03-12-2008 11:52 AM
Hi
We have Consultants with SAP_ALL & SAP_NEW on the system but no Role is assigned to them.
We need to restrict some of these consultants to certain Company Codes.
Please can anybody give me the procedure on How we can restrict them to Certain Company Codes without taking SAP_ALL away?
I know nobody is allowed to have SAP_ALL but this is the setup and I need to restrict access as is.
Please help urgently
03-12-2008 11:59 AM
the only solution is to create a role called Z_SAPALL as a copy of SAP_ALL and in that role delimit the company code orglevel.
Would suggest to go asap for a real solution and assign normal roles to the consultnats.
Edited by: Auke Visser on Mar 12, 2008 12:59 PM
03-12-2008 2:43 PM
> Please can anybody give me the procedure on How we can restrict them to Certain Company Codes without taking SAP_ALL away?
SAP_ALL is "all authorizations for the system". How would you restrict "all authorizations for the system" without removing it?
The "quick and dirty" way as mentioned by Auke is very insecure. Eg: They could display the tables directly, even if you restrict all BUKRS fields. Or, just give themselves SAP_ALL back again. There will be many more ways for them to bypass your security.
Take a look at some of the other posts on restricting SAP_ALL here at SDN. Keep an eye out for the expression "Make them do their job by giving you the transactions and authorizations which they do need".
Cheers,
Julius
11-05-2008 6:38 AM
Thanks...They should do their jobs and tell me what access they do and do not need!