Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

revoke privilege of SAP accounts

Go to solution
Former Member

‎07-10-2009 5:34 AM

0 Kudos

Hi all,

I created SAP accounts with SAP_ALL profile. Now, I want to revoke some privilege of these accounts. Can you guide me T-codes need to revoke? And how to revoke it?

Thanks

duypm

1 ACCEPTED SOLUTION

Go to solution
jurjen_heeck
Active Contributor

‎07-10-2009 12:23 PM

0 Kudos

> I created SAP accounts with SAP_ALL profile.

So, you've got quite some superusers

> Now, I want to revoke some privilege of these accounts.

Take away SAP_ALL and give them relevant roles instead. You will have to design and build those roles first.

> Can you guide me T-codes need to revoke?

Tcodes are entry-points only. Dissalowing or blocking tcodes has nothing to do with security

> And how to revoke it?

You don't revoke in SAP. You allow the activities users need for their work. Build roles. Editing SAP_ALL is a big nono as it may be regenerated with a single mouseclick.......

> Thanks

You're welcome (to use the forum search as this subject has been discussed several times before.)

13 REPLIES 13

Go to solution
Former Member

‎07-10-2009 5:40 AM

0 Kudos

Hi

Check this [Link|http://sap.ittoolbox.com/groups/technical-functional/sap-basis/locking-standard-transaction-1095512?cv=expanded]

Regards

Uday

Go to solution
former_member603052
Contributor

‎07-10-2009 11:14 AM

0 Kudos

Hi,

SAP_ALL profile will be given for only administrators and not for all users.

For other users we have to create roles (with the transaction codes the use) using Transaction PFCG and assign to users.

Check this out [http://help.sap.com/saphelp_banking463/helpdata/en/52/6714b6439b11d1896f0000e8322d00/content.htm]

Regards,

Kalyan

Go to solution
Former Member
In response to former_member603052

‎07-10-2009 12:48 PM

0 Kudos

> 

> SAP_ALL profile will be given for only administrators and not for all users.

Administrators do not need SAP_ALL

Go to solution
jurjen_heeck
Active Contributor
In response to former_member603052

‎07-10-2009 12:55 PM

0 Kudos

> Administrators do not need SAP_ALL

Oh, man, now you've ruined it for all of us! What if my boss read s this?

Go to solution
Former Member
In response to former_member603052

‎07-10-2009 1:08 PM

0 Kudos

> 

> > Administrators do not need SAP_ALL
> Oh, man, now you've ruined it for all of us! What if my boss read s this?

lol

Go to solution
jurjen_heeck
Active Contributor

‎07-10-2009 12:23 PM

0 Kudos

> I created SAP accounts with SAP_ALL profile.

So, you've got quite some superusers

> Now, I want to revoke some privilege of these accounts.

Take away SAP_ALL and give them relevant roles instead. You will have to design and build those roles first.

> Can you guide me T-codes need to revoke?

Tcodes are entry-points only. Dissalowing or blocking tcodes has nothing to do with security

> And how to revoke it?

You don't revoke in SAP. You allow the activities users need for their work. Build roles. Editing SAP_ALL is a big nono as it may be regenerated with a single mouseclick.......

> Thanks

You're welcome (to use the forum search as this subject has been discussed several times before.)

Go to solution
Former Member

‎07-11-2009 6:43 AM

0 Kudos

Hi,

There will be some predfined SAP roles available in SAP. You can create new set of roles by copying them. The predefined roles will start with the name SAP.

Don't try to change those profiles but u can copy them and modifiy user defined roles. Usually user dfined roles will have the convention Z* or Y*.

Else get a list of tcodes needed from the users (functional consultant) and create new roles according to your requirement using the code PFCG. Unwanted access may even bring down the system so remove the access available to the users ASAP.

Regards.

Varadhu...

Go to solution
former_member701183
Active Participant

‎07-11-2009 9:18 AM

0 Kudos

Hi,

Never user SAP_ALL profile for users in the system. Try building roles to provide access. First try to copy and then customise the available SAP roles or check with Admin or func guys the transactions needed as design roles keeping SoD in mind. Check and let us know if any issue.

Regards

Aveek.

Go to solution
Former Member

‎07-13-2009 10:26 AM

0 Kudos

Hi,

Do not assign SAP_ALL, SAP_ NEW profiles to users. Create proper roles function wise and assign to users. SAP has provided template you can take help of them.

Regards,

Digambar

Go to solution
Former Member

‎07-15-2009 4:44 AM

0 Kudos

Hi all,

SAP_ALL and SAP_NEW profile aren't assigned to users.

So now, I need to assign to users belong to FI module. Which profiles, roles, T-codes must I assign to these users?

Thanks

Duypm

Go to solution
Former Member
In response to Former Member

‎07-15-2009 4:50 AM

0 Kudos

For FI Module,

Check with your BASIS & Security consultant, if there are FIALL and COALL roles created.

If not, check if there is something similar.

However, if your FM is a business guy he should not have FIALL/COALL.

Let me know,If it helps..

Regards

Vikas rana

Go to solution
Former Member

‎07-15-2009 5:49 AM

0 Kudos

Hi

you need to check with your FI team which t codes they require.. like for posting G/L a/c etc etc .

Always provide the t codes as per the requirement by the required teams, one should not provide SAP_All ..

Thx

Mysterious

Go to solution
Former Member

‎08-19-2009 5:10 AM

0 Kudos

Hi all,

I understood the issue.

Thanks

Duypm