01-03-2009 2:19 PM
Hi Professionals,
Please help me out as I'm not a BASIS consultant but PP.....
We've created Users profile and assigned them profiles that contain a particular bunch of Transaction codes module wise.
Now we want to to create and assign such a Authorization profile to Users which will contain all Display transaction codes either related to all modules OR that particular module only say PP, MM, FI, CO etc.....
For example
MM03- Display material master
CS03- Display material BOM
CR03- Display work center
ME53N- Display Purchase requisition etc.
Is there any standard profile for that that are already provided by SAP? If it's there, how do we know that are related to what module?
Suppose if we assign such profiles, what will be implications related to future and user discipline?
Thanks & Regards,
Abu Arbab
01-03-2009 3:13 PM
Hi Abu, don't worry about being a PP consultant, most of us here are not Basis either, rather we focus on security.
There are no standard roles delivered by SAP which give this. There are standard SAP display roles but none will include all the display transactions for a module.
What you should do is get each functional team to list the dispay transactions which are used by the business processes which they have configured. There is no point in creating a display role with 500 transactions if the business processes only requires 30 transactions. Access is more usually required for business processes rather than module so you would often need to combine your modular display roles to cover a single process.
By building the roles to include the transactions you use rather than are available, you also avoid one of the mistakes often seen with using standard SAP roles - users having wider authorisations than they require to perform their job.
01-03-2009 3:13 PM
Hi Abu, don't worry about being a PP consultant, most of us here are not Basis either, rather we focus on security.
There are no standard roles delivered by SAP which give this. There are standard SAP display roles but none will include all the display transactions for a module.
What you should do is get each functional team to list the dispay transactions which are used by the business processes which they have configured. There is no point in creating a display role with 500 transactions if the business processes only requires 30 transactions. Access is more usually required for business processes rather than module so you would often need to combine your modular display roles to cover a single process.
By building the roles to include the transactions you use rather than are available, you also avoid one of the mistakes often seen with using standard SAP roles - users having wider authorisations than they require to perform their job.
01-06-2009 10:37 AM
Hi Alex,
Thanks for your comments. That's the right and secured that you enlightened.
Best Regards,
Abu Arbab