Restrict Authorization in SAP_ALL & SAP_NEW for SCC4 T-CODE only display

Former Member
0 Kudos

Hi,

I want to restrict 'Change' mode for SCC4 T-CODE for devuser, who has complete authorization with profiles SAP_ALL and SAP_NEW. Only 'Display' should be allowed for SCC4. For devuser no roles are assigned.

For other users, roles are assigned with a restriction in the authorization at "Basis: Administration -> Table Maintenance (via standard tools such as SM30) -> Activity": for authorization object S_TABU_DIS only 'Display' is allowed.

Abhijit.

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos

Well first, regenerate SAP_ALL so you can forget about SAP_NEW.

Now create a role based on SAP_ALL, adjust that to your needs and assign it to your users.

11 REPLIES 11

0 Kudos

Hi

How to create a role based on a Profile SAP_ALL in PFCG?

Thanks,

Abhijit

0 Kudos

> How to create a role based on a Profile SAP_ALL in PFCG?

Go to PFCG

Create an empty single role

Go to the authorizations tab

Click on 'change authorization data'

Click on 'do not select templates'

Go to menu 'edit' -> 'Insert authorization(s)' -> 'From profile'

Enter "SAP_ALL" and hit ENTER.

Jurjen

Former Member
0 Kudos

Hi,

Create a role in PFCG. Add transaction SCC4.

Go to change authorization data and give only display activity to the authorization objects.

Generate the profile, save it and assign it to the user, then do a user comparison.

It gives only display for SCC4. Let me know if there are any problems with it.

regards,

raju

0 Kudos

Hi Raju,

I am wondering how would this role restrict the user to display access with something like sap_all behind?

-Abhishek

0 Kudos

> Hi Raju,
>
> I am wondering how would this role restrict the user to display access with something like sap_all behind?
>
> -Abhishek

Realistically I think you will find it very difficult to provide proper restriction.

0 Kudos

> I am wondering how would this role restrict the user to display access with something like sap_all behind?

Nope, SAP_ALL (if properly configured and generated) means 'access to everything'. If you give that to a user that is exactly what he/she has.

The SAP authorization concept does not provide a way to 'retract' earlier given authorizations.
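Added example (not part of the original thread or SAP code): a simplified Python model of the additive check discussed above, showing that a display-only role added next to SAP_ALL changes nothing, while a role built from SAP_ALL and then adjusted does restrict. It models only S_TABU_DIS, the object named in the question, with its fields DICBERCLS and ACTVT; the group names `ZGRP`, `ZOTH1` and `ZOTH2` are constructed placeholders, and any other objects SCC4 checks are not modelled.

```python
# Simplified model of an additive authorization check (illustration only, not SAP code).
CHANGE, DISPLAY = "02", "03"       # ACTVT values: 02 = change, 03 = display
TABLE_GROUP = "ZGRP"               # constructed placeholder authorization group
OTHER_GROUPS = ["ZOTH1", "ZOTH2"]  # constructed: groups that keep change access

def auth(obj, **fields):
    """One authorization: an object plus the allowed values for each field."""
    return {"object": obj, "fields": {k: set(v) for k, v in fields.items()}}

def matches(authorization, obj, wanted):
    """True if this single authorization covers every requested field value."""
    if authorization["object"] != obj:
        return False
    for field, value in wanted.items():
        allowed = authorization["fields"].get(field, set())
        if "*" not in allowed and value not in allowed:
            return False
    return True

def check(user_auths, obj, **wanted):
    """Additive evaluation: any one matching authorization grants access.
    There is no deny entry, so a narrower authorization cannot veto a wider one."""
    return any(matches(a, obj, wanted) for a in user_auths)

# Model of SAP_ALL for the one object looked at here: every field is "*".
SAP_ALL = [auth("S_TABU_DIS", DICBERCLS=["*"], ACTVT=["*"])]

# A separate display-only role, as proposed in the thread.
DISPLAY_ROLE = [auth("S_TABU_DIS", DICBERCLS=[TABLE_GROUP], ACTVT=[DISPLAY])]

# A role built from SAP_ALL and then adjusted: the "*" group is replaced by an
# explicit list, and the group to protect keeps display only.
DERIVED_ROLE = [
    auth("S_TABU_DIS", DICBERCLS=OTHER_GROUPS, ACTVT=["*"]),
    auth("S_TABU_DIS", DICBERCLS=[TABLE_GROUP], ACTVT=[DISPLAY]),
]

def can_change(user_auths, group=TABLE_GROUP):
    return check(user_auths, "S_TABU_DIS", DICBERCLS=group, ACTVT=CHANGE)

def can_display(user_auths, group=TABLE_GROUP):
    return check(user_auths, "S_TABU_DIS", DICBERCLS=group, ACTVT=DISPLAY)

if __name__ == "__main__":
    for name, auths in [("SAP_ALL", SAP_ALL),
                        ("SAP_ALL + display role", SAP_ALL + DISPLAY_ROLE),
                        ("role derived from SAP_ALL", DERIVED_ROLE)]:
        print(f"{name}: change={can_change(auths)} display={can_display(auths)}")
```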

0 Kudos

That's how SAP works I guess, it's designed to grant access, not block access.

My question was actually referenced to Raju, I think I misunderstood him, that's why thought...best to clarify.

-Abhishek

0 Kudos

> My question was actually referenced to Raju, I think I misunderstood him, that's why thought...best to clarify.

Ah, missed out on that one. Good though. Let's ask it again:

Raju, how would you have envisioned such a construction, where someone has SAP_ALL and something else to make a part of SAP_ALL not work?

0 Kudos

>... something else to make a part of SAP_ALL not work?

2 ideas:

- If the regeneration of SAP_ALL could check that the user running it does not have any SAP_ALL authorizations? Meaning, they would need to know exactly which non-SAP role authorizations (their technical names) have that authority in it. Many folks who only work with SAP_ALL don't know how to do that.

- If there were some way to isolate the program parts which are required to change SCC4 such that they can only be run with root privileges, then you do not need to give your SAP system (with SAP_ALL) root access...?

Disclaimer: Just ideas! Complete overkill!!

=> Does restricting the user's access sound like a much easier idea now?

Cheers,

Julius

Former Member
0 Kudos

Hi Abhijit,

Jurjen has got it all covered. That would be the appropriate way.

-Abhishek