
Display role for all transactions

Former Member
0 Kudos

Hi,

We want to create a role with all transactions, but display only. (Same as SAP_ALL with display access only)

I have read previously posted messages in this forum, but didn't find the solution.

The SAP_ALL_DISPLAY role was available prior to 4.7. But we want to create a role on WAS 6.4 onwards.

Does anyone have a solution for this?

Regards,

Prasad

Message was edited by:

Prasad Musale

18 REPLIES

Former Member
0 Kudos

Hi,

Well, create a composite role with the SAP_ALL role as a part of it.

This is the easy solution. Your new role should start with the letter Z_.

Reward with points.

Former Member
0 Kudos

Hi Manoj,

Thanks for quick reply, but please read my question carefully.

I want to create a role with display authorization to all Tcodes.

Regards,

Prasad

0 Kudos

Check this - https://forums.sdn.sap.com/click.jspa?searchID=2040956&messageID=2856761

Always search in the forums for what you are looking for.

Former Member
0 Kudos

Hi Prasad,

This is not an easy job, I hope. Probably you may try it this way:

1. Create a role with SAP_ALL profile.

2. Download this role to your PC, open it as text file.

3. Search for 'ACTVT * ' and replace it with 'ACTVT 03'.

4. Upload the role and generate the role.

You can give it a try, but I am sure if it is going to work out perfectly.

Hope it helps.

Please award points if it is useful.

Thanks & Regards,

Santosh

0 Kudos

This message was moderated.

Former Member
0 Kudos

Hi Amol,

Thanks for your suggestion, but I already worked out the solutions given in that thread and they are not working. I have already seen messages related with Display ALL role and I have mentioned that previously.

Please suggest any new solution.

Regards,

Prasad

Former Member
0 Kudos

Hi Santosh,

I have already tried that task, but while uploading the role after the changes, it is giving the error "Transferred codepage does not match the byte order mark".

I think it's storing the byte order somewhere, and we need to change that. I tried but didn't find the solution.

(But it's good, as SAP is protecting against manual changes to the role outside the SAP system.)

Can you suggest any solution regarding this?

Thanks,

Prasad

0 Kudos

Hi Prasad,

Maybe you can just create a role with no transactions in it and then go to the authorizations screen; it will be empty at first. Then go to EDIT ---> INSERT AUTHORIZATIONS ---> FROM PROFILE, and in the pop-up box give SAP_ALL. It should copy all the authorizations from the SAP_ALL profile; then update the organizational levels and replace the activity * by 03. Then it should work.

It will take more time to change the activity, but this is the only way I guess.

Let me know if it works...

guillermo_m
Active Participant
0 Kudos

Hi Prasad! I think that it isn't possible with changing the role manually in a TXT file to obtain a display only SAP_ALL role. And SAP doesn't deliver it.

The only possible way is to create a role with SAP_ALL profile and change the activities manually in the PFCG.

However, in Solution Manager, there is a role delivered by SAP, that has display authorizations for all transactions.

Regards!

Former Member
0 Kudos

Hi People,

I have a question. If the SAP_ALL Display role is created and added to users who have other activities for the same authorization objects, then they may get execute for TCODES they had display only.

For instance, a MIGO display role is created, but a person who does Plant Maintenance Receiving and physical inventory also has the authorization objects in the object class MM_B, with change authorization.

Due to this, MIGO no longer remains display only, but gives the user execute access, which is undesirable.

Any thoughts on how this problem is overcome in your organizations?

0 Kudos

Hi Rajeswari,

Users in production should not have access to roles with S_TCODE values that are * or large ranges for exactly this reason.

The risk can be mitigated partially when they only have display access (remembering to tie down all the back doors etc), however due to the authorisation concept and the shared use of objects, you run the risk of giving access to transactions that are not suitable.

I fail to see a valid situation where users that need to process transactions in production should have access to execute every transaction, even if in display mode.

If you need end users to access all display transactions then a search in tstct on isplay in the transaction title will give you a reasonable list. There are a few notable transactions missing from there, but it's not a huge piece of work to ID the missing ones that you are likely to use.

Regards

Alex.
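
Added example, not part of any post in this thread: a small Python model of the effect discussed above, where a display-all role plus an unrelated change role together allow posting in a transaction that neither role allows alone. The role names, field values and per-transaction check list are constructed and simplified assumptions; the model relies only on the fact that an authority check passes when any one authorization from any assigned role covers all checked fields.

```python
from fnmatch import fnmatchcase

# Constructed sample roles: role -> [(authorization object, {field: allowed values})].
# Role names and values are hypothetical; ranges are not modelled, only "*" patterns.
ROLES = {
    "Z_DISPLAY_ALL": [
        ("S_TCODE", {"TCD": ["*"]}),
        ("M_MSEG_BWA", {"ACTVT": ["03"], "BWART": ["*"]}),
    ],
    "Z_PM_RECEIVING": [
        ("S_TCODE", {"TCD": ["MB1C"]}),
        ("M_MSEG_BWA", {"ACTVT": ["01", "02", "03"], "BWART": ["*"]}),
    ],
}

# Constructed, simplified list of the checks a transaction makes before posting.
POSTING_CHECKS = {
    "MIGO": [("M_MSEG_BWA", {"ACTVT": "01", "BWART": "101"})],
    "MB1C": [("M_MSEG_BWA", {"ACTVT": "01", "BWART": "501"})],
}

def authorized(roles, obj, required):
    """True if any one authorization for obj, from any role, covers all fields."""
    for role in roles:
        for name, fields in ROLES[role]:
            if name == obj and all(
                any(fnmatchcase(value, pat) for pat in fields.get(field, []))
                for field, value in required.items()
            ):
                return True
    return False

def can_post(roles, tcode):
    """Transaction start check on S_TCODE, then the transaction's own checks."""
    checks = [("S_TCODE", {"TCD": tcode})] + POSTING_CHECKS[tcode]
    return all(authorized(roles, obj, req) for obj, req in checks)

def escalations(roles):
    """Transactions postable with the combined roles but with no single role."""
    return sorted(
        t for t in POSTING_CHECKS
        if can_post(roles, t) and not any(can_post([r], t) for r in roles)
    )

if __name__ == "__main__":
    print(escalations(["Z_DISPLAY_ALL", "Z_PM_RECEIVING"]))
```

Run against an export of real role contents, the same comparison lists the transactions a reviewer should look at before assigning a wide S_TCODE role alongside functional roles.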

Former Member
0 Kudos

Hi Cuervo,

Can you just specify the role name, which gives display access to all transactions?

Thanks,

Prasad

Former Member
0 Kudos

Hi Alex,

> I fail to see a valid situation where users that need to process transactions in production should have access to execute every transaction, even if in display mode.

We have the development system. We are separating the responsibility based on business functions such as FI, MM etc. It may be possible that an FI consultant may require display access to a transaction from MM. In this case the MM consultant will have MM roles only, but will have the display all role, so that he can perform his functions smoothly.

The solution you gave is working, but it does not serve the purpose.

Any other solution?

Thanks,

Prasad

0 Kudos

> Hi Alex,
>
> > I fail to see a valid situation where users that need to process transactions in production should have access to execute every transaction, even if in display mode.
>
> We have the development system. We are separating the responsibility based on business functions such as FI, MM etc. It may be possible that an FI consultant may require display access to a transaction from MM. In this case the MM consultant will have MM roles only, but will have the display all role, so that he can perform his functions smoothly.
>
> The solution you gave is working, but it does not serve the purpose.
>
> Any other solution?
>
> Thanks,
> Prasad

Hi Prasad,

My response was to Rajeswari's question rather than your situation which I appreciate is different to the one he was talking about.

Creating a display role based on SAP_ALL with all activities set to display mode takes around 2 hours, it sounds like it would be worth your while creating it from scratch, though I appreciate that it is a tedious task!

By using a display role in this manner you will still have the potential for access to functions that are controlled by shared objects, however the risk is reduced unless you give them access to debug & replace.

Former Member
0 Kudos

Hello,

Copy all the individual roles into a Z role. For this, create a Z role in PFCG. Go to the authorization tab in edit mode. Go to Edit tab ---> Insert Authorizations ---> From Profile. In the profile name tab enter SAP_ALL. This will copy all the authorization objects of SAP_ALL into this new Z role. Go to the utility tab and set technical names on.

Click Ctrl+F. In the Field Name tab enter ACTVT. Change the ACTVT value to display. Then click Ctrl+G. This will take you to the next field. Like this, go on changing all the ACTVT fields.

Otherwise explore the possibility of an LSMW for the same.

The only way is to change all the ACTVT fields to display.

Regards

guillermo_m
Active Participant
0 Kudos

Hi again Prasad!

Create a Z role and don't add any transaction. Then, go to the authorizations and click the maintain button. The system will ask you if you want to export a template authorization; there, select the SAP_ALL profile. Then, maintain the activity fields and put them all in "display". This way you will get a role with SAP_ALL DISPLAY only.

Regards and good luck!

If you can't do it, tell me and I'll explain it more carefully.

0 Kudos

Hi Manas & Cuervo ,

I already know how to create a Z role in SAP. I just want a logical way to convert SAP_ALL to SAP_ALL display. The ways you have suggested are workable, but there are more than 1700 ACTVT fields in SAP_ALL. Changing those is a tedious task. There should be some way to get the task done.

Does anyone have any other optimized way to create SAP_ALL display?

Thanks,

Prasad

0 Kudos

Hi Prasad,

I think there are various reasons why SAP is not providing a full display role anymore. Data protection & SOXA - just to name 2. I think a display role for everything in the system should not exist.

Apart from that SAP delivers various Display roles - so one option for you might be to copy those and group them into 1 customer role. This is still some work but maybe not as much as changing all values from SAP_ALL. In addition I don't think changing the activities in SAP_ALL (i.e. a copy of it) would really restrict to Display Only. There are various transactions out there which do not have an auth check against an object containing an activity. So your role will contain the risk of allowing change access to certain transactions. In addition some of the transactions within SAP can't be restricted to display only.

Kind regards

Petra