Role

Former Member
0 Kudos

Dear Gurus,

Is there any standard role in 4.6 to display all transactions?

If not, how can we achieve it?

Thanks in advance

senthil

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

You can create a new role using SAP_ALL and SAP_ALL_DISPLAY profiles....

insert second profile in "insert authorizations from change auth data tab"

maintain the values and generate profile...

First profile is too tedious; you need to maintain lots of fields

regards

jag

10 REPLIES

morten_nielsen
Active Contributor
0 Kudos

Hi

You won't find any Display all role.

Creating a display all role won't be a simple job. I have got a few tricks that could help you a bit along the way.

The key authorization field in question is actvt. So what you can do is

1. Create and generate a role based on the profile SAP_ALL

2. Download this role to your PC

3. Open the role with notepad

4. Search for 'ACTVT * ' (with the exact number of spaces between ACTVT and * - and a space after * as well)

5. Replace it with "ACTVT 03"

Please make sure that when you do the replace, you're not altering the positions of any other text string in the file.

6. Now upload it again to the profile generator - and generate the role.

But !!! Please notice that actvt isn't the only field you need to change in order to create a display only role - you will still need to go through the HR and the basis authorizations - no easy way here - and there still could be extra objects that need to be maintained.

Regards

Morten Nielsen

0 Kudos

You also have to be careful with S_TCODE since creating a role based upon SAP_ALL will mean that auth object is an * and there are a number of tcodes where there is no associated auth object, which means that you'll be able to execute it even if it's not a display tcode.
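The search-and-replace from the two posts above, done so that column positions cannot shift, as an added example that is not part of the original thread. The fixed-width "object, field, value" layout and the sample lines are constructed assumptions, since the real download format is not shown here; the function also lists every field still set to `*` (S_TCODE included) for manual maintenance.

```python
import re

# Constructed sample; the real download layout is not shown in the thread, so
# this "object  field  value" fixed-width layout is an assumption.
SAMPLE = [
    "S_TCODE     TCD        *                   ",
    "F_BKPF_BUK  ACTVT      *                   ",
    "F_BKPF_BUK  BUKRS      *                   ",
    "P_ORGIN     AUTHC      *                   ",
    "S_DEVELOP   ACTVT      *",  # no trailing space: cannot be swapped in place
]

# "* " (two characters) becomes "03" (two characters), so nothing moves.
ACTVT_STAR = re.compile(r"(\bACTVT +)\* ")
# Any line whose value column is still a bare wildcard after the rewrite.
STILL_STAR = re.compile(r"^(\S+) +(\S+) +\*\s*$")


def restrict_actvt(lines):
    """Return (rewritten_lines, review).

    review lists the (object, field) pairs that still carry '*' and therefore
    need manual maintenance before the role can be called display-only.
    """
    rewritten, review = [], []
    for line in lines:
        new = ACTVT_STAR.sub(lambda m: m.group(1) + "03", line)
        if len(new) != len(line):
            # Guard against shifting any other text string in the file.
            raise ValueError("replacement changed line length: %r" % line)
        rewritten.append(new)
        m = STILL_STAR.match(new)
        if m:
            review.append((m.group(1), m.group(2)))
    return rewritten, review


if __name__ == "__main__":
    rewritten, review = restrict_actvt(SAMPLE)
    for line in rewritten:
        print(repr(line))
    print("still wildcard, review manually:")
    for obj, field in review:
        print("  %s / %s" % (obj, field))
```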

former_member912992
Participant
0 Kudos

Hi Senthil,

Have you tried to make a copy of roles:

SAP_ALL_DISPLAY

SAP_ALL_HR_ONLY

SAP_ALL_RESTRICTED

?

To be honest, I haven't...

Regards,

Agoes

0 Kudos

SAP_ALL_DISPLAY

SAP_BC_DWB_WBDISPLAY

SAP_CA_CL_DISPLAY

SAP_CA_DMS_DISPLAY

SAP_CO_OM_JOB_INTORDER_DISPLAY

SAP_CO_OM_OBJECT_DISPLAY

SAP_CO_PA_BASICDATA_DISPLAY

SAP_CO_PC_ACT_MATERIAL_DISPLAY

SAP_CO_PEREND_DISPLAY

SAP_CS_AG_CUST_ORDER_DISPLAY

SAP_CS_AG_WARRANTIES_DISPLAY

SAP_CS_SE_DISPLAY_NOTIF_ORDERS

SAP_EC_PCA_MODEL_TP_DISPLAY

SAP_EC_PCA_OBJECT_DISPLAY

SAP_FI_AP_DISPLAY_BALANCES

SAP_FI_AP_DISPLAY_CHECKS

SAP_FI_AP_DISPLAY_DOCUMENTS

SAP_FI_AP_DISPLAY_MASTER_DATA

SAP_FI_AP_DISPLAY_PARKED_DOCUM

SAP_FI_AR_DISPLAY_CREDIT_INFO

SAP_FI_AR_DISPLAY_CUST_INFO

SAP_FI_AR_DISPLAY_DOCUMENTS

SAP_FI_AR_DISPLAY_MASTER_DATA

SAP_FI_AR_DISPLAY_PARKED_DOCUM

SAP_FI_BL_CHECK_MGMENT_DISPLAY

SAP_FI_FM_BU_DISPLAY

SAP_FI_FM_MD_DISPLAY

SAP_FI_GL_DISPLAY_ACCT_BALANCE

SAP_FI_GL_DISPLAY_DOCUMENTS

SAP_FI_GL_DISPLAY_MASTER_DATA

SAP_FI_GL_DISPLAY_PARKED_DOCUM

SAP_FI_SL_DISPLAY_DOCUMENTS

SAP_FI_SL_DISPLAY_PLAN

SAP_ISR_LE_BASIC_DATA_DISPLAY

SAP_ISR_MATERIAL_DISPLAY

SAP_ISR_MERCH_CAT_DISPLAY

SAP_ISR_SITE_DISPLAY

SAP_LE_BASIC_DATA_DISPLAY

SAP_LE_INB_DELIVERY_DISPLAY

SAP_LE_OUTB_DELIVERY_DISPLAY

SAP_LE_TMS_DISPLAY

SAP_LO_BM_BATCH_DATA_DISPLAY

SAP_LO_MD_BOM_DISPLAY

SAP_LO_MD_CUSTOMER_DISPLAY

SAP_LO_MD_MM_MATERIAL_DISPLAY

SAP_LO_MD_SERIAL_NO_DISPLAY

SAP_LO_MD_VENDOR_DISPLAY

SAP_LO_PP_RTG_DISPLAY

SAP_LO_PP_WRKC_DISPLAY

SAP_LO_SD_BILLING_DISPLAY

SAP_LO_SD_INFORMATION_DISPLAY

SAP_LO_SD_PRICING_DISPLAY

SAP_LO_SD_SALES_DISPLAY

SAP_MM_IM_DISPLAY

SAP_MM_PUR_DISPLAY_OBJECTS

SAP_PM_EQM_EQUIPMENT_DISPLAY

SAP_PM_EQM_FUNC_LOC_DISPLAY

SAP_PM_EQM_MEAS_POINTS_DISPLAY

SAP_PM_PRM_MAIN_PLANS_DISPLAY

SAP_PM_PRM_TASKS_LISTS_DISPLAY

SAP_PM_WOC_MEAS_DOC_DISPLAY

SAP_PM_WOC_ORDER_DISPLAY

SAP_PP_BD_RTG_DISPLAY

SAP_PP_BD_WKC_DISPLAY

SAP_PS_DATES_DISPLAY

SAP_PS_DOCUMENTS_DISPLAY

SAP_QM_IM_COSTS_DISPLAY

SAP_QM_PT_CHANGE_MANAG_DISPLAY

SAP_QM_PT_LOG_MASTER_DISPLAY

SAP_QM_PT_MAT_MANAG_DISPLAY

SAP_QM_QN_NOTIF_DISPLAY

0 Kudos

Well there was the need to create such a thing once. Therefore, I got one - if you want it, I can send it.

0 Kudos

Basic question is WHY. No functional or business consultant has ever been able to convince us of the need for such wide access.

General finding is that they do not know what they really need in SAP so let them go back to the drawing board and rethink the access needed from a functional point of view.

0 Kudos

But there are some people who do not know what they don't know yet in SAP. SAP systems also consist of more than just a production client in a production system...

Examples for the need for such a role:

Some companies might have a philosophy about support that they should be able to display (and understand) the entire application and all functional areas, and not just their own little piece of the pie which they can edit. Such a role could find a need in a development system.

Some companies also get audited (all functional areas, basis, authorizations, interfaces etc etc) and you might want the auditor to be able to display (and report on) the entire application and not just one client in it. Such a role could even be a legal requirement.

Some companies also have a change control policy which does not give developers and authorizations administrators access to the production systems (in most companies their work is done in development systems). However for emergency access or serious surprise type of troubleshooting, you might want to give them display access to analyze or debug a problem in production without having to hand out SAP_ALL to them. If it wasn't a surprise, then you would know which functional role to give them.. but you don't.

Cheers,

Julius

0 Kudos

Julius,

Just to make your idea clear about SAP_ALL_DISPLAY (and thanks for making mine about the need of display access) -

When you say, "you might want the auditor to be able to display (and report on) the entire application and not just one client in it", let me clarify that SAP authorization management works for that particular client only. So, if I am providing full display access to someone, it is at client level. If there are multiple clients within the system (all clients make an application as per your concept I believe) then he would not be able to view same information in other clients. So, SAP_ALL_DISPLAY does not serve the purpose of display access for whole "Application".

Of course, I agree with you that we do need full display access in the system.

0 Kudos

Hi Amol,

Yes, if the role (and some other config, SP and release stuff) truly is a DISPLAY_CLIENT_ONLY role, then the auditor would probably be limited to their sy-mandt client DATA only, plus the client independent DATA, and any report / tcode which delivers client independent or even client specific information (there are a few).

What I meant by "entire application" for such an audit was perhaps more "entire environment". Or rather better would be "entire system". An alternate would be "entire applications", as it would depend on what the application actually does and where it is coming from.

You are referring to the fact that a user with strong authorizations can have an impact beyond their client (logical system) irrespective of the current client they have authorizations from (eg. the way some applications use S_TABU_CLI, S_TABU_DIS, S_DEVELOP, S_TRANSPRT, S_RZL_ADM, S_ADMI_FCD...). The user can also impact other client DATA (eg. SE30, SE37, SUB%...).

So an auditor might want (highly unlikely though...) to have an account in all current accessible logical systems (clients) which can impact the one which they are auditing, or even better => a DISPLAY_ENVIRONMENT_ALL role which gives them access to display the real access of the users in the entire application / environment / system from a logical system (client) independent perspective, also without there necessarily being a reference (still) to that logical system. That would be a nice auditing tool!

Some auditors have their own dark ways of getting some of this sort of information, but perhaps SAP might want to consider adding such a feature to the audit information system (both as role and tool)?

Cheers,

Julius