do processing and it is okay to give it to them since we haven't gone live. I would also like to mention that my company is trying to get SOX compliant and needs these things in place.
I have been entrusted with a BIG responsibility and am trying my best to live up to the expectations, and I am relying on you guys to help me out. All the Business Roles are in place, and it's just the IT roles that I'm worried about.
So, my questions are
1. For how long is it okay for Functional Consultants to have this kind of access in Prod?
2. After we Go-Live, would a display-only role for all functional Tcodes suffice for them? Or should they have Basis Tcodes too? If yes, which ones? (I'm asking this because I know that it should be minimal.)
3. I have been told to create an "IT-Support role" by the Manager of the Implementation Partner for after GoLive. But he has no idea what T-codes it should have or what it does. Any ideas on this?
4. I have read about the "firefighting role". I'm guessing that the IT Support Role is the same as this. But what exactly does the firefighting role have? And in what situations is it assigned?
5. How important is the period before the final Cutover as far as SOX compliance goes?
A little enlightenment on the common issues encountered after Go Live would also help me assess the situation a lot better.
I hope I'm not asking too much of your time here. Thank you again guys!! Appreciate it!
Kunal

Similar Messages

  • Need advice for SAP installation on External  Hard disk

    Hi Gurus,
    I have an HP laptop with a configuration of 512 MB RAM and a 50 GB hard disk... I recently bought a 250 GB Seagate external hard disk for SAP installation... My doubt here is: if I install SAP on the external hard disk, will it work properly if I connect my laptop?
    Your advice is much appreciated.
    Regards
    Dinesh

    Hi Dinesh,
    I have installed SAP on an external hard disk.
    And it will work properly.
    But I think you need to increase your RAM.
    After installation, please keep one thing in mind.
    You will have to attach your external hard disk before your machine starts, because your OS will be on the internal hard disk, so SAP and Oracle services won't be able to run without the external hard disk.
    And in case you attach it after system startup, please start all services.
    Regards,
    Payal Patel

  • Need advice on SAP BW career

    Hi everyone, I just wanted your opinion on some SAP BW career questions,
    1) Do I need to start with SAP FI/CO and then move towards SAP BW in order to become a real SAP BW professional, or would starting directly from SAP BW be ok?
    2) Do I need to know SQL language?
    3) Do I need to know ABAP language?
    Thanks for your inputs.

    Hi
    1) Do I need to start with SAP FI/CO and then move towards SAP BW in order to become a real SAP BW professional, or would starting directly from SAP BW be ok?
    Desirable but not required
    2) Do I need to know SQL language?
    Desirable but not required
    3) Do I need to know ABAP language?
    Very helpful but not a necessity
    Assign points if useful
    Regards
    N Ganesh

  • Advice needed: what does your company log for SAP security role changes?

    My client has a situation where for many years, they never logged changes to SAP security roles.  By that I mean, they never logged even basic details, like who requested a change, tested it, approved it, and what changed!!  Sadly their ticketing system is terrible, completely free-form text and not even searchable. 
    Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details?   What details do you capture?  What about Projects, that involve dozens of changes and testing over several months?
    I plan to recommend, at least, they need to use a unique# (a ticket#, or whatever) for every change and update the same in PFCG role desc tab, plus in CTS description of transports... but what about other details, since they have a bad ticketing system?  I spoke with internal audit and change Mgmnt "manager" about it, and they are clueless and will not make recommendations.  It's really weird but they will get into big trouble eventually without any logs for security changes!

    Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
    I have questions:
    a) Do you want to make things straight
    b) Do you want to implement a versioning mechanism
    c) You cannot implement anything technical, but you're asking about best "paper" practise?
    The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
    Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
    PFCG transaction usage will be curtailed to minimum if implemented fully.
    Do we really want to do things "outside" PFCG?
    @all:
    a) do you guys use custom approval workflows for roles?
    b) how tight your processes are? how much paperwork, workflow, tickets, requests and incidents you have to go through to change a role?
    c) who is a friend of GRC here, raise your hand
    Cheers Otto
    p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild

