Hello Authorization Gurus,
I am working on an audit requirement to revoke certain critical permissions for a number of users.
The requirement states that a number of users (over 40) should have their permissions to view PSA Tables under certain conditions in the backend of a BW system revoked.
Now, these over 40 users come from different departments with different functions and between them have about 28 different roles assigned to them.
The critical authorisations/permissions which were audited were composed of the following conditions:
Composition of critical permissions:
S_TABU_DIS: Authorization group &NC&; Activity 03 AND
(S_TCODE: Transaction code SE17 OR
S_TCODE: Transaction code SE16 OR
(S_TCODE: Transaction code START_REPORT OR
(S_TCODE: Transaction code SC38 AND
S_PROGRAM: Authorization group ABAP/4 program *; User action ABAP/4 program SUBMIT) OR
((S_TCODE: Transaction code SE15 OR
S_TCODE: Transaction code SE80 OR
S_TCODE: Transaction code SE84 OR
S_TCODE: Transaction code SE85 OR
S_TCODE: Transaction code SE90 OR
S_TCODE: Transaction code SEU_INT) AND
S_DEVELOP: Activity 03) OR
((S_TCODE: Transaction code SA38 OR
S_TCODE: Transaction code SA38PARAMETER) AND
S_PROGRAM: User action ABAP/4 program SUBMIT) OR
S_TCODE: Transaction code SUB% OR
((S_TCODE: Transaction code SE38 OR
S_TCODE: Transaction code SEU_INT_ENH) AND
S_DEVELOP: Object type PROG; Activity 03)))
Contained critical values:
Object Field name
S_TABU_DIS DICBERCLS without authorization group (&NC&)
ACTVT Display (03)
S_TCODE TCD TCD (SE17)
S_TCODE TCD Table display / maintenance SE16 (SE16)
S_TCODE TCD Execute reports (START_REPORT)
S_TCODE TCD Cross-system program execution (SC38)
S_PROGRAM P_GROUP All (*)
P_ACTION Execute (SUBMIT)
S_TCODE TCD Dictionary Information System (SE15)
S_TCODE TCD Repository Information System (SE80)
S_TCODE TCD Repository Information System (SE84)
S_TCODE TCD ABAP/4 Dictionary Information System (SE85)
S_TCODE TCD Process Model Information System (SE90)
S_TCODE TCD Object Browser (SEU_INT)
S_DEVELOP ACTVT Display (03)
S_TCODE TCD Reporting (SA38)
S_TCODE TCD Scheduling PFCG_TIME_DEPENDENCY (SA38PARAMETER)
S_PROGRAM P_ACTION Execute (SUBMIT)
S_TCODE TCD Internal call: Submit via OK code (SUB%)
S_TCODE TCD ABAP Editor (SE38)
S_TCODE TCD Object Browser (SEU_INT_ENH)
S_DEVELOP OBJTYPE ABAP programs (PROG)
ACTVT Display (03)
Now, my problem is this:
These permissions need to be withdrawn in compliance with Audit demands. However, I cannot just remove the role assignments because these roles give the users a multitude of other permissions which cannot be tampered with... Plus: They are not all simply within a single department or group or belong to one or similar profiles, but cut across several different cross-sections of the enterprise.
What is the best strategy to go about withdrawing the specified permissions listed above without tampering with the rest of the authorisations/permissions contained within the assigned roles?
I would be very grateful for any assistance on this issue.
Best Regards,
Uche
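
An added example, not part of the original post: the audited rule above evaluated over a user's combined role authorizations, returning which roles supply the S_TABU_DIS leg and which supply a transaction/program leg. The role names, the sample data and its shape (authorizations grouped per role, as from an AGR_1251 export) are constructed assumptions, and value ranges (LOW-HIGH) are not handled.

```python
from fnmatch import fnmatchcase

# Constructed sample: role -> list of (object, {field: [held values]}), one
# tuple per authorization. Role names are hypothetical.
ROLES = {
    "Z_FI_REPORTING": [("S_TCODE", {"TCD": ["SA38", "FB03"]}),
                       ("S_PROGRAM", {"P_GROUP": ["Z*"], "P_ACTION": ["SUBMIT"]})],
    "Z_BW_ADMIN_DISP": [("S_TABU_DIS", {"DICBERCLS": ["*"], "ACTVT": ["03"]})],
    "Z_BW_MODELER": [("S_TCODE", {"TCD": ["RSA1"]}),
                     ("S_TABU_DIS", {"DICBERCLS": ["BWC"], "ACTVT": ["03"]})],
}

def holders(roles, obj, **need):
    """Roles with a single authorization of obj covering every needed value."""
    return {r for r in roles for o, f in ROLES[r]
            if o == obj and all(any(fnmatchcase(v, pat) for pat in f.get(k, []))
                                for k, v in need.items())}

def tcode(roles, *codes):
    """Roles granting at least one of the listed transaction codes."""
    return set().union(*(holders(roles, "S_TCODE", TCD=c) for c in codes))

def both(a, b):
    """AND of two legs: satisfied only if each leg has at least one role."""
    return a | b if a and b else set()

def critical_roles(roles):
    """Evaluate the audited rule; return (table_leg_roles, access_leg_roles)."""
    table = holders(roles, "S_TABU_DIS", DICBERCLS="&NC&", ACTVT="03")
    access = (
        tcode(roles, "SE17", "SE16", "START_REPORT", "SUB%")
        | both(tcode(roles, "SC38"),
               holders(roles, "S_PROGRAM", P_GROUP="*", P_ACTION="SUBMIT"))
        | both(tcode(roles, "SE15", "SE80", "SE84", "SE85", "SE90", "SEU_INT"),
               holders(roles, "S_DEVELOP", ACTVT="03"))
        | both(tcode(roles, "SA38", "SA38PARAMETER"),
               holders(roles, "S_PROGRAM", P_ACTION="SUBMIT"))
        | both(tcode(roles, "SE38", "SEU_INT_ENH"),
               holders(roles, "S_DEVELOP", OBJTYPE="PROG", ACTVT="03"))
    )
    return (table, access) if table and access else (set(), set())
```

Because the rule is an AND of the two legs, the finding for a user clears once either returned set no longer grants its leg.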