Exclude SAP_ALL in SU01

Former Member
0 Kudos

Hi,

I have one user who can access SU01, but he mustn't be able to provide the SAP_ALL profile.

How can I restrict SU01 to forbid SAP_ALL and/or access to the Profile tab?

Thanks and regards.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

You can control the profiles that users assign via object S_USER_PRO.

If you ensure that there is no * or range that includes SAP_ALL* in that object then they can't assign that to users.

As the assignment of roles to users invokes a check on the profile associated with that role, you can't completely lock that object.

Furthermore, the only way I can think of restricting the profile tab would be to create a transaction variant for SU01 (using SHD0) and make those fields display-only.
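
One way to audit for the condition described in the accepted answer, as an added example that is not part of the original post: it scans a constructed CSV export of role authorization values and reports roles whose S_USER_PRO PROFILE values (single value, `*` pattern or range) include SAP_ALL. The column names, role names and the simplified range comparison are assumptions.

```python
import csv
import io
import re

TARGET = "SAP_ALL"

# Constructed sample rows (not real system data); column names are assumed.
SAMPLE = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_USERADMIN_FULL,S_USER_PRO,PROFILE,*,
Z_USERADMIN_SAP,S_USER_PRO,PROFILE,SAP_*,
Z_USERADMIN_RANGE,S_USER_PRO,PROFILE,S,T
Z_USERADMIN_OK,S_USER_PRO,PROFILE,Z_*,
Z_USERADMIN_OK,S_USER_PRO,PROFILE,T-*,
Z_USERADMIN_OK,S_USER_PRO,ACTVT,*,
Z_HELPDESK,S_USER_GRP,CLASS,*,
"""


def covers(low, high, target=TARGET):
    """Return True if one LOW/HIGH value pair includes `target`."""
    low, high = low.strip(), high.strip()
    if not high:
        # Single value or generic pattern: '*' stands for any characters.
        pattern = re.escape(low).replace(r"\*", ".*")
        return re.fullmatch(pattern, target) is not None
    # Range (simplified assumption): plain string ordering; a trailing '*'
    # on a bound is treated as "anything starting with this prefix".
    lo, hi = low.rstrip("*"), high.rstrip("*")
    below_upper = target <= hi or (high.endswith("*") and target.startswith(hi))
    return lo <= target and below_upper


def audit(export_text):
    """Map role name -> S_USER_PRO PROFILE values that include SAP_ALL."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != "S_USER_PRO" or row["FIELD"] != "PROFILE":
            continue
        if covers(row["LOW"], row["HIGH"]):
            shown = row["LOW"] + (".." + row["HIGH"] if row["HIGH"] else "")
            findings.setdefault(row["AGR_NAME"], []).append(shown)
    return findings


if __name__ == "__main__":
    for role, values in audit(SAMPLE).items():
        print(f"{role}: PROFILE value(s) {values} allow assigning {TARGET}")
```

Roles that appear in the result still need their PROFILE values narrowed to the specific profiles the user administrator is meant to assign.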

2 REPLIES 2

Former Member
0 Kudos

Thanks for your answer!