
Profile without basis permissions

Former Member
0 Kudos

Hi all,

How can I create a profile for many users without basis transactions (e.g. sm04, sm50, db02, etc.)? These users now have SAP_ALL, SAP_NEW profiles.

Please!!!

14 REPLIES 14

Former Member
0 Kudos

You can't.

SAP_ALL means EVERYTHING

Give me one good reason why a user should have access to 20000+ transactions

Create the user based on the transactions which they need. Do not start with SAP_ALL or you will remove functions in one place & they will just perform them somewhere else

Former Member
0 Kudos

Hi Alex,

I know what SAP_ALL is. I want to remove that profile from all users that have it; until the other consultants define the permissions for all users, I want to remove basis transactions.

Thanks, Alex.

0 Kudos

Hi Francisco,

It's not that easy really, but one place to start is to create a role based on SAP_ALL and go through and remove most of the S_* objects or at least only give the display options for them. The role will likely still have a lot of holes, but it's a start.

Removing only the transactions will do nothing as the underlying access will remain and there are many ways to get to each function.

Good luck!

former_member1061482
Participant
0 Kudos

One way that I would suggest is to make a list of non BASIS profiles which you want to use (which have currently been assigned to users from function modules other than BASIS).

Go to PFCG.

Give the new role name (which you want to create) and role description.

Go to Authorization tab -> Change Authorization Data.

Go to Edit -> Insert Authorizations -> From Profiles.

Give the profile names one by one which you have selected to use.

Update the org level values and other open field values and generate the role.

Former Member
0 Kudos

Hi Francisco...

No wonder I saw many Sec. consultants in similar situations...I saw this issue discussed in one of my SAP BI Security classes...

I was in similar situation like you are two months back...on my brand new SCM system.....

As BA or partners were not ready to define me standard roles/tcodes I had to give SAP_ALL to them...after spending a week of sleepless nights......I customized a role from SAP_ALL, I restricted almost like more than 300 critical basis/security/db config by defining ranges in S_TCODE...I tested it can be satisfied.....

I think you can give it a try by defining ranges in S_TCODE....if you want to try the ranges......give your email id...I will email you the ranges and the tcodes restricted.....

I would promise, you will have good sleep.....however you need to insist BA or partner consultants to define roles on Quality/Test box and Production....because my role will give elevated access...

If you may want to try let me know.....

Thanks

0 Kudos

Anil,

If you have restricted by S_TCODE ranges then your role will not provide any useful restriction. Unless you restrict by object values you might as well save yourself the time and give them SAP_ALL.

0 Kudos

That's right!

Restriction by S_TCODE always leaves some back-door entries of accessing the critical t-codes.
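
An added example, not part of any post in this thread: a Python check over constructed rows shaped like an AGR_1251 role export. It compares a SAP_ALL copy restricted only by S_TCODE ranges with one where the S_* object values were cut down. The role names, the rows and the `CRITICAL` object set are assumptions made for illustration.

```python
from collections import defaultdict

# Basis objects checked here: an assumption for this example, extend as needed.
CRITICAL = {"S_ADMI_FCD", "S_TABU_DIS", "S_DEVELOP", "S_USER_GRP"}

# Constructed rows shaped like an AGR_1251 export: (role, object, field, low, high).
# Role names and values are made up for illustration.
ROWS = [
    # Copy of SAP_ALL "restricted" only by S_TCODE ranges that skip SM*.
    ("Z_ALL_TCODE_CUT", "S_TCODE", "TCD", "A000", "SL99"),
    ("Z_ALL_TCODE_CUT", "S_TCODE", "TCD", "SN00", "ZZZZ"),
    ("Z_ALL_TCODE_CUT", "S_ADMI_FCD", "S_ADMI_FCD", "*", ""),
    ("Z_ALL_TCODE_CUT", "S_TABU_DIS", "ACTVT", "*", ""),
    ("Z_ALL_TCODE_CUT", "S_TABU_DIS", "DICBERCLS", "*", ""),
    ("Z_ALL_TCODE_CUT", "S_DEVELOP", "ACTVT", "01", "03"),
    # Copy of SAP_ALL where the S_* objects were cut to display or removed.
    ("Z_ALL_OBJ_CUT", "S_TCODE", "TCD", "*", ""),
    ("Z_ALL_OBJ_CUT", "S_TABU_DIS", "ACTVT", "03", ""),
    ("Z_ALL_OBJ_CUT", "S_TABU_DIS", "DICBERCLS", "*", ""),
    ("Z_ALL_OBJ_CUT", "S_USER_GRP", "ACTVT", "03", ""),
]

def tcode_allowed(rows, role, tcode):
    """True if a full wildcard or a low/high range of the role covers the tcode."""
    for r, obj, _, low, high in rows:
        if r == role and obj == "S_TCODE":
            if low == "*" or low <= tcode <= (high or low):
                return True
    return False

def beyond_display(rows):
    """Return {role: [critical objects granting more than display (ACTVT 03)]}."""
    grouped = defaultdict(list)
    for role, obj, field, low, high in rows:
        if obj in CRITICAL:
            grouped[(role, obj)].append((field, low, high))
    findings = defaultdict(list)
    for (role, obj), vals in sorted(grouped.items()):
        actvt = [(lo, hi) for f, lo, hi in vals if f == "ACTVT"]
        if actvt:  # risky unless every activity value is exactly 03
            risky = any(not (lo == "03" and hi in ("", "03")) for lo, hi in actvt)
        else:      # object with no activity field, e.g. S_ADMI_FCD
            risky = any(lo == "*" for _, lo, _ in vals)
        if risky:
            findings[role].append(obj)
    return dict(findings)

if __name__ == "__main__":
    print("SM04 via S_TCODE:", tcode_allowed(ROWS, "Z_ALL_TCODE_CUT", "SM04"))
    print(beyond_display(ROWS))
```

The S_TCODE-only role blocks SM04 at the transaction check yet is still reported for every critical object, while the role cut down by object values produces no finding even with S_TCODE left at `*`.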

0 Kudos

Duplicate post

Edited by: Hemant Raj on May 3, 2008 7:12 PM

0 Kudos

Hi Anil,

Can you help me with your role......I want to try it .......if you like to share it with me.......... email id = manjula.matha from GMAIL

0 Kudos

Please look at O* tcodes also.

Harinder

0 Kudos

Hi Kumar,

Can you post those t-codes in this thread...

Thank you...

Former Member
0 Kudos

Hi Anil,

You really will help me with your role......I want to try it .......if you like to share it with me.......... email id = daniel.uvm from GMAIL

Thanks to all for your help

Former Member
0 Kudos

Good Morning All - As per Alex's note, I just forgot to tell you that apart from ranges in S_TCODE I also disabled some of the critical S_* objects just to be on the safer side.

Thanks!

Former Member
0 Kudos

Hi all,

Thanks all for your help, I will try this solution.

thanks ....