02-19-2008 5:08 AM
Hi gurus,
I have copied SAP_ALL into ZSAP_ALL and I assigned this profile to SD/MM/PP/FI. But I want to restrict some tcodes. Can you tell me the procedure for restricting tcodes in the profile?
Thanks
Ramesh
02-19-2008 5:33 AM
Hi,
Go to tcode SU02 and enter the profile. Search for the authorization object "s_tcode", remove the *, and enter the tcodes that you want to assign to the users.
Regards
Ramgopal
02-19-2008 12:18 PM
Hi Ramesh,
We should not give SAP_ALL to any user in the production environment.
Better practice is to create independent roles for each functional position, at least each functional module. There are a lot of predefined roles in SAP at each process level. Generate them and use them.
If you want more details, please let me know.
Award points if you are satisfied with my answer.
~Praveen
02-21-2008 4:54 AM
Hi Praveen,
I want to assign profiles/roles in the "DEV" system. Can you suggest what type of roles I have to assign to functionals and developers?
Thanks
Ramesh
02-21-2008 12:12 PM
Hi Ramesh
You should ask your developers for the transactions they want to run, meaning day-to-day activities.
Normally they use se37, ssdb, se38 etc.
You can make a role and assign the tcodes to the role and later assign this role to the user.
Like we have an HR implementation and here are some roles given to the abapdev user.
SAP_BC_BMT_WFM_ADMIN
SAP_BC_BMT_WFM_DEVELOPER
SAP_BC_BMT_WFM_GP_ADMIN
SAP_BC_BMT_WFM_GP_SERVICE_USER
SAP_BC_BMT_WFM_UWL_ADMIN
SAP_BC_CM_ADMINISTRATOR
SAP_BC_EMPLOYEE
SAP_BC_ENDUSER
SAP_BPT_IMPLEMENTATION
SAP_EMPLOYEE_ERP
SAP_ESSUSER_ERP
SAP_HR_BN_HR-ADMINISTRATOR
SAP_HR_CM_BEN-COMP-MANAGER
SAP_HR_CM_SPECIALIST
SAP_HR_CPS_CO-ADMINISTRATOR
SAP_HR_CPS_HR-MANAGER
SAP_HR_CP_HR-MANAGER
SAP_HR_ECM_COMP_SPECIALIST
SAP_HR_EMPLOYEE_DE_ERP
SAP_HR_EMPLOYEE_US_ERP
SAP_HR_HAP_ADMINISTRATOR
SAP_HR_KM_INSTRUCTOR
SAP_HR_LSO_TRAININGMANAGER
Also you can assign them custom roles.
Similarly for functional people.
Hope this helps.
02-19-2008 6:24 PM
Hi Ramesh,
Why use SU02 for this requirement when SAP has given something so convenient in PFCG?
If you know what to assign and what to restrict, create a new role using PFCG, use the sap_all template, and restrict the tcodes using ranges. Here you can restrict the objects too, based on the requirement. Another advantage is that you can then also set validity periods on this role assignment, as such a role would be broad in nature.
This forum will give you immense threads on this.
Cheers
Abhishek
Think you should also be well versed by now in which environments such a role is to be restricted.
Edited by: Abhishek Belokar on Feb 19, 2008 7:28 PM
Edited by: Abhishek Belokar on Feb 19, 2008 7:58 PM
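An added example, not part of any post in this thread: a small Python model for reviewing the S_TCODE values left in a copied role, showing how a broad from-to range can still grant developer transactions. It assumes values are single codes, trailing-`*` patterns, or from-to ranges compared as upper-case strings; the function names and the sample value lists are constructed for illustration.

```python
# Simplified model of matching a transaction code against the values
# maintained for authorization object S_TCODE (field TCD).
# Assumption: plain string comparison stands in for the system's collation.

def value_allows(value, tcode):
    """True if one maintained value (single, pattern or range) grants tcode."""
    tcode = tcode.upper()
    if isinstance(value, tuple):              # (from, to) range
        low, high = value[0].upper(), value[1].upper()
        return low <= tcode <= high
    value = value.upper()
    if value.endswith("*"):                   # trailing-wildcard pattern
        return tcode.startswith(value[:-1])
    return tcode == value                     # single value


def reachable(tcd_values, watchlist):
    """Map each watch-listed tcode that is still granted to the granting value."""
    hits = {}
    for tcode in watchlist:
        for value in tcd_values:
            if value_allows(value, tcode):
                hits[tcode] = value
                break
    return hits


# Transactions named in this thread that functional users rarely need.
WATCHLIST = ["SE37", "SE38", "SU02", "PFCG"]

# Constructed samples: the untouched copy of SAP_ALL, and a "restricted"
# role where one convenience range was left too wide.
COPIED_SAP_ALL = ["*"]
RESTRICTED = [("VA01", "VA03"), "ME2*", ("S000", "SM99"), "FB01"]

if __name__ == "__main__":
    for name, values in (("copy of SAP_ALL", COPIED_SAP_ALL),
                         ("restricted role", RESTRICTED)):
        print(name)
        for tcode, value in reachable(values, WATCHLIST).items():
            print(f"  {tcode} still granted by {value!r}")
```

In the constructed restricted role, the range S000 to SM99 still covers SE37 and SE38, so each range needs to be checked against the transactions it is meant to exclude.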
02-20-2008 12:42 AM
Hi Ramesh,
I was facing the same issue which you are facing. I wasn't sure what T-codes the Functional Consultants needed access to and I did not want to give them sap_all. Here is what I did.
1. Created a role Z:Sap_All and copied the sap_all profile into it.
2. Disabled all the Basis Objects (BC_A, BC_C, BC_Z) and left the rest enabled with full permissions.
Now, if any Functional Consultant needed access to some Basis Tcode (which they will, if this is for QA or Dev or if you haven't gone live), I just added it to the menu on a request basis.
I know that this is not a very effective way of managing Security, but at least you do not have to worry about Function Consultants messing with Basis Tcodes. This also ensures that you have SOME amount of security if you do not have much time to spend on it.
Kunal