Fiori Rapid Activation, Question about roles

RaminS
Participant
0 Kudos

We recently discovered the process of installing Fiori apps using the Rapid Activation process.

I'm wondering which team usually runs this process? The Fiori Admin, Basis, Security?

The tool creates and activates OData/app services, then it creates new Z roles as copies of SAP's business roles. Those SAP roles are wide open and have tons of authorizations with blank activities *. There is no way our Security team will allow Fiori team or Basis to run this tcode.

I'm curious to know how other organizations handle this Rapid Activation process and move it across the environments.

Would appreciate some suggestions. Thanks

AlexNecula
Active Contributor
0 Kudos

"There is no way our Security team will allow Fiori team or Basis to run this tcode."

They should allow it. No one is forced to use those roles. Just run it and let the security team create specific roles based on their internal procedures.

RaminS
Participant
0 Kudos
So the Fiori Administrator runs the Rapid Activation? or Fiori Development team? or Basis?
AlexNecula
Active Contributor
0 Kudos
I would say Fiori Administrator. You should activate only the needed roles/app bundles, not all of them, and Basis might not have that info. But it really depends on how it is decided internally. Any of them can do it as long as they have the info needed.
RaminS
Participant
0 Kudos

The problem is that the Rapid Activation tcode gives you the ability to "assign generated business roles to users", by just clicking a checkbox.

In a production stream, the Security Team does not want anyone to be able to assign roles to users, especially these SAP roles that are wide open. It's not proper practice, and it can easily lead to security issues getting out of hand.


AlexNecula
Active Contributor
0 Kudos

SAP states that the roles generated through the rapid activation are for testing purposes only. You do that step only to assign the roles in order to check that the apps are working properly, but it is not mandatory if I'm not mistaken. Tell the security team to do it themselves if they don't trust you guys to not have a checkbox selected...

Also, this should be done in the DEV system so it's not like users could ruin everything if you guys checked the box by mistake and also selected the users by mistake...

AlexNecula
Active Contributor
0 Kudos
Also, it is possible that this assignment of roles is checked for some authorizations, but I'm not sure if it's true and which authorizations. You can investigate it, and if you find something then let them know you couldn't do it even if you were ill-intentioned (if your authorizations don't allow it, of course).