  • N00b needs advice---community college SAP course

    Hello experts,
    I'm here for advice and help. I had started looking into SAP a while back but for other circumstances I had to put that to the side for a while. Now I'm back more motivated than ever and ready to absorb all the information possible. As you read my post keep in mind that I'm a complete beginner and have never used SAP. My field of work now has nothing to do with SAP, I'm a laboratory technician and that's where my question comes in; will a class like the ones below help me land a job that with time I can make a career? Also which of these classes would you recommend that have the most opportunity for advancement and growth?
    My community college offers several courses in SAP, but all the classes are geared for the professional using SAP in their own work environment, during an implementation, upgrade, or maintenance, or through consulting work. SAP version 6.0 is used in class. These classes are not part of training to pass a specific certification...
    Classes offered:
    SAP End User Applications
    SAP FICO Financial Training
    SAP Logistics Training with Materials Management and Production Planning
    SAP Production Planning Training
    SAP Security Training
    SAP Security Training Advance
    Each class is $1450.
    Also have any of you ever become certified in a specific module of SAP without paying the big bucks for the SAP classes?
    BTW, I know $1450 is a very small amount compared to what the real SAP classes go for. I just don't know if it's worth it for what I'm receiving in exchange...

    Anybody? Just some advice will help. Breaking into the SAP career is difficult if you don't have the money to pay for the classes, I just want to know if there is a another way to get your foot in the door.
    Regards.

  • SAP Security On A New SAP Implementation

    Hi Gurus,
    I'm going to be part of a team that will be implementing SAP Security with a company that's implementing SAP. My experience has always just been on the maintenance and support and I was wondering security wise, what's involved during the implementation stage. What are the things to be done or considered when implementing SAP Security? Are there steps to be followed? What is the best strategy for implementing authorizations?
    Thanks in advance for answering my questions and enlightening my junior mind.
    JB

    Hi,
    The SAP Security implementation process follows the Authorisation Methodology. In this we need to follow these phases:
    1. _Requirement_: In this phase the implementing partner team communicates with the end user and prepares the S.O.D. As per the S.O.D., the implementing partners prepare the _Role matrix_.
    2. _Analysis_: As per the role matrix, based on rules and regulations, consultants educate the end user.
    3. *Implementation*: As per the role matrix, single roles, composite roles and derived roles will be developed, and critical tables, reports and transactions will be secured.
    4. Quality check and test: Developed roles are moved to the quality system and testing will be done; as per approval from the decision maker, roles are moved to the production server.
    5. Cutover: The roles are assigned to the users and the system goes live.
    Please concentrate deeply on the underlined and bold words.
    Thank you.

  • SAP Security Planning and implementation with SOX/SOD compliance

    hello
    Hi guys, i am a security guy
    could you tell me ,"SAP Security Planning and implementation with SOX/SOD compliance" 
    what does it mean.
    <removed_by_moderator>
    thanks
    Ramesh
    Edited by: Julius Bussche on Feb 2, 2008 1:26 PM

    Ramesh Sammiti wrote:>
    > hello
    >
    > Hi guys, i am a security guy
    >
    > could you tell me ,"SAP Security Planning and implementation with SOX/SOD compliance" 

    > what does it mean.
    >
    >
    > <removed_by_moderator>
    >
    >
    > thanks
    > Ramesh
    Forgive me for saying, but it means:
    Implementing security which complies with Sarbanes Oxley requirements and takes into account Segregation of Duties.
    SOX and SOD are different things, from a security perspective SOX is generally technical security based and SOD is business process based (although bus proc has big SOX component).
    There is a plethora of information via yahoo/google etc.
    Edited by: Julius Bussche on Feb 2, 2008 1:28 PM

  • SAP Security handover from the Onshore Implementation team Documents

    Dear All,
    We are an Implementation & Support Team and we are getting SAP Security handover from the Onshore Implementation team where in future we ought to continue the Implementation.
    Please could you let me know what other documents we require for handling the complete security landscape for our scenario:
    CRM, BI, BS, SOLMAN, EP and PI
    Please suggest any other documents besides the below or any other specific details with respect to each Module,
    • Enterprise-Wide Role Matrix
    • Role Implementation Framework Prototype
    • User Authorization and Strategy Management Procedures
    • User Role and Authorization Concept Technical Design
    • SAP Security Organization Hierarchy Requirements
    • Transaction to Role Mapping
    • Role to Position Mapping
    • Available authorization policy documents
    • Role matrix with segregation of Duties
    Many Thanks

