07-10-2009 5:34 AM
Hi all,
I created SAP accounts with SAP_ALL profile. Now, I want to revoke some privilege of these accounts. Can you guide me T-codes need to revoke? And how to revoke it?
Thanks
duypm
07-10-2009 12:23 PM
> I created SAP accounts with SAP_ALL profile.
So, you've got quite some superusers
> Now, I want to revoke some privilege of these accounts.
Take away SAP_ALL and give them relevant roles instead. You will have to design and build those roles first.
> Can you guide me T-codes need to revoke?
Tcodes are entry-points only. Dissalowing or blocking tcodes has nothing to do with security
> And how to revoke it?
You don't revoke in SAP. You allow the activities users need for their work. Build roles. Editing SAP_ALL is a big nono as it may be regenerated with a single mouseclick.......
> Thanks
You're welcome (to use the forum search as this subject has been discussed several times before.)
07-10-2009 5:40 AM
Hi
Check this [Link|http://sap.ittoolbox.com/groups/technical-functional/sap-basis/locking-standard-transaction-1095512?cv=expanded]
Regards
Uday
07-10-2009 11:14 AM
Hi,
SAP_ALL profile will be given for only administrators and not for all users.
For other users we have to create roles (with the transaction codes the use) using Transaction PFCG and assign to users.
Check this out [http://help.sap.com/saphelp_banking463/helpdata/en/52/6714b6439b11d1896f0000e8322d00/content.htm]
Regards,
Kalyan
07-10-2009 12:48 PM
>
> SAP_ALL profile will be given for only administrators and not for all users.
Administrators do not need SAP_ALL
07-10-2009 12:55 PM
> Administrators do not need SAP_ALL
Oh, man, now you've ruined it for all of us! What if my boss read s this?
07-10-2009 1:08 PM
>
> > Administrators do not need SAP_ALL
> Oh, man, now you've ruined it for all of us! What if my boss read s this?
lol
07-10-2009 12:23 PM
> I created SAP accounts with SAP_ALL profile.
So, you've got quite some superusers
> Now, I want to revoke some privilege of these accounts.
Take away SAP_ALL and give them relevant roles instead. You will have to design and build those roles first.
> Can you guide me T-codes need to revoke?
Tcodes are entry-points only. Dissalowing or blocking tcodes has nothing to do with security
> And how to revoke it?
You don't revoke in SAP. You allow the activities users need for their work. Build roles. Editing SAP_ALL is a big nono as it may be regenerated with a single mouseclick.......
> Thanks
You're welcome (to use the forum search as this subject has been discussed several times before.)
07-11-2009 6:43 AM
Hi,
There will be some predfined SAP roles available in SAP. You can create new set of roles by copying them. The predefined roles will start with the name SAP.
Don't try to change those profiles but u can copy them and modifiy user defined roles. Usually user dfined roles will have the convention Z* or Y*.
Else get a list of tcodes needed from the users (functional consultant) and create new roles according to your requirement using the code PFCG. Unwanted access may even bring down the system so remove the access available to the users ASAP.
Regards.
Varadhu...
07-11-2009 9:18 AM
Hi,
Never user SAP_ALL profile for users in the system. Try building roles to provide access. First try to copy and then customise the available SAP roles or check with Admin or func guys the transactions needed as design roles keeping SoD in mind. Check and let us know if any issue.
Regards
Aveek.
07-13-2009 10:26 AM
Hi,
Do not assign SAP_ALL, SAP_ NEW profiles to users. Create proper roles function wise and assign to users. SAP has provided template you can take help of them.
Regards,
Digambar
07-15-2009 4:44 AM
Hi all,
SAP_ALL and SAP_NEW profile aren't assigned to users.
So now, I need to assign to users belong to FI module. Which profiles, roles, T-codes must I assign to these users?
Thanks
Duypm
07-15-2009 4:50 AM
For FI Module,
Check with your BASIS & Security consultant, if there are FIALL and COALL roles created.
If not, check if there is something similar.
However, if your FM is a business guy he should not have FIALL/COALL.
Let me know,If it helps..
Regards
Vikas rana
07-15-2009 5:49 AM
Hi
you need to check with your FI team which t codes they require.. like for posting G/L a/c etc etc .
Always provide the t codes as per the requirement by the required teams, one should not provide SAP_All ..
Thx
Mysterious
08-19-2009 5:10 AM