Issues with SAP_ALL - Display only

Former Member

Dear SAP security experts,

I created a role SAP_ALL_DISPLAY inherited from the SAP_ALL profile. I made sure that ACTVT is 03 for all areas. But it still allows some transactions, such as:

RSA6 -- It allows deleting, changing and creating extractors. This is very dangerous.

SM37 -- It allows deleting background jobs, etc.

.....some more I did not know about; I don't have time to check.

Transaction codes like RSA1, SCC*, SPRO are OK. If I fiddle with the check indicators in SU24 for the above tcodes (RSA6, SM37, ...), what are the bad consequences? How can I fix this in an easy way?

Thank you very much

Accepted solution

Former Member

Hi,

There is no easy way. What you can do is make sure that authorization object S_TABU_DIS (ACTVT 03) has no update at all; this controls updates to the database. If you have doubts about a transaction, just try it out with the trace on (ST01). Is there not a SAP_ALL_DISPLAY profile from which you can create a role? It is in R/3.

Have fun

Jan van Roest

Replies

Former Member

Hi,

This is a BI 7.0 system which doesn't have SAP_ALL_DISPLAY.

Manual Table Maintenance (via standard tools such as SM30) - S_TABU_DIS

Activity ACTVT: 03

Authorization Group DICBER: *

The above is 03 (display only).

"object S_TABU_DIS (ACTVT 03) has no update at all" --> Where do I check for update access and remove it? The Ctrl+F search gives only the above display entry in PFCG.

Thanks

Former Member

The solution is simple: take away transactions SM30 and SM31. Never use * for S_TCODE, as this is giving you a lot of problems. Besides, never give debug, and be very careful not to give SE16 or SE16N directly; ONLY allow table access via a custom transaction (a copy of SE16 limited to one specific table only).

Former Member

Make sure all of your S_* objects do not allow any update access.

It sounds like you still have S_BTCH_ADM = Y or * for the access to SM37.

There is a fair bit more work in creating a SAP_ALL_DISPLAY role than just changing activities to 03.

koehntopp
Product and Topic Expert

I guess this needs to be created as an FAQ.

- There is no such thing as SAP_ALL_DISPLAY

- Proposal: create a "display only" role for each functional area in your organisation, i.e. something you could give to every employee working in that area.

- There are LOTS of transactions that couldn't care less about what you put in ACTVT!

- There are display transactions that you do not want to give to people (confidentiality)

- Furthermore, the check for ACTVT might be deactivated in SU24

In a nutshell: don't do that. Find out what the exact requirements for that role are, and create it like that. The way you do it now will have many more backdoors than you will ever be able to fix. How are you going to control/audit misuse?

Alternatively: look at SAP GRC Access Controls and evaluate the FireFighter application - this might help.

Sorry, no easy answer here.

Frank.
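The replies above point at the same pattern: setting ACTVT to 03 everywhere is not enough, because other fields (S_BTCH_ADM = Y, S_TCODE = *, S_BTCH_JOB actions, S_DEVELOP debugging) grant change access on their own, and wildcards or intervals left over from SAP_ALL still cover change activities. The script below is an added example, not code from the thread or from SAP: it reads the role's authorization values in the column layout of table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH), as you would export them with SE16, and flags anything that is not display-only. The rows, the allowed ACTVT set, the S_BTCH_JOB action list and the S_RS_ADMWB interval are constructed assumptions for illustration.

```python
"""Flag non-display authorization values in a PFCG role.

Added example, not from the thread. Input rows mimic the columns of the
AGR_1251 table (AGR_NAME, OBJECT, FIELD, LOW, HIGH); the sample rows at
the bottom are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class AuthValue:
    role: str
    obj: str
    field: str
    low: str
    high: str = ""


# ACTVT values a display-only role may keep (assumption: 03 display,
# 08 display change documents). 01 create, 02 change, 06 delete are write access.
DISPLAY_ACTVT = {"03", "08"}
WRITE_ACTVT = ("01", "02", "06")
# Transactions the replies say never belong in such a role.
FORBIDDEN_TCODES = ("SM30", "SM31", "SE16", "SE16N")
# S_BTCH_JOB actions that go beyond looking at jobs (assumed list).
JOB_WRITE_ACTIONS = ("DELE", "RELE", "PLAN")


def covers(low: str, high: str, value: str) -> bool:
    """True if a field value (single, trailing-* pattern or LOW..HIGH interval)
    covers `value`. Intervals compare character-wise, as the SAP check does."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def audit(rows: Iterable[AuthValue]) -> list[tuple[str, str, str]]:
    """Return (object, field, reason) for every value that is not display-only."""
    findings: list[tuple[str, str, str]] = []
    for r in rows:
        shown = f"{r.low}-{r.high}" if r.high else r.low
        if r.field == "ACTVT":
            # Generic rule for every object: does the value reach a write activity?
            hit = [a for a in WRITE_ACTVT if covers(r.low, r.high, a)]
            if hit:
                findings.append((r.obj, r.field, f"{shown} allows ACTVT {','.join(hit)}"))
        elif r.obj == "S_TCODE" and r.field == "TCD":
            if r.low == "*":
                findings.append((r.obj, r.field, "* grants every transaction"))
            else:
                hit = [t for t in FORBIDDEN_TCODES if covers(r.low, r.high, t)]
                if hit:
                    findings.append((r.obj, r.field, f"{shown} grants {','.join(hit)}"))
        elif r.obj == "S_BTCH_ADM" and r.field == "BTCADMIN" and covers(r.low, r.high, "Y"):
            # Batch administrator: manage (and delete) any job in SM37 regardless of ACTVT.
            findings.append((r.obj, r.field, f"{shown} makes the user batch administrator"))
        elif r.obj == "S_BTCH_JOB" and r.field == "JOBACTION":
            hit = [a for a in JOB_WRITE_ACTIONS if covers(r.low, r.high, a)]
            if hit:
                findings.append((r.obj, r.field, f"{shown} allows job actions {','.join(hit)}"))
        elif r.obj == "S_DEVELOP" and r.field == "OBJTYPE" and covers(r.low, r.high, "DEBUG"):
            # Debugger access is granted through OBJTYPE, not through ACTVT 03.
            findings.append((r.obj, r.field, f"{shown} covers DEBUG"))
    return findings


# Constructed sample: a copy of SAP_ALL with ACTVT set to 03 in PFCG.
SAMPLE_ROWS = [
    AuthValue("SAP_ALL_DISPLAY", "S_TABU_DIS", "ACTVT", "03"),
    AuthValue("SAP_ALL_DISPLAY", "S_TABU_DIS", "DICBER", "*"),
    AuthValue("SAP_ALL_DISPLAY", "S_TCODE", "TCD", "*"),
    AuthValue("SAP_ALL_DISPLAY", "S_BTCH_ADM", "BTCADMIN", "Y"),
    AuthValue("SAP_ALL_DISPLAY", "S_BTCH_JOB", "JOBACTION", "*"),
    AuthValue("SAP_ALL_DISPLAY", "S_DEVELOP", "OBJTYPE", "*"),
    AuthValue("SAP_ALL_DISPLAY", "S_DEVELOP", "ACTVT", "03"),
    # Hypothetical interval left over from SAP_ALL; it silently includes 06.
    AuthValue("SAP_ALL_DISPLAY", "S_RS_ADMWB", "ACTVT", "03", "16"),
]

if __name__ == "__main__":
    for obj, field, reason in audit(SAMPLE_ROWS):
        print(f"{obj:<12} {field:<9} {reason}")
```

The generic ACTVT rule catches the interval case that a Ctrl+F for "02" in PFCG misses; the object-specific rules cover fields that grant change access without any ACTVT at all. Anything the script does not flag still needs the ST01 trace check from the accepted answer, since transactions that do not check ACTVT leave no trace of it in the role.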