View Source

This article outlines on how to handle a request for IS users with missing access (transaction or object level) for Production systems.

This is the document given by Solvay and should be referred to get any details related to the IS User management. Also has all the details related to what roles are to be given and who are the approvers.

IMP Note : Refer to this document all the time.

IS User Document

Identifying the Tickets :

There is no specific template for this. The tickets are generally like the regular end user tickets where they may ask for additional access. As the users are already existing users, you can find them in IDM and sort them as IS User as per the roles or department.

Stellar Program > Missing access for Production systems > image2021-9-14_22-8-53.png

If it is modification request, the user already exists in SAP with the Business roles from the Document. So we can find if there are any back-end roles assigned other than the exceptions mentioned.

Approvals :

In case of any new transaction access or missing authorizations access, we will have to take approvals from the manager of the user post analysis.

Note : We cannot provide any role without the approvals as it is a production system and IS Users are not meant to have any change access in production system.

Providing the Access :

Transaction access:

If the request is for a additional transaction access which is not a part of the Business roles from the IS User Document, we need to analyse if the transaction is a display transaction or any change related transaction.
If it is a display related transaction, we need to update to Solvay for adding the transaction into the IS * STD ROLE.
You can check if the roles are part of any Exceptions as mentioned in the IS User Document and add them directly with proper approvals to the user in IDM.
If it is any change related transaction, we have to inform the IS User to access the change transaction through FFID. As IS Users cannot have access to any change transactions.

IS users have access to Firefighter Ids, through the IS * STD ROLE, this means that they can't have any access to business data in production systems (*) in update mode.

IS users, in production systems (*), have full access to display plus specific IS activities.

Authorization object access:

We can ask for SU53 and check on what is the missing access.
If it is any display access, we can ask Solvay to add them into the IS * STD ROLE.
You can check if the roles are part of any Exceptions as mentioned in the IS User Document and add them directly with proper approvals to the user in IDM.
If it is any change activity, we can ask them to access it through FFID, as any change access is restricted to the end users.

The only roles allowed are those indicated above in the exceptions list.

In addition to the mentioned Business roles in the sheet there are also few exceptions which are mentioned in the IS User Document.

The exception ones, also if present, need the specific approval of the indicated owner.

For the systems not included in the above roles list (in FF scope), the reference user could be ok.

Stellar Program > Missing access for Production systems > image2021-9-14_21-12-36.png

You can add the Priveleges from the Exceptions list or the business role if required in IDM and update the managers with the infromation.

Once done we can update the user accordingly in the ticket and resolve it.