
what roles does sap_all have?

MPGraziano
Participant
0 Kudos

I am trying to put together a plan of auditing our current sap landscape security.

What I would like is a tool/transaction that would tell me what roles sap_all has, or privileges it has, etc.

Please feedback

Maria

Accepted Solutions (1)


MPGraziano
Participant
0 Kudos

This is all very good information, and very valuable

but I still don't think I have found out HOW to find all roles that sap_all has access to?

Former Member
0 Kudos

Maria, go to SUIM. Then go to User Information System - Profiles - By Profile Name or Text. (execute)

In the selection screen enter SAP_ALL (Profile) and F8. Then double click in SAP_ALL (that's the only entry).

You will get all the single profiles contained in SAP_ALL (which is a composite profile) and the authorization objects for each profile.

Good luck,

former_member187565
Active Contributor
0 Kudos

Hi Maria,

Look, sap_all is a SAP delivered standard profile and not associated with any roles. That is the main point. Now, for your doubt, I just mentioned something here. There are three types of profile in SAP:

* SAP profiles: these are delivered by SAP, e.g. SAP_ALL & SAP_NEW. These are not associated with any role.

* Manual profiles: these are created manually. Here also the concept of role is not present. You can create this profile with the help of su02.

But nowadays this profile is no longer used.

* Generated profiles: when we create a role, we get a workspace to maintain authorizations via PFCG. Once we maintain the values for the objects and ORG values (if any) we desire, we can generate the role, which gives us a generated profile.

Again, with the help of su01 you are able to assign SAP profiles & manual profiles to a user. But you can't assign a generated profile directly from su01. You are not even able to maintain the generated profiles.

Hope you find your answer.

MPGraziano
Participant
0 Kudos

Yes, thank you, I am pretty clear on the sap_all and sap_new.

I was just digging (for my colleague), thinking there could have been a breakdown somewhere that would describe what ALL the sap_all role is capable of doing.

I know there are some roles, i.e. for SOLMAN, that are restricted and need to be specifically assigned (SAP_S_RECALC) etc.

Maria

former_member185954
Active Contributor
0 Kudos

Hello,

SAP_ALL is not a role, it's an authorisation profile.

This profile has authorisation to do virtually everything in the system.

It is a SUPER PROFILE which allows a user to access all areas.

SAP_NEW is generally provided along with SAP_ALL.

The reason is during release upgrades or any kind of patch which delivers any new authorisation object.

SAP_NEW profile will have the authorisation object with full authorisation.

Regards,

Siddhesh

Former Member
0 Kudos

Hi,

I don't think you can see what roles are there under sap_all; it's a profile, not a role. You can see what objects are there under it through SUIM, but not roles. I don't think you can see roles for any profile. Please correct me if I am wrong.

MPGraziano
Participant
0 Kudos

You are correct, sap_all is a profile.

Thank you all

m.

former_member185954
Active Contributor
0 Kudos

The concept of roles came in the time of SAP R/3 4.0B before which there were only authorisation profiles.

Authorisation profiles contain authorisation object instances.

Authorisation objects contain the actual authorisation information which is checked in the code.

so it is like this....

User profile -> Composite Roles -> Single Role(s) -> Authorisation Profile(s) -> Authorisation Objects

I hope it makes things clear now.

Regards,

Siddhesh

Answers (3)


Former Member
0 Kudos

hi Maria

This composite profile contains all SAP authorizations, meaning that a user with this profile can perform all tasks in the SAP system. You should therefore not assign this authorization profile to any of your users. We recommend that you create only one user with this profile. You should keep the password of this user secret (store it in a safe) and only use it in emergencies (see also Protective Measures for SAP*).

Instead of using the SAP_ALL profile, you should distribute the authorizations it contains to the appropriate positions. For example, instead of assigning your system administrator (or superuser) the authorization SAP_ALL, assign him or her only those that apply to system administration, namely the S_* authorizations. These authorizations give him or her enough rights to administer the entire SAP system, without allowing him or her to perform tasks in other areas such as Personnel Area.

Hope this helps

thx

shilpa
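The SUIM drill-down described in this thread (composite profile, then single profiles, then authorization objects) and the "only one user with this profile" recommendation above can also be checked offline against exported data. This is an added example and not part of any post in the thread; the row layouts, the Z_* profile names, the user names and the watched-profile list are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample rows, not real system data; the column layout is assumed.
COMPOSITE_ROWS = [  # (composite profile, contained profile)
    ("SAP_ALL", "Z_ALL_BASIS"),
    ("SAP_ALL", "Z_ALL_HR"),
    ("Z_ALL_HR", "Z_ALL_HR_PAY"),  # hypothetical nested composite
]
SINGLE_ROWS = [  # (single profile, authorization object)
    ("Z_ALL_BASIS", "S_TCODE"), ("Z_ALL_BASIS", "S_USER_GRP"),
    ("Z_ALL_HR_PAY", "P_ORGIN"), ("Z_DISPLAY", "S_TCODE"),
]
USER_ROWS = [  # (user, directly assigned profile)
    ("EMERGENCY01", "SAP_ALL"), ("JSMITH", "Z_DISPLAY"),
    ("BATCH_ADM", "SAP_ALL"), ("BATCH_ADM", "SAP_NEW"),
]

def expand_profile(profile, composite_rows, single_rows):
    """Return (single profiles, authorization objects) reachable from profile."""
    children, objects_of = defaultdict(set), defaultdict(set)
    for parent, child in composite_rows:
        children[parent].add(child)
    for prof, obj in single_rows:
        objects_of[prof].add(obj)
    singles, objects, seen, stack = set(), set(), set(), [profile]
    while stack:
        cur = stack.pop()
        if cur in seen:  # guard against cyclic nesting in a bad export
            continue
        seen.add(cur)
        if cur in objects_of:
            singles.add(cur)
            objects |= objects_of[cur]
        stack.extend(children.get(cur, ()))
    return sorted(singles), sorted(objects)

def holders(user_rows, watched=("SAP_ALL", "SAP_NEW")):
    """Map each watched profile to the users that hold it directly."""
    found = {p: set() for p in watched}
    for user, prof in user_rows:
        if prof.upper() in found:
            found[prof.upper()].add(user)
    return {p: sorted(u) for p, u in found.items()}

def audit(user_rows, limit=1):
    """Return watched profiles assigned to more than `limit` users."""
    return {p: u for p, u in holders(user_rows).items() if len(u) > limit}

if __name__ == "__main__":
    print(expand_profile("SAP_ALL", COMPOSITE_ROWS, SINGLE_ROWS))
    print(audit(USER_ROWS))
```
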

MPGraziano
Participant
0 Kudos

Thank You, but I have seen this transaction before but not sure on how to find the information I need with suim?

maria

manu_susankar
Active Contributor
0 Kudos

Hi Maria Graziano,

Check the help below; it would guide:

http://help.sap.com/saphelp_erp2004/helpdata/EN/52/671261439b11d1896f0000e8322d00/frameset.htm

Regards,

S.Manu.

Former Member
0 Kudos

Try with transaction SUIM. There are many queries by profile (i.e. Profiles - By profile name or text) that can give you lots of information (single profiles, authorization objects, etc.)

Hope it helps you.