05-01-2008 9:00 PM
Hi all,
How can I create a profile for many users without basis transactions (e.g. sm04, sm50, db02, etc.)? These users now have the SAP_ALL and SAP_NEW profiles.
Please!!!
05-01-2008 9:23 PM
You can't.
SAP_ALL means EVERYTHING
Give me one good reason why a user should have access to 20000+ transactions
Create the user based on the transactions which they need. Do not start with SAP_ALL or you will remove functions in one place & they will just perform them somewhere else.
05-01-2008 10:02 PM
Hi Alex,
I know what SAP_ALL is. I want to remove that profile from all users that have it; until the other consultants define the permissions for all users in detail, I want to remove basis transactions.
Thanks, Alex.
05-01-2008 10:30 PM
Hi Francisco,
It's not that easy really, but one place to start is to create a role based on SAP_ALL and go through and remove most of the S_* objects or at least only give the display options for them. The role will likely still have a lot of holes, but it's a start.
Removing only the transactions will do nothing as the underlying access will remain and there are many ways to get to each function.
Good luck!
05-02-2008 11:17 AM
One way that I would suggest is to make a list of non BASIS profiles which you want to use (which have currently been assigned to users from function modules other than BASIS).
Go to PFCG.
Give the new role name (which you want to create) and role description.
Go to Authorization tab -> Change Authorization Data.
Go to Edit -> Insert Authorizations -> From Profiles.
Give the profile names one by one which you have selected to use.
Update the org level values and other open field values and generate the role.
05-02-2008 6:58 PM
Hi Francisco...
No wonder I saw many Sec. consultants in similar situations...I saw this issue discussed in one of my SAP BI Security classes...
I was in a similar situation to yours two months back...on my brand new SCM system.....
As BA or partners were not ready to define me standard roles/tcodes I had to give SAP_ALL to them...after spending a week of sleepless nights......I customized a role from SAP_ALL, I restricted almost like more than 300 critical basis/security/db config by defining ranges in S_TCODE...I tested it can be satisfied.....
I think you can give it a try by defining ranges in S_TCODE....if you may want to try the ranges......give your email id...I will email you the ranges and the tcodes restricted.....
I would promise, you will have good sleep.....however you need to insist BA or partner consultants to define roles on Quality/Test box and Production....because my role will give elevated access...
If you may want to try let me know.....
Thanks
05-03-2008 3:14 PM
Anil,
If you have restricted by S_TCODE ranges then your role will not provide any useful restriction. Unless you restrict by object values you might as well save yourself the time and give them SAP_ALL.
05-03-2008 6:10 PM
That's right!
Restriction by S_TCODE always leaves some back-door entries of accessing the critical t-codes.
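The point made in the replies above (narrowing S_TCODE leaves the object-level access in place), as an added example that is not part of the original thread. The role data is constructed, the dictionary layout is an assumption rather than an SAP export format, and ranges are compared as plain strings as a simplification:

```python
# Added illustration: role data is constructed, not taken from a real system.
# Assumed model: role = {authorization object: {field: [values]}}; a value is
# "*" (full), a single value, or a (low, high) range compared as strings.

BASIS_TCODES = ["sm04", "sm50", "db02"]  # transactions named in the question

ROLE = {  # hypothetical role copied from SAP_ALL, then narrowed mainly in S_TCODE
    "S_TCODE": {"TCD": [("A", "DB01"), ("DB03", "SM03"),
                        ("SM05", "SM49"), ("SM51", "ZZZZ")]},
    "S_ADMI_FCD": {"S_ADMI_FCD": ["*"]},
    "S_USER_GRP": {"CLASS": ["*"], "ACTVT": ["*"]},
    "S_TABU_DIS": {"DICBERCLS": ["*"], "ACTVT": ["03"]},  # display only
}

def value_covers(value, wanted):
    """True if one authorization value (star, range or single) covers 'wanted'."""
    if value == "*":
        return True
    if isinstance(value, tuple):
        low, high = value
        return low <= wanted <= high
    return value == wanted

def tcode_allowed(role, tcode):
    """Check only the S_TCODE start authorization for a transaction code."""
    values = role.get("S_TCODE", {}).get("TCD", [])
    return any(value_covers(v, tcode.upper()) for v in values)

def unrestricted_objects(role):
    """Objects other than S_TCODE in which every field still carries '*'."""
    return sorted(obj for obj, fields in role.items()
                  if obj != "S_TCODE"
                  and all("*" in vals for vals in fields.values()))

def audit(role, tcodes=BASIS_TCODES):
    """Report what the S_TCODE ranges block and what stays open underneath."""
    return {
        "blocked_tcodes": [t for t in tcodes if not tcode_allowed(role, t)],
        "unrestricted_objects": unrestricted_objects(role),
    }

if __name__ == "__main__":
    report = audit(ROLE)
    print("Blocked at S_TCODE level:", report["blocked_tcodes"])
    print("Objects still fully open:", report["unrestricted_objects"])
```

A role is only meaningfully narrower than SAP_ALL once the second list is empty; an object reduced to display values, like S_TABU_DIS here, no longer appears in it.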
05-03-2008 6:11 PM
05-09-2008 5:09 AM
Hi Anil,
Can you help me with your role......i want to try it .......if you like to share it with me.......... email id = manjula.matha from GMAIL
05-13-2008 4:22 AM
05-13-2008 5:38 AM
05-02-2008 11:44 PM
Hi Anil,
You really will help me with your role......i want to try it .......if you like to share it with me.......... email id = daniel.uvm from GMAIL
thanks to all for your help
05-05-2008 4:36 PM
Good Morning All - As per Alex's note, just forgot to tell you that apart from ranges in S_TCODE I also disabled some of the critical S_* objects just to be on the safe side.
Thanks!
05-08-2008 8:26 PM