Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Composite Profiles for SAP Consultants

Former Member

‎06-24-2011 5:44 AM

0 Kudos

Dear All,

We're in the process of controlling authorizations for our internal SAP Support Team. Earlier we had a very small team and we all used to wear many hats. so we had given SAP_ALL profile to all consultants.

Now, we want to restrict SAP_ALL profile and give default composite profiles to our consultants. the problem is that i'm unable to get the names of all the profiles on the net. Can anyone suggest where can i find default composite profiles for

1. MM

2. PP

3. QM

4.FICO

5. SD

6. ABAP

Any help in this regard would be really appreciated.

Thanks,

Kind Regards,

Tejasav Kalra

10 REPLIES 10

Former Member

‎06-24-2011 6:33 AM

0 Kudos

Hi,

You have to create seprate roles for each module and assigne to respective users.

There is no module specific profile in sap.

Regards,

Nisit

Former Member

‎06-24-2011 7:59 AM

0 Kudos

Hi,

Yes, as Nisit mentioned create seperate role wrt each of the function module and assign it to the end users.

This will minimizes the work load and maintainence would aslo be easy.

regards,

Vinod.

Former Member
In response to Former Member

‎06-24-2011 8:35 AM

0 Kudos

Dear Nisit/Vinod,

Thanks for taking time out for replying to my query.

I agree with both of you. but i have to give rights to SAP Consultants who are giving SAP Support.

the problem is they need all end user authorizations that are possible for their modules alongwith the SPRO--rights. and the T-Codes that begin with 'O-' which can be accessed by SPRO.

Is there any solution to this?

Regards,

Tejasav Kalra

Edited by: Tejasav.Kalra on Jun 24, 2011 11:17 AM

Former Member
In response to Former Member

‎06-24-2011 1:37 PM

0 Kudos

Is this for production or non-production access? Your approach will be different depending on which part of the landscape

Former Member

‎06-27-2011 2:42 PM

0 Kudos

Hi,

An alternative is to make them use FF / SPM. Yo ucan keep a relatively high level of access in there, and all actions are recorded.

Over time you can review usage for more redefine access if desired. Also gives you more time to develop a superuser role authorisation concept, which you should be doing to properly define all types of superuser access, per business area - which could still be put in FF / SPM for SAP support users.

Cheers

Steve

Edited by: Steve Bodell on Jun 27, 2011 3:42 PM

Former Member

‎07-02-2011 10:01 AM

0 Kudos

Sorry for replying late!

Dear Alex,

this is for production access. please let me know what you'd suggest.

Dear Steve,

Please tell me about ff/spm. we haven't come across this before.

Regards,

Tejasav Kalra

Former Member
In response to Former Member

‎07-02-2011 1:03 PM

0 Kudos

Hi,

You have 2 contradictory statements. You are referring to functional end user roles, and asking on how SPRO authorization should be given to them.

Please note the points below:

1. No functional end user will deal with configuration changes.

2. The support users will have to make majority of the configuration changes in the Development environment and transport them to the other systems in the landscape. (The other experts are referrring to FF/SPM - Called as Firefighter/Super User Privilege Manager to address any critical issues on Firefighting basis in a controlled environment. This is a part of GRC AC solutions).

3. SPRO and IMG Administration settings should not be given to any users.

Composite profiles are collective profiles and gives wider access. You should first identify the business process and identify the transaction codes that are required for individual LOB (Line of Business). Further, roles should be build with these transaction codes.

Hope this answers your questions.

Regards,

Raghu

Former Member
In response to Former Member

‎07-04-2011 7:49 AM

0 Kudos 
 this is for production access. please let me know what you'd suggest.

Hi,

In that case I suggest you follow Raghu's recommendation to build specific roles for the users based on the minimum they need to be able to perform their operational activities.

Former Member
In response to Former Member

‎07-05-2011 7:12 AM

0 Kudos

Perhaps it would be a solution to give the consultants the same roles like the end-users. After that you can give them additionally roles with the transactions, they need for their extended work.

For SPRO you can build projects in SPRO_ADMIN to differentiate between the different modules or nodes in SPRO.

Regards,

Julia

Former Member

‎07-05-2011 9:20 PM

0 Kudos

SAP delivers some roles for this as well.

For example, for ABAP & transport syst[SAP Note 1118396|https://service.sap.com/sap/support/notes/1118396] .

Cheers,

Julius