cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Give full authorization but wants display only in SAP

former_member183044
Active Participant

on ‎12-02-2015 6:42 AM

0 Kudos

Hi all,

Today one new user came up with one abap dump "MESSAGE_TYPE_X" error in SAP.

When i consulted with our ABAP consultant, he told me that since the user was a new user, give all authorizations of one module to the new user and after that accordingly we can change later the authorizations.

For that i had assigned, say "ACCOUNTING" module, to that user. For that i want to provide only display access. Is there any profile for that beacuse there are almost more than 500 authorization objects are there, it will be a tedious task.....

When i searched in scn, i found out that "SAP_ALL_DISPLAY" profile is there. But it was only for 4.6. For ECC 6.0 any other way there ???

Kindly give your valuable opinions on this....

Regards

Praveen

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (4)

Answers (4)

former_member183044
Active Participant
‎12-02-2015 9:59 AM
0 Kudos

Gaurav & Steve,

In that blog, i read one comment. For each module we can create full access (with display only) , right? Then that should be much easier right ??

Regards

Praveen

Show replies
Show replies
Former Member
‎12-02-2015 11:23 AM
0 Kudos

If you are going to try to create a "display all" role for each module, how is that less work than creating a single "display all" role for all modules? You have the same number of transactions to test either way.

There was indeed one comment that said that, but did you also read the many more comments that said not to try?

If this is a role for use in production, then you should add just what's necessary. "All" certainly isn't necessary in production in day-to-day operations. For emergencies, maybe, but there are other ways to deal with that.

Steve.

former_member183044
Active Participant
‎12-02-2015 12:07 PM
0 Kudos

Steve,

Which are the other ways to deal with ?

Regards

Praveen

Former Member
‎12-02-2015 2:22 PM
0 Kudos

Ways to deal with emergency access? SAP have software solutions for that in the GRC product suite (commonly called "Firefighter", "Superuser Privilege Management (SUPM)" or "Emergency Access Management (EAM)", depending on the version - they are all essentially the same product). They provide proper control, authorisation, notification and an audit trail. If you are serious about access control you really should look into something like this. SAP's products are not the only ones.

There are of course, more manual systems that work the way you'd expect, somehow (on paper or electronically) authorising temporary assignment of more powerful roles with proper oversight and monitoring. You'd still want those roles to be manually built roles with well understood and tested behaviour, though.

We have SAP's GRC products but just occasionally (less often than once a year, on average) we have a need for access that is just too difficult to provide a role for, and we do have a manual process for use of SAP_ALL in production. This requires all sorts of senior sign-off, monitoring, and is only for really, really, short periods of time.

All of our processes were designed in conjunction with our internal auditors and approved by external auditors. I strongly recommend you take advice about this level of access before going ahead and just building something you think should be OK.

Steve.

former_member183044
Active Participant
‎12-03-2015 4:48 AM
0 Kudos

Thanks Steve.

former_member183044
Active Participant
‎12-02-2015 8:20 AM
0 Kudos

Hi Everyone,

I checked the GUI version. The same ABAP DUMP is coming in SAP GUI 7.4 also. Any other option ?

Besides that, can i ask you one question ? Is there any way in ECC6.0 that whether we can provide SAP_ALL ( all access) , only display mode ??

Regards

Praveen

Show replies
Show replies
former_member182657
Active Contributor
‎12-02-2015 9:11 AM
0 Kudos

Hi Praveen,

Hope the below SCN doc will help you.

Creating an SAP_ALL Display Only Role | SCN

Regards,

Former Member
‎12-02-2015 9:15 AM
0 Kudos

And do please read all of the comments on that blog post. A display-only SAP_ALL is not something you should ever contemplate in production, because it can't be done.

Steve.

former_member182657
Active Contributor
‎12-02-2015 6:56 AM
0 Kudos

Hi,

Share the ST22 dump details.

Regards,

Show replies
Show replies
former_member183044
Active Participant
‎12-02-2015 7:00 AM
0 Kudos

Hi Gaurav,

Provided in previous reply. Kindly check

Regards

Praveen

former_member182657
Active Contributor
‎12-02-2015 7:05 AM
0 Kudos

Hi Praveen,

Please follow SAP KBA  1603032 - Dump with MESSAGE_TYPE_X in SAPLOLEA and AC_SYSTEM_FLUSH and LOLEAU02

Regards,

former_member182034
Active Contributor
‎12-02-2015 7:09 AM
0 Kudos

Dear Praveen,

I don't think, this dump MESSAGE_TYPE_X  raised due to any authorization issue and , you can check missing authorization in SU53.

Regards,

srinivasan_vinayagam
Active Contributor
‎12-02-2015 7:22 AM
0 Kudos

Hi Praveen,

Please check with other system or latest SAP GUI version.

Regards,

V Srinivasan

srinivasan_vinayagam
Active Contributor
‎12-02-2015 6:49 AM
0 Kudos

Hi Praveen,

Kindly share the ST22 screenshot.

SAP_ALL_DISPLAY is not available any system, we have to create.

Regards,

V Srinivasan

Show replies
Show replies
former_member183044
Active Participant
‎12-02-2015 6:59 AM
0 Kudos

Hi Srinivas,

Attaching the screenshots

Regards

Praveen

Ask a Question