How to Grant Appropriate Permissions for LSMW

Jimbo's picture

LSMW is a very powerful tool and many SAP Security specialists are reluctant to grant LSMW permission--rightly so! LSMW access should never be granted without a legitimate business need, and it should only be used by professionals trained in its use. This whitepaper does not address that issue; it is written for junior Security specialists who have never been faced with the need to grant LSMW access.

In a traditional test landscape there are three systems: Development (D), Quality (Q) and Production (P). There are usually multiple clients in the D and Q systems, and sometimes there are multiple clients within the P system. It is advisable to allow development only in the Development system, on the premise that freshly developed LSMW objects will be transported to Q for testing before any attempt to load data in the P system. Users in the Q and P systems should be limited to Display and Execute to prevent any attempts to develop software in either of those systems.


Recommended Permissions by Server Role

Development: B_LSMW_ALL (All Authorizations), S_DEVELOP (Modify ABAP code)
Quality: B_LSMW_SHOW (Display), B_LSMW_EXEC (Execute)
Production: B_LSMW_SHOW (Display), B_LSMW_EXEC (Execute)

Changes made in the Q system are likely to be forgotten and subsequently overwritten by more recent changes from the D system, which makes it inadvisable to grant Change permission in the Q system. It is much better to perform all development tasks in the D system and then transport the new LSMW object to the Q system for testing.
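
One way to check an exported list of assignments against the recommended permissions above, as an added example that is not part of the original whitepaper. The CSV layout, the sample rows and the choice to also accept Display and Execute in Development are assumptions.

```python
import csv
import io
from fnmatch import fnmatchcase

# Policy taken from the recommended permissions above. Accepting SHOW/EXEC in D
# is an assumption of this example (they are covered by B_LSMW_ALL anyway).
ALLOWED = {
    "D": {"B_LSMW_ALL", "S_DEVELOP", "B_LSMW_SHOW", "B_LSMW_EXEC"},
    "Q": {"B_LSMW_SHOW", "B_LSMW_EXEC"},
    "P": {"B_LSMW_SHOW", "B_LSMW_EXEC"},
}

# Constructed sample export (hypothetical layout, users and clients).
SAMPLE = """system,client,user,permission
D,100,JDOE,B_LSMW_ALL
D,100,JDOE,S_DEVELOP
Q,200,JDOE,B_LSMW_SHOW
Q,200,JDOE,b_lsmw_exec
Q,200,ASMITH,B_LSMW_ALL
P,300,ASMITH,B_LSMW_EXEC
P,300,BLEE,S_DEVELOP
P,300,BLEE,Z_FI_DISPLAY
"""

def in_scope(permission):
    # Same *lsmw* filter the SU01 steps use, plus S_DEVELOP from the D column.
    return fnmatchcase(permission, "*LSMW*") or permission == "S_DEVELOP"

def audit(export_text):
    """Return sorted (system, client, user, permission) rows that exceed the policy."""
    findings = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        system = row["system"].strip().upper()
        permission = row["permission"].strip().upper()
        if not in_scope(permission):
            continue  # unrelated entries are outside this check
        if system not in ALLOWED:
            raise ValueError(f"unknown system role: {system!r}")
        if permission not in ALLOWED[system]:
            findings.add((system, row["client"].strip(),
                          row["user"].strip().upper(), permission))
    return sorted(findings)

if __name__ == "__main__":
    for system, client, user, permission in audit(SAMPLE):
        print(f"{system}/{client}: {user} holds {permission}, not allowed here")
```
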

This whitepaper assumes that the SAP Security professional knows how to create User Accounts in SAP. The first step starts at the point where the User Account has been created. Launch transaction SU01, enter the User Account and click the Edit button.

Click on the "Profiles" tab and then click the button to display available profiles. The Profile Name box will appear.

Filter the profiles by entering *lsmw* in the Profile Name box. This will limit the list of Profiles to those that contain the phrase "LSMW". Double-click the desired profile and it will appear in the list of Profiles for the User. Repeat this step for each desired Profile. Afterward, click on the "Save" button to commit the Profiles to the User Account.

If the ability to edit the ABAP code in the LSMW object is required (and it usually is), then S_DEVELOP permissions will be required, too. The simplest tasks can be done with LSMW without ABAP, but the ability to write meaningful pre-load validation reports makes the embedded ABAP invaluable.

Note: Ensure that the user knows that he must log out of SAP and then log in again. The permissions will not be available until the client logs in again.