06-24-2011 5:44 AM
Dear All,
We're in the process of controlling authorizations for our internal SAP Support Team. Earlier we had a very small team and we all used to wear many hats, so we had given the SAP_ALL profile to all consultants.
Now, we want to restrict the SAP_ALL profile and give default composite profiles to our consultants. The problem is that I'm unable to get the names of all the profiles on the net. Can anyone suggest where I can find default composite profiles for
1. MM
2. PP
3. QM
4. FICO
5. SD
6. ABAP
Any help in this regard would be really appreciated.
Thanks,
Kind Regards,
Tejasav Kalra
06-24-2011 6:33 AM
Hi,
You have to create separate roles for each module and assign them to the respective users.
There is no module-specific profile in SAP.
Regards,
Nisit
06-24-2011 7:59 AM
Hi,
Yes, as Nisit mentioned, create a separate role wrt each of the function modules and assign it to the end users.
This will minimize the workload, and maintenance would also be easy.
Regards,
Vinod.
06-24-2011 8:35 AM
Dear Nisit/Vinod,
Thanks for taking time out for replying to my query.
I agree with both of you, but I have to give rights to SAP Consultants who are giving SAP Support.
The problem is they need all end user authorizations that are possible for their modules, along with the SPRO rights and the T-Codes that begin with 'O-' which can be accessed by SPRO.
Is there any solution to this?
Regards,
Tejasav Kalra
Edited by: Tejasav.Kalra on Jun 24, 2011 11:17 AM
06-24-2011 1:37 PM
Is this for production or non-production access? Your approach will be different depending on which part of the landscape.
06-27-2011 2:42 PM
Hi,
An alternative is to make them use FF / SPM. You can keep a relatively high level of access in there, and all actions are recorded.
Over time you can review usage to further redefine access if desired. Also gives you more time to develop a superuser role authorisation concept, which you should be doing to properly define all types of superuser access, per business area - which could still be put in FF / SPM for SAP support users.
Cheers
Steve
Edited by: Steve Bodell on Jun 27, 2011 3:42 PM
07-02-2011 10:01 AM
Sorry for replying late!
Dear Alex,
This is for production access. Please let me know what you'd suggest.
Dear Steve,
Please tell me about FF/SPM. We haven't come across this before.
Regards,
Tejasav Kalra
07-02-2011 1:03 PM
Hi,
You have 2 contradictory statements. You are referring to functional end user roles, and asking how SPRO authorization should be given to them.
Please note the points below:
1. No functional end user will deal with configuration changes.
2. The support users will have to make the majority of the configuration changes in the Development environment and transport them to the other systems in the landscape. (The other experts are referring to FF/SPM - called Firefighter/Super User Privilege Manager - to address any critical issues on a firefighting basis in a controlled environment. This is a part of GRC AC solutions.)
3. SPRO and IMG Administration settings should not be given to any users.
Composite profiles are collective profiles and give wider access. You should first identify the business process and identify the transaction codes that are required for each individual LOB (Line of Business). Further, roles should be built with these transaction codes.
Hope this answers your questions.
Regards,
Raghu
07-04-2011 7:49 AM
this is for production access. please let me know what you'd suggest.
Hi,
In that case I suggest you follow Raghu's recommendation to build specific roles for the users based on the minimum they need to be able to perform their operational activities.
07-05-2011 7:12 AM
Perhaps it would be a solution to give the consultants the same roles as the end users. After that you can additionally give them roles with the transactions they need for their extended work.
For SPRO you can build projects in SPRO_ADMIN to differentiate between the different modules or nodes in SPRO.
Regards,
Julia
07-05-2011 9:20 PM
SAP delivers some roles for this as well.
For example, for ABAP & transport system: SAP Note 1118396 (https://service.sap.com/sap/support/notes/1118396).
Cheers,
Julius