
SAP_ALL profile ?

Former Member
0 Kudos

hi there,

we have 4 users with a SAP_ALL and SAP_NEW Profile. (myself included)

now we had an audit where they forced us to NOT ALLOW using of manipulate data, which means that it should NOT be allowed to use SE16N and changing data in debugging mode.

how can i achieve this ? do i have to create a lot of roles for

1 ACCEPTED SOLUTION

Former Member
0 Kudos

SAP_ALL and SAP_NEW should not be assigned to any user in the production system... Although now there is no point in reiterating the same.

However please ensure that proper authorizations are set up in the system via roles so as to avoid audit issues.

The present scenario that you quote revolves around two objects, i.e. S_DEVELOP objtyp DEBUG and authorization to object S_TABU_DIS actvt Change.

There are many more restrictions on authorizations to ensure a secure production environment.
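
Added example, not part of the original thread and not SAP code: a check for the two authorizations named in the accepted solution, run over a constructed export of user authorization values. The CSV layout, user names and authorization names are assumptions; ACTVT 02 is the activity code for Change and 03 for Display.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per field value of one authorization.
# The column layout is an assumption, not a standard SAP export format.
SAMPLE_EXPORT = """user,object,auth,field,value
ADMIN1,S_DEVELOP,AUTH_A1,OBJTYPE,*
ADMIN1,S_DEVELOP,AUTH_A1,ACTVT,*
ADMIN1,S_TABU_DIS,AUTH_A2,DICBERCLS,*
ADMIN1,S_TABU_DIS,AUTH_A2,ACTVT,*
FI_USER,S_TABU_DIS,AUTH_F1,DICBERCLS,FC01
FI_USER,S_TABU_DIS,AUTH_F1,ACTVT,03
DEV_USER,S_DEVELOP,AUTH_D1,OBJTYPE,DEBUG
DEV_USER,S_DEVELOP,AUTH_D1,ACTVT,03
DEV_USER,S_DEVELOP,AUTH_D2,OBJTYPE,PROG
DEV_USER,S_DEVELOP,AUTH_D2,ACTVT,02
"""

# Each rule: authorization object plus field values that must all be granted.
RULES = {
    "debug with change (S_DEVELOP)": ("S_DEVELOP", {"OBJTYPE": "DEBUG", "ACTVT": "02"}),
    "table change (S_TABU_DIS)": ("S_TABU_DIS", {"ACTVT": "02"}),
}

def grants(values, wanted):
    # "*" grants every value; value ranges are not handled in this sketch.
    return "*" in values or wanted in values

def find_violations(export_text):
    # Group values per single authorization: fields only combine within one.
    auths = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["user"], row["object"], row["auth"])
        auths[key][row["field"]].add(row["value"])
    hits = set()
    for (user, obj, _auth), fields in auths.items():
        for label, (rule_obj, needed) in RULES.items():
            if obj == rule_obj and all(
                    grants(fields.get(f, set()), v) for f, v in needed.items()):
                hits.add((user, label))
    return sorted(hits)

if __name__ == "__main__":
    for user, label in find_violations(SAMPLE_EXPORT):
        print(f"{user}: {label}")
```

DEV_USER is not flagged: display-only debugging and change on programs sit in separate authorizations, so neither one alone permits changing data in the debugger.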

10 REPLIES

jurjen_heeck
Active Contributor
0 Kudos

> how can i achieve this ? do i have to create a lot of roles for

Yep. It doesn't have to be "a lot", but you'll have to create roles for the activities you need for your work.

0 Kudos

that's the BIG problem !

i am using SAP_ALL for almost 8 years now ! no problem with that ! and i STILL want to use it, but we are not allowed (as of law).

i am responsible for the whole sap ! we are only 3 people for SAP here, and we do EVERYTHING !!! basis, FI/CO, HR, programming ! there is nothing we are not using

reg, Martin

0 Kudos

as i said, we are using SAP_ALL for 8 years now. and there is NO(!) reason to change this except the audit thing

well, is there a way to generate a role (or more roles) from SAP_ALL, and then change the roles ? that would be the easiest way for us.

reg, martin

0 Kudos

> well, is there a way to generate a role (or more roles) from SAP_ALL, and then change the roles ? that would be the easiest way for us.

Please use the forum search, this question has been asked several times before.

0 Kudos

i have used the search, even before my posting, but haven't found the right answer, sorry ;(

reg, martin

0 Kudos

The thread "How to remove SPRO from SAP_ALL profile" will probably get you going, even though the requirement isn't exactly the same.

0 Kudos

hi friends,

thanks for the links to other posts and so on, BUT: i still haven't found anything for my specific question:

is it possible to generate ROLES out of SAP_ALL and SAP_NEW profile ?

reg, Martin

0 Kudos

Yes it is, and discussed before, but here goes:

Go to PFCG

Create an empty single role

Go directly to the authorizations tab

Go into the profile and

select template SAP_ALL

or

do not select a template and go to edit -> insert authorization -> from profile

If your SAP_ALL is recently regenerated there's no additional value in SAP_NEW.

0 Kudos

This is a way to get around SAP_ALL profile. But still it's not recommended.

It's only a matter of time before your auditors pull you up - with a compare - all the ghosts are out !

Thanks