12-13-2007 3:25 PM
Hi,
How can I restrict specific two to three transactions to a user who is having
sap all profile?
Thanks,
Venkat
12-13-2007 3:30 PM
You can't.
The whole idea of SAP_ALL is that users have access to everything (almost)
Create them a role via PFCG that gives them access to only what they need. Test the role, fix any problems and then assign to the users, not forgetting to remove SAP_ALL
After that look at all the users with SAP_ALL and ask yourself exactly which users need the ability to completely trash your system.
Message was edited by:
Alex Ayers
12-13-2007 3:46 PM
Alex has already given the answer in his question.
Ther is NO reason anyone should have SAP_ALL in any system as the access is far to dangerous.
If someone does not agree i woudl like to hear argumenst that really stick. unitl now no one has been able to give a GOOD reason.
12-13-2007 7:17 PM
You can create a Role from SAP ALL as Modified SAP ALL, form this role remove the transactions you want to restrict and assign to users.
Its not recommended to assign SAP_ALL to users.
Thanks,
Sachin
12-13-2007 10:11 PM
Depending on which transactions you are trying to restrict, your attempt will be more or less futile to only remove (or lock) a transaction.
There are some transactions which react more strictly to removing the transaction code (see function module AUTHORITY_CHECK_TCODE), and again there are others which can quite easily be submitted as reports, for example.
If the user still has full (*) access to all SAP_ALL objects except a range around a few tcodes, they will bypass your security attempts if they want to.
Kind regards,
Julius
12-21-2007 11:19 AM
copy SAP_ALL using SU02 -> utilities ->copy.
and modify as required to the copied role and assign.
12-21-2007 7:58 PM
Hello n k...
>
> copy SAP_ALL using SU02 -> utilities ->copy.
> and modify as required to the copied role and assign.
If you are looking for a new year's resolution, try [SAP note 442935|https://service.sap.com/sap/support/notes/442935] for ideas.
Cheers,
Julius
12-21-2007 9:42 PM
The only requirement is when we open an OSSid else there is no need for SAP_ALL why does a basis guy need to create an asset AS01- tcode ? so SAP _ALL is a big NO NO !