    What do you have defined for your support?
    Presumably you have quoted a price per call but what do you cover and how do you calculate the charge to your client?
    Please let me know so that I can undercut your quote.
    Damn - forgot to ask who your client was and the contact name.
    Cheers
    David
    Edited by: David Berry on Feb 11, 2011 12:29 AM
    Edited by: David Berry on Feb 11, 2011 12:30 AM

  • HELP: New to Mavericks. Need advice on setting up secure user accounts

    Hi,
    I need advice on how to best set up user accounts on Mavericks.
    I must set up an Administrative account...Any suggestion for best settings here to protect against targeted malicious exploits?
    I would also like to set up two user accounts for everyday work with applications and Internet browsing done in such a way that the machine would be protected from malicious attacks but with a minimum of inconvenience for the users (myself and my wife).
    Thanks

    Hi hassiman, any exploits will come in the form of users downloading suspect pieces of software like browser add-ons and extensions, device drivers and non-trusted apps.
    Make sure that you do not use the admin account for any day to day use
    Create two normal user accounts, one for each of you and use them day to day
    When using the admin account to set up your system, pay very careful attention to the System Preferences > Privacy & Security area. There are various things to set up properly here:
    There are three settings for how people can download software, 1) From Mac App Store only, 2) From App Store and registered developers and 3) from anyone. It defaults to 2) but check it and if you feel uncomfortable with that, set it to 1). This might prevent you from downloading and installing software you think you might need; but think carefully about whether you really need it and therefore whether you should temporarily allow it via a lower setting.
    For the firewall, if you don't have a firewalled internet gateway device (a wireless router or similar), make sure the firewall is turned on. Most internet connection equipment does have such a firewall; make sure it is blocking any incoming connections by using its admin tool (usually a web browser interface). Consult its documentation for details.
    Whenever OS X asks for a password to complete a task of any kind, look carefully at what is making it ask and if you aren't sure, don't go through with it; it is usually wanting the admin account name and password to complete some kind of system modification (install, config etc.).
    Make sure that you are both aware of the danger of installing any software that wants to add itself to your system or web browser. Things like custom search bars, extensions etc. If you are viewing a web page and it says you need "x" to see it or use it properly, make sure you really need to use that web site; otherwise don't do it.
    It really all comes down to common sense; the worst security breaches and damage come from users who don't know what to do, but they still click "OK" when they should be clicking "cancel" or "close". Make sure you and your wife are fully aware that responsibility lies with yourselves. It is better to take a minute to decide whether to install something (even if it's 20 times a week) than spend days fixing a compromised system.

  • Need advice on Career in SAP after completing 9 yrs in IT mainly in Telecommunication Domain with BMC Remedy Tool knowledge

    Need advice on Career in SAP after completing 9 yrs in IT mainly in Telecommunication Domain with BMC Remedy Tool knowledge.
    Which Module of SAP can I learn and get into, as I have Tool based knowledge in BMC Remedy and fair knowledge in SQL, and I come from a non-IT background? What are the career prospects after completing any SAP module now, and will my previous experience be taken into account?

    Prashant,
    One of the reasons nobody has replied to you yet is that, this is a question with so little information provided.
    - There is no mention of your education background.
    - Your work background is very vague. What exactly did you do in Telecommunication Domain?
    - What exactly did you do in BMC Remedy? Were you just an end-user or did you do any background support work?
    - What exactly did you do in SQL? Did you work on it or did you just attend training?
    - Why do you want to jump into SAP? And what precisely you want to jump into in SAP?
    - What are your interests? Technical or Non-technical?
    - What's your career objective? Where do you want to be 5 years from now?
    Without providing this information how can anyone help you? Picking a module and going with it makes no sense. What if you spend an insane amount of time and money learning a module in SAP (based on some random suggestions given here) and realize that this is not what you were looking for, or there is little scope for that module in the market? What then?
    It's your career that you are planning. It definitely deserves more thought-process and planning to go into.
    pk

