Solved: Display Authorisation for ALL transaction ....

Former Member · ‎09-19-2007

Hi Experts,

Our companys wants full authorisation ( sap_all + sap_new ) for Auditors but in Display Mode only.

What I did, I created Z_auditor role and selected all logistic ( Not Tools ) and in authorisation S_TABU_DIS I kept only display.

But in many transaction i seen that there is create, change option available.

Pl. guide us what to do, urgent ?

Yusuf

Former Member · ‎09-19-2007

As already mentioned, it is not recommended to give a copy of SAP_ALL and attempt to make it display only. The main issue with this approach is that you are giving them a wildcard in the S_TCODE auth object. Even if you managed to find all of the objects and changed them to display only, you would still have an issue with some tcodes not calling an auth object - one good example is RZ11 - with this you can maintain some system profile parameter values - no auth object is needed. Better to go the route as suggested here and get them to tell you what tcodes they need.

Former Member · ‎09-19-2007

use the search for SAP_ALL_DISPLAY

this question gets asked every week

If you are not <b>very</b> careful and give the auditors a role that gives too much access in prod, that this will be raised in their audit report.

In your situation I would get an email from the auditors stating exactly what access they need and build an appropriate role.

Message was edited by:

Alex Ayers

Former Member · ‎09-19-2007

Hi Alex,

In ECC 5.0 the SAP_ALL_DISPLAY role/profile is not available.

Yusuf

Former Member · ‎09-19-2007

Hi Yusuf

if you put SAP_ALL_DISPLAY into the search box on this forum, there are many threads which will tell you how to build one that is more suitable for your needs

Cheers

alex

Former Member · ‎09-19-2007

One question:

What inexperienced/amateur Auditors are you working with. An experienced EDP auditor would never want SAP_ALL display access, but will come with a list of TRX and reports they must be able to access , so you could build a custom role from that.

I know that some financial directors/controllers are frightened of auditors thus take the easy way and allow them SAP_ALL. But be aware although it is not your responsibility if you are requested to grant such a Forbidden access, but one of your tasks should be Gate-Keeper, preventing others of making the wrong decision!

Former Member · ‎09-20-2007

Hello Auke & JC,

Thanks for explaination. Now we have decided not to give SAP_ALL for auditor.

We will collect TRX and reports and grant them.

Yusuf

Former Member · ‎09-19-2007

As already mentioned, it is not recommended to give a copy of SAP_ALL and attempt to make it display only. The main issue with this approach is that you are giving them a wildcard in the S_TCODE auth object. Even if you managed to find all of the objects and changed them to display only, you would still have an issue with some tcodes not calling an auth object - one good example is RZ11 - with this you can maintain some system profile parameter values - no auth object is needed. Better to go the route as suggested here and get them to tell you what tcodes they need.

Former Member · ‎09-20-2007

Hello Yusuf,

all the responses belongs u r question is absolutely perfect.

Just try to use the predefined role of SAP. SAP_ALL_DISPLAY.

create a new role with the copy of the same as i mentioned above.

then use this role as per as u r requirement.

its a good process recomonded by SAP.

cheers.....

Sree

Former Member · ‎09-21-2007

Hi Srinivas,

Thanks. But SAP_ALL_DISPLAY is not in ECC 5.0 Version.

Yusuf

koehntopp · ‎09-24-2007

Please DO NOT try to create SAP_ALL_DISPLAY.

There are standard roles for auditors which should be a great start for your roles.

Please look at http://service.sap.com/ais , there you'll find lots of information about the Audit Information System.

Auditors are used to this, usually.

Hope that helps,

Frank.