APO Security issue

Question: Hi Guys,

I am trying to implement APO security. (APO v. 3.1)

In R/3 the method we used to design roles was:
1. Listed down the organizational entities we would want to control
eg: company code, Business Area, profit centers, purchase org., plants etc
2. Build up roles restricting the values for these entities
3. Assign these roles to the users.

But in APO, we have only one organizational entity - Plan Version and we want to control many other values too. If we are to restrict the transaction access by location, planning book, resource etc for eg. a tcode say /sapapo/sdp94. The authorization objects that are validated against do not have a default status of check/maintain in SU24. I would have to manually change the status to check/maintain - Also then i would have to give default values for the fields of those objects. This would mean i am deviating from SAP standard way of doing things...


My question is : If i want to restrict access in demand planning module by say resource, planning book and location - Is the above said way the right way to carry on?

How is Security usually done in APO?

Regards,
VS

Answer:
There is no standard in Su24. It is a configuration table and is up to the customer to make it work the way they need it, NOT rely on SAP as they have access granted to object no end user should have. In the Add-on modules like APO the SU24 entries are abisimal at best and require your intervention.
note that moving the entry from 'C' to 'CM' means nothing as far as control goes. It is the move from 'N' to 'CM' that cause SAP to start failing the check if the user is not authorized.

Answer:
Thanks John, Your opinion is appreciated - It is good for me to start with. I was under the impression that changes done in SU24 meant deviation from the standard way of doing things..

Any idea what needs to be done during an upgrade - Would changes be overwritten by SAP Standard then.


VS.

Answer:
SU25 is your upgrade transaction for SU24, but before the upgrade use su25 to create a transport of SU24 and export it. then if you use SU25 incorrectly then you can recover by imporitng the file back into the system