SAP R/3: read-only access role

Former Member
0 Kudos

Hi,

I need to provide full read access to our SAP R/3 system to an auditor. Does R/3 provide any predefined role or set of roles to accomplish this task?

Kind regards,

1 ACCEPTED SOLUTION

v_veeramalla
Active Participant
0 Kudos

Hi,

These are the SAP standard auditor roles.

SAP_AUDITOR_A

SAP_AUDITOR_ADMIN

SAP_AUDITOR_ADMIN_A

SAP_AUDITOR_BA_A

SAP_AUDITOR_BA_CFM

SAP_AUDITOR_BA_CFM_A

SAP_AUDITOR_BA_CO

SAP_AUDITOR_BA_CO_A

SAP_AUDITOR_BA_EC_CS

SAP_AUDITOR_BA_EC_CS_A

SAP_AUDITOR_BA_EC_PCA

SAP_AUDITOR_BA_EC_PCA_A

SAP_AUDITOR_BA_EXPORT_DATA

SAP_AUDITOR_BA_FI_AA

SAP_AUDITOR_BA_FI_AA_A

SAP_AUDITOR_BA_FI_AP

SAP_AUDITOR_BA_FI_APMD

SAP_AUDITOR_BA_FI_APMD_A

SAP_AUDITOR_BA_FI_AR

SAP_AUDITOR_BA_FI_ARMD

SAP_AUDITOR_BA_FI_ARMD_A

SAP_AUDITOR_BA_FI_CJ

SAP_AUDITOR_BA_FI_CJ_A

SAP_AUDITOR_BA_FI_GL

SAP_AUDITOR_BA_FI_SL

SAP_AUDITOR_BA_FI_SL_A

SAP_AUDITOR_BA_HR

SAP_AUDITOR_BA_HR_A

SAP_AUDITOR_BA_MM

SAP_AUDITOR_BA_MM_IM

SAP_AUDITOR_BA_MM_IM_A

SAP_AUDITOR_BA_MM_IV

SAP_AUDITOR_BA_MM_IV_A

SAP_AUDITOR_BA_MM_PUR

SAP_AUDITOR_BA_MM_PUR_A

SAP_AUDITOR_BA_ORGA

SAP_AUDITOR_BA_RE

SAP_AUDITOR_BA_RE_A

SAP_AUDITOR_BA_SD

SAP_AUDITOR_BA_SD_A

SAP_AUDITOR_DS

SAP_AUDITOR_DS_A

SAP_AUDITOR_SA

SAP_AUDITOR_SA_BC

SAP_AUDITOR_SA_BC_CCM_USR

SAP_AUDITOR_SA_BC_CUS_TOL

SAP_AUDITOR_SA_CCM_USR

SAP_AUDITOR_SA_CUS_TOL

SAP_AUDITOR_TAX_A

SAP_AUDITOR_TAX_AA

SAP_AUDITOR_TAX_AA_A

SAP_AUDITOR_TAX_COPS

SAP_AUDITOR_TAX_COPS_A

SAP_AUDITOR_TAX_FI

SAP_AUDITOR_TAX_FI_A

SAP_AUDITOR_TAX_HR

SAP_AUDITOR_TAX_MM

SAP_AUDITOR_TAX_MM_A

SAP_AUDITOR_TAX_SD

SAP_AUDITOR_TAX_SD_A

SAP_AUDITOR_TAX_TR

SAP_AUDITOR_TAX_TR_A

10 REPLIES 10

Former Member
0 Kudos

Erik,

There is not a true sap_all display out of the box. Before 4.7 there was a role SAP_ALL_DISPLAY.

Do a search on display in this forum and you will see several threads on the topic, describing some methods for making a display all role.

One such method is inserting all authorizations into a role using menu->Edit->insert auth-full auth. Then changing all of the activities to 03, 04 & 08 if applicable. Keep in mind there are risks involved with this approach.

Cheers,

Ben

0 Kudos

Thanks for your quick reply.

What exactly are the risks of this approach?

Kind regards

0 Kudos

One of the risks is combining this display all role with other roles that have update access. Since the display all role has S_TCODE with a '*' value, this may allow a user to process an unwanted transaction using one of the update objects in the other assigned roles.

In addition there are a few other objects that may need to be further restricted depending on your version.

Cheers,

Ben

Former Member
0 Kudos

Hi,

You can create a new role with SAP_ALL & SAP_NEW profiles.

Create a new role from PFCG and you have options in the menu (Insert authorizations from profile); there input this profile and you would get all the auth objects into this role. Then change many things in ACTVT to display (03, 16 and 07 and 09) in many cases after checking all the authorization objects. It would take time but this role is very handy and can be assigned to many non-business users and developers in the Prd environment.

<removed forbidden pointbegging by Moderator>

Junaid

Message was edited by: Bernhard Hochreiter

koehntopp
Product and Topic Expert
0 Kudos

Hi,

> You can create a new role with SAP_ALL & SAP_NEW profiles.
> Create a new role from PFCG and you have options in the menu (Insert authorizations from profile); there input this profile and you would get all the auth objects into this role. Then change many things in ACTVT to display (03, 16 and 07 and 09) in many cases after checking all the authorization objects. It would take time but this role is very handy and can be assigned to many non-business users and developers in the Prd environment.
>
> **Reward points if helpful

Actually, I would strongly advise NOT to do that. There are many dangers with this approach. Lots of transactions are dangerous even with ACTVT 03 (example: data protection issues), others do not even check for ACTVT. This approach will open up your system for fraud on many levels.

Let me repeat again: NOBODY NEEDS ACCESS TO ALL TRANSACTIONS, ever!

The auditors will write you up big time if you do that.

Start with the default auditor roles and fine-tune them to your needs.

Sorry to be so blunt...

Frank.
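
Added example (not part of any post in this thread, and not SAP code): a small Python model of the two risks raised above, S_TCODE '*' combined with another role's update authorizations, and transactions that never check ACTVT. The role names, the Z_DOC object and the Z* transaction codes are constructed placeholders; only S_TCODE and ACTVT come from the thread.

```python
from fnmatch import fnmatchcase

# Constructed sample roles: role -> list of (auth object, {field: allowed values})
ROLES = {
    "Z_DISPLAY_ALL": [("S_TCODE", {"TCD": {"*"}}),
                      ("Z_DOC", {"ACTVT": {"03"}})],
    "Z_CLERK": [("S_TCODE", {"TCD": {"ZPOST1"}}),
                ("Z_DOC", {"ACTVT": {"01", "02", "03"}})],
}

# Constructed catalogue: tcode -> (object, ACTVT) the program checks,
# or None when the program performs no ACTVT check at all.
TCODE_CHECKS = {
    "ZPOST1": ("Z_DOC", "01"),   # create
    "ZPOST2": ("Z_DOC", "02"),   # change
    "ZSHOW":  ("Z_DOC", "03"),   # display
    "ZMAINT": None,              # only the S_TCODE start check applies
}

def has_auth(roles, obj, field, value):
    """True if any assigned role grants `value` for obj/field ('*' is a wildcard)."""
    return any(
        o == obj and any(fnmatchcase(value, p) for p in fields.get(field, ()))
        for r in roles for o, fields in ROLES[r]
    )

def runnable(roles):
    """Transactions the user can start AND pass the in-program check for."""
    out = set()
    for tcode, check in TCODE_CHECKS.items():
        if not has_auth(roles, "S_TCODE", "TCD", tcode):
            continue
        if check is None or has_auth(roles, check[0], "ACTVT", check[1]):
            out.add(tcode)
    return out

def unintended_updates(roles):
    """Non-display transactions that no single role allows but the union does."""
    alone = set().union(*(runnable([r]) for r in roles))
    return sorted(t for t in runnable(roles) - alone
                  if TCODE_CHECKS[t] and TCODE_CHECKS[t][1] != "03")

def no_actvt_check(roles):
    """Runnable transactions where restricting ACTVT to display has no effect."""
    return sorted(t for t in runnable(roles) if TCODE_CHECKS[t] is None)

if __name__ == "__main__":
    print(unintended_updates(["Z_DISPLAY_ALL", "Z_CLERK"]))
    print(no_actvt_check(["Z_DISPLAY_ALL"]))
```

Running the same comparison over a real role export, before assigning a wildcard S_TCODE role alongside others, shows which update transactions the combination opens up.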

koehntopp
Product and Topic Expert
0 Kudos

Short answer: DON'T DO THAT!

The auditor will NOT need access to ALL transactions, ever.

You'll want to look at the pre-defined menu roles that start with SAP_AUDITOR* (and the associated authorization roles SAP_AUDITOR_CA*), they should do the trick. They have been developed with auditors in mind.

They're not perfect, but they should go a long way, and auditors are used to getting them.

Hope that helps,

Frank.

0 Kudos

You should not assign the "ADMIN-Roles" to the auditor themselves, as these give development access!

SAP_AUDITOR_ADMIN

SAP_AUDITOR_ADMIN_A

The Admin-Roles are used to "build" up the AIS.

SAP then recommends to "copy" the SAP-Roles to customer namespace and use those. But do not include the ADMIN-Roles themselves in the composite role you will later use for the auditor.

SAP_AUDITOR_ADMIN allows for (restricted) "programming", which is not a thing you should be allowed to do in production systems.

v_veeramalla
Active Participant
0 Kudos

SAP_ALL_DISPLAY roles exist in previous versions of SAP. Download from that version and upload into your version. I solved the same problem with this method. I think it will be easy.

0 Kudos

Do not do this. SAP_ALL_DISPLAY was not deleted by accident!