02-19-2008 10:00 AM
hi,
I want to restrict 'Change' mode for SCC4 T-CODE to devuser having complete authorization with profiles SAP_ALL and SAP_NEW. Only 'Display' should be allowed for SCC4. For devuser no roles are assigned.
For other users, roles are assigned with a restriction in the authorization at "Basis: Administration -> Table Maintenance (via standard tools such as SM30) -> Activity": for authorization object S_TABU_DIS only 'Display' is allowed.
Abhijit.
02-19-2008 10:11 AM
Well first, regenerate SAP_ALL so you can forget about SAP_NEW.
Now create a role based on SAP_ALL, adjust that to your needs and assign it to your users.
09-15-2008 8:30 AM
09-15-2008 8:50 AM
> How to create a role based on a Profile SAP_ALL in PFCG?
Go to PFCG
Create an empty single role
Go to the authorizations tab
Click on 'change authorization data'
Click on 'do not select templates'
Go to menu 'edit' -> 'Insert authorization(s)' -> 'From profile'
Enter "SAP_ALL" and hit ENTER.
Jurjen
02-19-2008 4:15 PM
Hi,
Create a role in PFCG. Add transaction SCC4.
Go to change authorization data and give only display activity to the authorization objects.
Generate the profile, save it and assign it to the user, then do a user comparison.
It gives only display for SCC4. Let me know if there are any problems with it.
regards,
raju
02-19-2008 6:15 PM
Hi Raju,
I am wondering how would this role restrict the user to display access with something like sap_all behind?
-Abhishek
02-19-2008 6:18 PM
>
> Hi Raju,
>
> I am wondering how would this role restrict the user to display access with something like sap_all behind?
>
> -Abhishek
Realistically I think you will find it very difficult to provide proper restriction.
02-19-2008 6:24 PM
>
> I am wondering how would this role restrict the user to display access with something like sap_all behind?
Nope, SAP_ALL (if properly configured and generated) means 'access to everything'. If you give that to a user that is exactly what he/she has.
The SAP authorization concept does not provide a way to 'retract' earlier given authorizations.
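A simplified model of the point made in this thread, added here as an example and not taken from any poster or from SAP: authorizations are additive, so a display-only role stacked on SAP_ALL changes nothing, while a role copied from SAP_ALL and then narrowed does. The helper names and the authorization group `ZGRP` are constructed for illustration, and the profile contents are reduced to S_TCODE and S_TABU_DIS.

```python
# Simplified model of an ABAP AUTHORITY-CHECK (illustration only, not SAP code).
# A check passes if ANY one authorization the user holds covers ALL requested
# field values; "*" matches anything. There is no "deny" entry.
CHANGE, DISPLAY = "02", "03"   # standard ACTVT values
TABLE_GROUP = "ZGRP"           # constructed placeholder authorization group

def auth(obj, **fields):
    return (obj, {name: set(values) for name, values in fields.items()})

def authority_check(user_auths, obj, **wanted):
    def covers(allowed, value):
        return "*" in allowed or value in allowed
    return any(
        held_obj == obj
        and all(covers(held.get(f, set()), v) for f, v in wanted.items())
        for held_obj, held in user_auths
    )

# Profile contents reduced to the two objects relevant here (assumption).
SAP_ALL = [auth("S_TCODE", TCD=["*"]),
           auth("S_TABU_DIS", ACTVT=["*"], DICBERCLS=["*"])]
DISPLAY_ROLE = [auth("S_TCODE", TCD=["SCC4"]),
                auth("S_TABU_DIS", ACTVT=[DISPLAY], DICBERCLS=[TABLE_GROUP])]

def derive_from(profile, obj, field, values):
    """Copy a profile's authorizations and narrow one field of one object."""
    return [(o, {**f, field: set(values)} if o == obj else dict(f))
            for o, f in profile]

def can(user_auths, activity):
    """Model of the checks needed to use SCC4 with the given activity."""
    return (authority_check(user_auths, "S_TCODE", TCD="SCC4")
            and authority_check(user_auths, "S_TABU_DIS",
                                ACTVT=activity, DICBERCLS=TABLE_GROUP))

def scenarios():
    stacked = SAP_ALL + DISPLAY_ROLE   # display role added on top of SAP_ALL
    adjusted = derive_from(SAP_ALL, "S_TABU_DIS", "ACTVT", [DISPLAY])
    return {
        "stacked_change": can(stacked, CHANGE),
        "adjusted_change": can(adjusted, CHANGE),
        "adjusted_display": can(adjusted, DISPLAY),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

In the model, narrowing ACTVT on S_TABU_DIS applies to every authorization group, not only the one SCC4 needs.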
02-19-2008 6:37 PM
That's how SAP works I guess, it's designed to grant access, not block access.
My question was actually referenced to Raju, I think I misunderstood him, that's why I thought... best to clarify.
-Abhishek
02-19-2008 6:43 PM
>
> My question was actually referenced to Raju, I think I misunderstood him, that's why I thought... best to clarify.
Ah, missed out on that one. Good though. Let's ask it again:
Raju, how would you have envisioned such a construction, where someone has SAP_ALL and something else to make a part of SAP_ALL not work?
02-19-2008 8:54 PM
>
>... something else to make a part of SAP_ALL not work?
2 ideas:
- If the regeneration of SAP_ALL could check that the user running it does not have any SAP_ALL authorizations? Meaning, they would need to know exactly which non-SAP role authorizations (their technical names) have that authority in it. Many folks who only work with SAP_ALL don't know how to do that.
- If there were some way to isolate the program parts which are required to change SCC4 such that they can only be run with root privileges, then you do not need to give your SAP system (with SAP_ALL) root access...?
Disclaimer: Just ideas! Complete overkill!!
=> Does restricting the user's access sound like a much easier idea now?
Cheers,
Julius
02-19-2008 6:17 PM
Hi Abhijit,
Jurjen has got it all covered. That would be the appropriate way.
-Abhishek