09-01-2007 11:37 AM
Dear friends,
how to provide access to All T.code with only Display option.
--- Lee
09-01-2007 12:44 PM
That is far too dangerous, so do not even try, as some t-codes are not limited by activity value but by other objects.
Just curious, why should you want to give this access??
09-03-2007 8:53 AM
This is for our SAP consultant (during implementation) on the production server.
If there ... please let me know..
-- Lee
09-03-2007 9:08 AM
Use the search for SAP_ALL_DISPLAY; there are a load of posts which tell you how to create a wide-access display role.
09-03-2007 11:04 AM
Even then you should not give such a wide access. No SAP consultant should ask this, at least when they know what they are doing!
If a consultant wants to test something, assign him/her a userid with the appropriate end-user roles assigned. But never on the production machine. Consultants should ONLY have this kind of access on the DEV or Quality machines!!
Be aware that you are endangering the validity of production data this way! As you can never be certain that you have not given change/create access in the background, at the next audit this can lead to a lot of questions if the auditors know their job well!
09-03-2007 4:48 PM
Auke, there is minimal risk in giving display access to a non-live system (assuming that the original poster's use of "implementation" = pre go-live).
Whilst SAP_ALL_DISPLAY (or variants on that theme) is a blunt tool, often unsuitable for the task in hand, I can't see where it is going to provide a significant risk if built properly and not combined with other access where the wildcard or ranged t-codes can interact with objects that are not tied down to display options.
If it is a live system then I agree with you 100%
Message was edited by:
Alex Ayers
09-03-2007 5:13 PM
Alex
When given display to all T-codes (at least that is what has been asked), one gets into the same trouble as with SAP_ALL: not all T-codes can be restricted to display by activity assignment. So I suggest not granting such wide access to a (to-be) production system, as it is not a secure solution. Nobody guarantees you that the person will not enter data via a loophole in the security; besides that, I would surely doubt the knowledge of the consultant that is requesting this, as it is far from showing a professional approach!
09-03-2007 5:37 PM
Auke,
I share similar concerns over the final solution; however, I have yet to find a decent example where, with appropriate restriction placed at object level, a display-all role compromises the security of a system prior to it being in the production state. Many of the dangerous functions still require a t-code & object combination; any that don't are still subject to key kernel-level checks on S_TABU_DIS etc. The t-codes that are not display (e.g. MM01) will just fail to work.
Ultimately I wouldn't recommend the use of such a role for the application of the original poster, and I certainly wouldn't use it myself in that application; however, much of the perceived risk does seem to come from "what-ifs" and "possiblys" rather than any good idea of exploits that can occur when access to update data or execute code is removed.
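As an added example (not code from this thread or from SAP), here is a small Python audit over PFCG-style authorization entries that flags the gap Auke and Alex are debating: objects in a "display all" role that carry no ACTVT field (so cannot be tied to display by activity value), ACTVT values beyond display, and wildcard or ranged S_TCODE entries. The role data, the object/field names and the set of read-only activity codes are constructed/assumed for illustration only.

```python
# Constructed sample of role authorization data in the shape of PFCG's
# object/field/low/high entries. Values are chosen to show the cases
# discussed above, not copied from any real role.
SAMPLE_ROLE = [
    ("S_TCODE",    "TCD",       "*",      ""),   # wildcard t-code start
    ("S_TABU_DIS", "ACTVT",     "03",     ""),   # display only
    ("S_TABU_DIS", "DICBERCLS", "*",      ""),
    ("S_DEVELOP",  "ACTVT",     "01",     "03"), # range includes create/change
    ("S_DEVELOP",  "OBJTYPE",   "*",      ""),
    ("S_PROGRAM",  "P_ACTION",  "SUBMIT", ""),   # object has no ACTVT field
    ("S_PROGRAM",  "P_GROUP",   "*",      ""),
    ("S_BTCH_JOB", "JOBACTION", "RELE",   ""),   # object has no ACTVT field
]

# Assumption: activities treated as read-only (03 = display,
# 08 = display change documents). Extend for your own object set.
DISPLAY_ACTVT = {"03", "08"}


def actvt_values(low, high):
    """Expand one ACTVT low/high entry into the set of codes it grants.
    '*' means everything; a blank high means the single value low."""
    if low == "*":
        return {"*"}
    if not high:
        return {low}
    if low.isdigit() and high.isdigit():
        return {f"{v:02d}" for v in range(int(low), int(high) + 1)}
    return {low, high}  # non-numeric range: keep both ends, flagged later


def audit_display_role(auths):
    """Return (object, reason) findings for entries a display-only role
    cannot guarantee are read-only."""
    by_object = {}
    for obj, field, low, high in auths:
        by_object.setdefault(obj, []).append((field, low, high))
    findings = []
    for obj, fields in sorted(by_object.items()):
        if obj == "S_TCODE":
            if any(lo == "*" or hi for _, lo, hi in fields):
                findings.append((obj, "wildcard/range t-codes: display "
                                      "restriction must come from each t-code's objects"))
            continue
        actvt = [(lo, hi) for f, lo, hi in fields if f == "ACTVT"]
        if not actvt:
            findings.append((obj, "no ACTVT field: cannot be limited to display by activity"))
            continue
        granted = set().union(*(actvt_values(lo, hi) for lo, hi in actvt))
        extra = sorted(granted - DISPLAY_ACTVT)
        if extra:
            findings.append((obj, f"non-display activities granted: {extra}"))
    return findings
```

Run it against a real role's export and every finding is an object the auditors will ask about, exactly the "change/create access in the background" Auke warns of.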