on 12-02-2015 6:42 AM
Hi all,
Today one new user came up with one abap dump "MESSAGE_TYPE_X" error in SAP.
When i consulted with our ABAP consultant, he told me that since the user was a new user, give all authorizations of one module to the new user and after that accordingly we can change later the authorizations.
For that i had assigned, say "ACCOUNTING" module, to that user. For that i want to provide only display access. Is there any profile for that beacuse there are almost more than 500 authorization objects are there, it will be a tedious task.....
When i searched in scn, i found out that "SAP_ALL_DISPLAY" profile is there. But it was only for 4.6. For ECC 6.0 any other way there ???
Kindly give your valuable opinions on this....
Regards
Praveen
Gaurav & Steve,
In that blog, i read one comment. For each module we can create full access (with display only) , right? Then that should be much easier right ??
Regards
Praveen
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
If you are going to try to create a "display all" role for each module, how is that less work than creating a single "display all" role for all modules? You have the same number of transactions to test either way.
There was indeed one comment that said that, but did you also read the many more comments that said not to try?
If this is a role for use in production, then you should add just what's necessary. "All" certainly isn't necessary in production in day-to-day operations. For emergencies, maybe, but there are other ways to deal with that.
Steve.
Ways to deal with emergency access? SAP have software solutions for that in the GRC product suite (commonly called "Firefighter", "Superuser Privilege Management (SUPM)" or "Emergency Access Management (EAM)", depending on the version - they are all essentially the same product). They provide proper control, authorisation, notification and an audit trail. If you are serious about access control you really should look into something like this. SAP's products are not the only ones.
There are of course, more manual systems that work the way you'd expect, somehow (on paper or electronically) authorising temporary assignment of more powerful roles with proper oversight and monitoring. You'd still want those roles to be manually built roles with well understood and tested behaviour, though.
We have SAP's GRC products but just occasionally (less often than once a year, on average) we have a need for access that is just too difficult to provide a role for, and we do have a manual process for use of SAP_ALL in production. This requires all sorts of senior sign-off, monitoring, and is only for really, really, short periods of time.
All of our processes were designed in conjunction with our internal auditors and approved by external auditors. I strongly recommend you take advice about this level of access before going ahead and just building something you think should be OK.
Steve.
Hi Everyone,
I checked the GUI version. The same ABAP DUMP is coming in SAP GUI 7.4 also. Any other option ?
Besides that, can i ask you one question ? Is there any way in ECC6.0 that whether we can provide SAP_ALL ( all access) , only display mode ??
Regards
Praveen
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
Share the ST22 dump details.
Regards,
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Praveen,
Please follow SAP KBA 1603032 - Dump with MESSAGE_TYPE_X in SAPLOLEA and AC_SYSTEM_FLUSH and LOLEAU02
Regards,
Hi Praveen,
Kindly share the ST22 screenshot.
SAP_ALL_DISPLAY is not available any system, we have to create.
Regards,
V Srinivasan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
89 | |
10 | |
9 | |
9 | |
9 | |
6 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.