06-25-2009 12:58 PM
Hi All,
Can any one tell me how to assign display authorization for all modules like sd, ps, mm, fico ,hr ..
is there any profile available for that ???
any idea would be great.
Thank for ur help in advance.
Regards,
Venki
06-29-2009 3:50 PM
Hi Venkat,
You can do one thing to achieve.
Make a copy of SAP_ALL (SAP Standard Profile) and change the activity level to 03 (Display) only in all the authorisation object. We had successfully done this at our implementation site
Hope this will help.
Cheers
Lokendra
06-25-2009 1:03 PM
It is not possible to restrict a user to display in all modules (i.e. SAP_ALL but restricted to display).
You can create a role with full authorization and restrict authorizations afterwards to display. But you can't be sure, that every transaction checks authorizations in a right manner. There are some transactions (especially in customizing) without sufficient authorization checks. Therefore your role will grant access to this transaction and you can change data.
06-25-2009 1:12 PM
Hi,
No such profiles are available for it..
You can get the authorization object the modules from suim.
SUIM -- > Authorization objects --> choose any field -- > then execute. no need to put any field valued..
Regards,
Sandip
06-25-2009 1:19 PM
Hi Sandeep,
Can u explain in deatail u mean to say that we can restirct for one module ???
06-25-2009 2:12 PM
Hi,
You can create a Custom project and assign this to a role. The positive aspect of creating a Project is that you can add your own defined access to bottom point of each node for any module. Generate the project whenever you are changing the content and for authorization value concern, please find the list of activities permitted for each object from TACTZ. Then provide only Display activities for the same in the role.
Regards,
Dipanjan
06-26-2009 8:59 AM
Hi Dipanjan,
We can get Display authorization for all module, add "S_A.SHOW" in user profile. Am I correct?
Regards,
Ujjal Ghosh
06-29-2009 6:36 AM
No,
S_A.SHOW is for basis only and does not grant only display access (for instance S_RFC with full auth, S_TCODE with S* ,....)
b.rgds, Bernhard
06-26-2009 7:54 AM
Hi Venki,
this quesiton has been asked in this forum already several times. Kindly consider to use the search function. Thank you,
b.rgds,
Bernhard
06-29-2009 3:50 PM
Hi Venkat,
You can do one thing to achieve.
Make a copy of SAP_ALL (SAP Standard Profile) and change the activity level to 03 (Display) only in all the authorisation object. We had successfully done this at our implementation site
Hope this will help.
Cheers
Lokendra
12-07-2009 2:34 PM
Hello Lokendra,
Appreciate the hard work which you done for creating a copy of SAP_ALL with display access only. Will it be possible for you to share the details how to do it.
SAP_ALL has around 15 profiles (&_SAP_ALL_00 to 15) assigned to itself - each of these profiles have several objects assigned....
So which approach you have taken to achieve this. Are these profiles assigned to SAP_ALL are segregated based on functional area. Is there any specific Basis profile assigned to SAP_ALL.
Would highly appreciate your inputs.
And best would be if you can share the created copy of SAP_ALL with SDN users - hope moderators wouldn't mind this sharing.
Best Regards
Davinder
12-07-2009 5:34 PM
> And best would be if you can share the created copy of SAP_ALL with SDN users - hope moderators wouldn't mind this sharing.
Davinder,
I'm afraid you're chasing ghosts here, as have many before you and I'm afraid it will not stop here.
The reason a search didn't bring up an easy solution (see your other thread, ) is because there's no easy way to get to a display only role.
Some thoughts:
1- The amount of authorization objects varies from system to system, due to patch levels and installed add-ons so sharing a role built on a 'strange' system will have it's flaws and due to the amount of objects in SAP_ALL or a copy will make it very difficult to spot those.
2- There are somewhere between 150-200 different activity related fields in an ECC systems' authorization objects and for quite a few 03 is not display. Some do not have a display activity. See below as well.
3- There are a lot of objects that do not have any activity related field so putting them in a role and claiming it is read-only is downright dangerous.
To create proper display roles you will need to get requirements from the business, not only to build the roles but also to be able to test them. I've seen long lasting discussions whether printing is a display activity or not......
Jurjen
12-07-2009 9:03 PM
>I've seen long lasting discussions whether printing is a display activity or not......
It is display
No it's not
Yes it is.
Damn, confused again.
It's a good job Schrödinger didn't use SAP, there would be no display transactions (or something like that)