
How to modify SAP_ALL

Former Member
0 Kudos

Hi

I have a development environment and I would like to give a developer SAP_ALL without the SU01 (ability to create users) ability. Can anyone please let me know how I could modify SAP_ALL and delete SU01 from it?

Thanks

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Ravi,

It is not advisable to give SAP_ALL to a developer. The better option is to create a "Z*" role and assign all the t-codes which they commonly use. In exceptional cases, add administrative t-codes (based on the requirement).

Moreover, SAP_ALL is an SAP standard profile, and it is not good to change the standard one. Always create a replica of the standard and modify the newly created one.

hope this info helps!

with regds,

raj

<i>pls, award suitable points</i>


WolfgangJanzen
Product and Topic Expert
0 Kudos

It's hard to restrict the power of someone who can modify existing coding or write new coding - see <a href="https://service.sap.com/sap/support/notes/13202">SAP Note 13202</a>.

Regards, Wolfgang

former_member912992
Participant
0 Kudos

Hi,

DO NOT modify SAP_ALL. Please create a new role. At least you must remove SCC4, SU01, PFCG, STMS from the role that is assigned to the developer and limit SE16, SM30 and SM31 only to specific tables that the developer needs. If you remove SCC4, but you gave free access to SM30, then he / she is able to edit table T000. It is exactly the same as SCC4 ;-).

Regards,

Agoes

Message was edited by:

Agoes Boedi Poerwanto

Former Member
0 Kudos

Hi,

SAP_ALL is an SAP standard profile; we cannot modify this profile.

We have to create roles in PFCG and assign them to the developer. Those roles do not have the SU01 transaction code.

I hope it will help you.

kiran kumar.v

Former Member
0 Kudos

Hi,

Create a new role with transactions from the SAP menu.

OR

If you have an existing role, copy the role, then search for the following objects

In the authorization tab (give with full authorization)

search for the following objects:

S_USER_AUT User Master Maintenance: Authorizations

S_USER_GRP User Master Maintenance: User Groups

S_USER_SYS User Master Maintenance: System for Central User Maintenance

S_USER_PRO User Master Maintenance: Authorization Profile

If you disable the above objects, T-Code SU01 will not work.

I hope it's clear. If you need more info, let me know

Cheers

Soma

0 Kudos

Hi Soma,

I have a requirement: I have to give SAP_ALL and SAP_NEW to my functional team, but I want to restrict the SCC4, SE06 and SU01 tcodes from being used. Since we don't create any roles for our functional team, is there any way that I can create a copy of the original SAP_ALL and SAP_NEW as something like Z_SAP_ALL and Z_SAP_NEW and edit the copied profile to restrict the tcodes mentioned above? Please help.

Best Regards,

Sanju

0 Kudos

You can create a role via PFCG and use SAP_ALL as a template, then delete some objects.

Regards,

Jack

0 Kudos

Jack,

Just curious here: What made you think the original poster was still in search of an answer after 246 days?

Jurjen

koehntopp
Product and Topic Expert
Product and Topic Expert
0 Kudos

<sigh>

<SIGH>

How many times do we have to state that "take SAP_ALL and remove a few objects" IS JUST NOT GOING TO CUT IT?

First of all, for your special case: If you're a developer you can do just about everything.

Taking SAP_ALL and removing those objects will still leave you with THOUSANDS of ways to create users or otherwise do bad things.

Just don't, please. Take the time and build a proper role.

Thank you.

Frank.

0 Kudos

> <sigh>

>

> <SIGH>

And, Frank, did you notice the thread-start-date? SIGH

0 Kudos

At least it is evidence that the search is used...

0 Kudos

Well,

Since I am facing somewhat the same issue at my current customer, I did search the whole forum... and still found no real concrete answer anywhere... Therefore I did create a new role, with import of full authorisation on the authorisation tab page using Menu >> Goto >> Insert Authorisations >> Full Authorisation.

Next, I limited the most critical objects I knew and found back in the forum:

Cross Application AAAB S_RFC_ADM relevant for SM59 and remote Function Modules based on destination

Basis: Development BC_C S_DEVELOP Using this object, you can assign access authorizations for all the workbench components

Basis: Administration BC_A S_ADMI_FCD This authorization object checks access to several Basis functions, for example, spool administration and monitoring.

Basis: Development BC_C S_TRANSPRT Authorization object for the Transport Organizer

Basis: Administration BC_A S_RZL_ADM Authorization object for R/3 System administration using the Computing Center Management System

Basis: Administration BC_A S_CTS_ADMI Administration functions in the Change and Transport System

Basis: Administration BC_A S_USER_AGR The authorization object is used to protect the roles. Roles are used to combine users in groups and to assign them different attributes, in particular transactions and authorization profiles.

Basis: Administration BC_A S_USER_VAL This authorization object allows you to restrict the values an administrator is allowed to add or change for a role in the Profile Generator. The authorization object refers to all field values except the values of the object S_TCODE.

Basis: Administration BC_A S_USER_TCD Authorization objects control the transactions that system administrators can assign to a role, as well as the transactions for which they can assign transaction code authorization.

Basis: Administration BC_A S_USER_AUT Authorization object, which is checked during authorization maintenance. (In Tcodes SU03 and SU02)

Basis: Administration BC_A S_USER_OBJ You use the authorization object to protect access to globally switching off authorization objects. The system checks the object if you choose Save or Activate in the transaction for switching off authorization objects (auth_switch_objects).

Basis: Administration BC_A S_USER_PRO User Master Maintenance: Authorization Profile

Basis: Administration BC_A S_USER_GRP User Master Maintenance: User Groups

Basis: Administration BC_A S_USER_SYS User Master Maintenance: System for Central User Maintenance (CUA)

Basis: Administration BC_A S_USER_SAS User Master Maintenance: System-Specific Assignments

Basis: Administration BC_A S_BTCH_ADM Background Processing: Background Administrator

Basis: Administration BC_A S_TABU_DIS Table Maintenance (via standard tools such as SM30)

Basis: Administration BC_A S_TABU_CLI Cross-Client Table Maintenance

Human Resources HR PLOG Personnel Planning

I deactivated or restricted these objects... and think this would be an acceptable solution.

Just also created a Customizing Display only role... which seems to work fine..

cheers

Davy Pelssers
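
An added example, not part of any post in this thread: a Python review of a role copied from SAP_ALL, checking for what Agoes's and Davy's posts describe, namely critical transactions still reachable through an S_TCODE pattern or range, and listed objects left with a `*` value. The CSV layout, the role name Z_DEV_COPY and the sample rows are constructed; skipping rows flagged `X` in DELETED is an assumption about the export.

```python
import csv
import io
from fnmatch import fnmatchcase

# Transactions and authorization objects named as critical in the posts above.
CRITICAL_TCODES = ("SCC4", "SE06", "SU01", "PFCG", "STMS")
CRITICAL_OBJECTS = {
    "S_USER_GRP", "S_USER_AUT", "S_USER_PRO", "S_USER_SYS", "S_USER_AGR",
    "S_DEVELOP", "S_TRANSPRT", "S_CTS_ADMI", "S_ADMI_FCD", "S_RFC_ADM",
    "S_TABU_DIS", "S_TABU_CLI",
}

# Constructed sample, not real data. Assumed columns: role, object, field,
# from-value, to-value, deleted flag.
SAMPLE = """\
AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_DEV_COPY,S_TCODE,TCD,SE38,,
Z_DEV_COPY,S_TCODE,TCD,SM30,,
Z_DEV_COPY,S_TCODE,TCD,SU0*,,
Z_DEV_COPY,S_TCODE,TCD,SCC1,SCC9,
Z_DEV_COPY,S_TABU_DIS,ACTVT,02,,
Z_DEV_COPY,S_TABU_DIS,DICBERCLS,*,,
Z_DEV_COPY,S_USER_GRP,ACTVT,*,,X
Z_DEV_COPY,S_DEVELOP,OBJTYPE,PROG,,
"""

def tcodes_granted(low, high):
    """Critical transactions covered by one S_TCODE value (literal, pattern or range)."""
    if high:  # a from-to range is compared as plain strings
        return [t for t in CRITICAL_TCODES if low <= t <= high]
    return [t for t in CRITICAL_TCODES if fnmatchcase(t, low)]

def audit(export_text):
    """Return (role, object, detail) for every entry that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["DELETED"] == "X":  # assumption: flagged rows are inactive
            continue
        role, obj, low, high = row["AGR_NAME"], row["OBJECT"], row["LOW"], row["HIGH"]
        if obj == "S_TCODE":
            value = f"{low}-{high}" if high else low
            findings += [(role, obj, f"{t} via {value}") for t in tcodes_granted(low, high)]
        elif obj in CRITICAL_OBJECTS and low == "*":
            findings.append((role, obj, f"{row['FIELD']}=*"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

A clean result from this check only covers the listed objects and transactions; it says nothing about what a user with development rights can do through custom code.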

0 Kudos

Hi Davy

How is your CRM Authorization Book coming? Did you publish it, or is it still in process?

AB.

koehntopp
Product and Topic Expert
0 Kudos

Not sure about anybody else, but I can already think of ways how that user can wreak havoc...

0 Kudos

Hi Frank,

I am tempted to post my "display only role" with specific object values for a large set of the important ones and those requiring disabled status (at least it would be a start and something for those who are not going to build proper roles anyway... even if there are some problems in it - most notably S_TCODE...), but...

>

> Not sure about anybody else, but I can already think of ways how that user can wreak havoc...

...I think someone wanting to cause havoc would go straight for customer coding and not be bothered much by missing authorizations in their role.

Cheers,

Julius