I always enjoy and agree with your posts Alex, but unfounded dislike? when people ask for "spro display" and cannot take the time to articulate which areas of spro they need (in production), then it's the same as asking for s_tabu_dis / dicbercls = * and tcode = * and no security professional likes that. when using spro_admin to vacuum tcodes into roles, it ends up giving overacess and can fill roles with SoD, assuming those weird variant tcodes used in spro are even defined in a ruleset. I have found that config teams needing display access to anything in production are able to articulate what exactly they need when pressed, and as long as there is a process to temporary elevate privileges in true emergencies, then teams fall in line and we can keep the production data protected, and prevent IT staff from having super access in production.
↧