04-23-2007 9:11 PM
Hi,
I need to provide full read access to our SAP R/3 system to an auditor. Does R/3 provide any predefined role/set of roles to accomplish this task ?
Kind regards,
04-24-2007 12:33 PM
Hi,
These are the SAP standard auditor roles.
SAP_AUDITOR_A
SAP_AUDITOR_ADMIN
SAP_AUDITOR_ADMIN_A
SAP_AUDITOR_BA_A
SAP_AUDITOR_BA_CFM
SAP_AUDITOR_BA_CFM_A
SAP_AUDITOR_BA_CO
SAP_AUDITOR_BA_CO_A
SAP_AUDITOR_BA_EC_CS
SAP_AUDITOR_BA_EC_CS_A
SAP_AUDITOR_BA_EC_PCA
SAP_AUDITOR_BA_EC_PCA_A
SAP_AUDITOR_BA_EXPORT_DATA
SAP_AUDITOR_BA_FI_AA
SAP_AUDITOR_BA_FI_AA_A
SAP_AUDITOR_BA_FI_AP
SAP_AUDITOR_BA_FI_APMD
SAP_AUDITOR_BA_FI_APMD_A
SAP_AUDITOR_BA_FI_AR
SAP_AUDITOR_BA_FI_ARMD
SAP_AUDITOR_BA_FI_ARMD_A
SAP_AUDITOR_BA_FI_CJ
SAP_AUDITOR_BA_FI_CJ_A
SAP_AUDITOR_BA_FI_GL
SAP_AUDITOR_BA_FI_SL
SAP_AUDITOR_BA_FI_SL_A
SAP_AUDITOR_BA_HR
SAP_AUDITOR_BA_HR_A
SAP_AUDITOR_BA_MM
SAP_AUDITOR_BA_MM_IM
SAP_AUDITOR_BA_MM_IM_A
SAP_AUDITOR_BA_MM_IV
SAP_AUDITOR_BA_MM_IV_A
SAP_AUDITOR_BA_MM_PUR
SAP_AUDITOR_BA_MM_PUR_A
SAP_AUDITOR_BA_ORGA
SAP_AUDITOR_BA_RE
SAP_AUDITOR_BA_RE_A
SAP_AUDITOR_BA_SD
SAP_AUDITOR_BA_SD_A
SAP_AUDITOR_DS
SAP_AUDITOR_DS_A
SAP_AUDITOR_SA
SAP_AUDITOR_SA_BC
SAP_AUDITOR_SA_BC_CCM_USR
SAP_AUDITOR_SA_BC_CUS_TOL
SAP_AUDITOR_SA_CCM_USR
SAP_AUDITOR_SA_CUS_TOL
SAP_AUDITOR_TAX_A
SAP_AUDITOR_TAX_AA
SAP_AUDITOR_TAX_AA_A
SAP_AUDITOR_TAX_COPS
SAP_AUDITOR_TAX_COPS_A
SAP_AUDITOR_TAX_FI
SAP_AUDITOR_TAX_FI_A
SAP_AUDITOR_TAX_HR
SAP_AUDITOR_TAX_MM
SAP_AUDITOR_TAX_MM_A
SAP_AUDITOR_TAX_SD
SAP_AUDITOR_TAX_SD_A
SAP_AUDITOR_TAX_TR
SAP_AUDITOR_TAX_TR_A
04-23-2007 9:21 PM
Erik,
There is not a true sap_all display out of the box. Before 4.7 there was a role SAP_ALL_DISPLAY.
Do a search on display in this forum and you will see several threads on the topic, describing some methods for making a display all role.
One such method is inserting all authorizations into a role using menu->Edit->insert auth-full auth. Then changing all of the activities to 03, 04 & 08 if applicable. Keep in mind there are risks involved with this approach.
Cheers,
Ben
04-23-2007 9:29 PM
Thanks for your quick reply.
What exactly are the risks of this approach ?
Kind regards
04-23-2007 9:36 PM
One of the risks is combining this display all role with other roles that have update access. Since the display all role has S_TCODE with a '*' value, this may allow a user to process an unwanted transaction using one of the update objects in the other assigned roles.
In addition there are a few other objects that may need to be further restricted depending on your version.
Cheers,
Ben
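The role-combination risk described in the post above can be checked mechanically. The following is an added example, not part of the original thread: it merges each user's roles (authorizations are additive) and flags anyone who holds S_TCODE '*' together with a non-display activity. The role names, users and authorization data are constructed, and treating 03, 04 and 08 as display-only follows the earlier post.

```python
from collections import defaultdict

# Assumption: activities treated as display-only, as listed earlier in the thread.
DISPLAY_ACTVT = {"03", "04", "08"}

# Constructed sample data: role -> (auth object, field, value). Role names are hypothetical.
ROLE_AUTHS = {
    "Z_DISPLAY_ALL": [("S_TCODE", "TCD", "*"),
                      ("F_BKPF_BUK", "ACTVT", "03"),
                      ("M_BEST_EKO", "ACTVT", "03")],
    "Z_AP_CLERK":    [("S_TCODE", "TCD", "FB60"),
                      ("F_BKPF_BUK", "ACTVT", "01"),
                      ("F_BKPF_BUK", "ACTVT", "02")],
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "AUDITOR1": ["Z_DISPLAY_ALL"],
    "CLERK7":   ["Z_AP_CLERK"],
    "DEV3":     ["Z_DISPLAY_ALL", "Z_AP_CLERK"],
}

def effective_auths(user):
    """Union of authorization values over all of the user's roles."""
    merged = defaultdict(set)
    for role in USER_ROLES[user]:
        for obj, field, value in ROLE_AUTHS[role]:
            merged[(obj, field)].add((value, role))
    return merged

def wildcard_tcode_conflicts(user):
    """List (object, ACTVT, role) update authorizations held alongside S_TCODE '*'."""
    auths = effective_auths(user)
    if not any(v == "*" for v, _ in auths.get(("S_TCODE", "TCD"), ())):
        return []  # no wildcard transaction start, so this risk does not apply
    return sorted(
        (obj, value, role)
        for (obj, field), values in auths.items() if field == "ACTVT"
        for value, role in values if value not in DISPLAY_ACTVT
    )

def audit():
    """Map each affected user to the update authorizations the wildcard exposes."""
    return {u: c for u in USER_ROLES if (c := wildcard_tcode_conflicts(u))}

if __name__ == "__main__":
    for user, conflicts in audit().items():
        print(user, conflicts)
```

Neither role is flagged on its own; only the user holding both is reported, which is the combination the post warns about.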
04-23-2007 9:32 PM
Hi,
You can create a new role with SAP_ALL & SAP_NEW profiles.
Create a new role from PFCG and you have options in the menu (Insert authorizations from profile); there, input this profile and you would get all the auth objects into this role. Then change many things in ACTVT to display (03, 16 and 07 and 09) in many cases after checking all the authorization objects. It would take time, but this role is very handy and can be assigned to many non-business users and developers in the Prd environment.
<removed forbidden pointbegging by Moderator>
Junaid
Message was edited by: Bernhard Hochreiter
04-24-2007 7:38 PM
Hi,
> You can create a new role with SAP_ALL & SAP_NEW
> profiles.
> Create a new role from PFCG and you have options
> in the menu (Insert authorizations from profile);
> there, input this profile and you would get all the
> auth objects into this role. Then change many things
> in ACTVT to display (03, 16 and 07 and 09) in many
> cases after checking all the authorization objects.
> It would take time, but this role is very handy and can
> be assigned to many non-business users and developers
> in the Prd environment.
>
> **Reward points if helpful
Actually, I would strongly advise NOT to do that. There are many dangers with this approach. Lots of transactions are dangerous even with ACTVT 03 (example: data protection issues), others do not even check for ACTVT. This approach will open up your system for fraud on many levels.
Let me repeat again: NOBODY NEEDS ACCESS TO ALL TRANSACTIONS, ever!
The auditors will write you up big time if you do that.
Start with the default auditor roles and fine-tune them to your needs.
Sorry to be so blunt...
Frank.
04-23-2007 11:39 PM
Short answer: DON'T DO THAT!
The auditor will NOT need access to ALL transactions, ever.
You'll want to look at the pre-defined menu roles that start with SAP_AUDITOR* (and the associated authorization roles SAP_AUDITOR_CA*), they should do the trick. They have been developed with auditors in mind.
They're not perfect, but they should go a long way, and auditors are used to getting them.
Hope that helps,
Frank.
05-27-2013 10:58 AM
You should not assign the "ADMIN-Roles" to the auditor themselves, as these give development access!
SAP_AUDITOR_ADMIN
SAP_AUDITOR_ADMIN_A
The Admin-Roles are used to "build" up the AIS.
SAP then recommends to "copy" the SAP-Roles to the customer namespace and use those. But do not include the ADMIN-Roles themselves in the composite role you will later use for the auditor.
SAP_AUDITOR_ADMIN allows for (restricted) "programming", which is not a thing you should be allowed to do in production systems.
04-26-2007 6:44 AM
SAP_ALL_DISPLAY roles exist in previous versions of SAP. Download from that version and upload into your version. I solved the same problem with this method. I think it will be easy.
05-29-2013 12:38 PM