  • Help needed- SAP HANA implementations and costing

    As a Project Manager, I am interested in knowing the details of SAP HANA implementation.
    If any company wants to use HANA, then what should be the cost of appliances, related software and integration with NetWeaver?
    How will the costing be decided if any company wants to migrate to HANA?
    Please help

    Thanks Krishna and Raj for the info.
    I also found the below link very informative in terms of costing related to hardware, infra, software etc.; do read it if you get time.
    http://public.dhe.ibm.com/common/ssi/ecm/en/xsw03127usen/XSW03127USEN.PDF
    If anyone has more views then please share

  • Need SAP B1 Implementation FAQ's

    Hi Experts,
    This is Krishna. At present I am on SAP XI, and now I am taking training on SAP B1 implementation, so could anyone please help me and forward me the FAQs?
    Thank you to all

    Hi,
    Hope the following link will be usable for you,
    https://www.sdn.sap.com/irj/sdn/wiki?path=/display/b1/faq
    Regards,
    Venkatesan G.

  • What are the Essentials for a Sap Security Consultant.

    Hi Gurus,
    I have completed an Implementation in which I alone handled the entire Security. It is a defense client.
    Now I am technically expert at security. But I have no functional knowledge.
    To implement Security in SAP one needs to have knowledge of the functional process as well. The courses are purely technical stuff and I have a good idea of the technical stuff.
    The question is: what is an SAP Security Consultant expected to know? And how does one go about acquiring that knowledge?

    Hi Hussain,
    There is a little bit of release-dependent-everything in this thread: Authorization for VAP2 in conflict with VD02 for F_KNA1_GRP
    Try to solve it and you will understand that you need the requirements (without that you are anyway doomed) and the knowledge and the appropriate access to create / test it.
    BAPI's are remote enabled stable interfaces to SAP standard functionality. They are the best examples of combining functional, technical and standard skills in a sustainable way without creating a mess (a mess, way beyond the bounds of your concerns...).
    If you learn to use the available tools and information sources, then you don't need to stress about the essentials, even if your customer makes a design error before or after your advice.
    Cheers,
    Julius

  • Getting started in SAP Security

    Hi guys,
    I've been in the industry working as an ETL developer, designer and DBA for a few years now, although mostly worked in a non-sap environment.
    I'd like to get into SAP Security. I need your input in getting started.
    What's a good place to start? So far, I've started looking at some webcasts at SDN.
    What else can I do?

    Hi Ravi,
    How about this for a suggestion - 2 years each:
    1) - Development (a.k.a. "Techi") - such as ABAP.
    2) - Functional consulting (a.k.a. "Funki") - try to specialize in an area.
    3) - XI (not sure what the "a.k.a" is...)
    4) - then SAP Security...
    (you can also juggle 1 and 2, or combine them to the best possibility... and get informed about the new stuff... but you will often meet chicken-or-the-egg there...)
    (optionally you can either start, or end, with auditing...)
    Much like Ben's advice, this is just a suggestion for you to take a medium term approach without giving up after a few days.
    Cheers,
    Julius

  • SAP Security Note 1487730

    Last week we saw SAP releasing its SAP Security Notes as per its SAP Security Patch Day practice.
    One of the notes released was related to a BUG FIX in the Kernel as per note 1487730
    https://websmp130.sap-ag.de/sap/support/notes/1487330
    Now the issue goes this way.
    We are on Kernel 7.01 SP Level 79.
    According to the NOTE we need to be at least on SP Level 103.
    When I check on the Marketplace I can only find SP Level 111, which is the latest and was released on 14.10.2010, i.e. 2 days after the NOTE was released.
    Apparently we follow a rule of thumb here to implement the Kernel which is lower than the latest Kernel.
    The issue is I can't find Kernel SP Level 103.
    Is it safe to go for SP Level 111?
    Our Database is ORACLE 10.2.0.4
    OS Platform: Solaris Sparc 64-Bit NON UNICODE
    Regards,
    Ashish .A. Poojary
    Edited by: Ashish Poojary on Oct 21, 2010 7:10 AM

    Hi Ashish,
    Generally the rule of N - 1 is followed for SAP Application patches and not for kernel.
    You can go for latest kernel, it will not be any problem.
    Thanks
    Anil
