Using Google Chrome?

Download my
free Chrome Extension, Power Notes Searcher, to make searching for and evaluating SAP notes, much easier.

Recent Posts

Saturday, November 17, 2012

SAP_ALL modified role

Have you got a SAP Development system where the developers insist they have SAP_ALL, but you know this is just wrong.
Well, here's a neat solution that removes certain authorisations like user admin in SU01 and adjusting auditing (SM19), RFC admin (SM59) etc.

Using transaction PFCG, create a new single role.
Add a description and save the role.
On the Authorisations tab generate a new profile and then edit the authorisations "Change Authorization Data".
Do not select any Templates.
From the "Authorizations" screen, select "Edit -> Insert Authorization(s) -> from profile...".
On the popup, enter profile "SAP_ALL".

Now adjust the profile as required.
I usually adjust the following authorisation objects:

S_ADMI_FCD - BTCH, FONT, SM21, SP01
S_OSS1_CTL - 16
S_USER_AGR - 03, 08
S_USER_AUT - 03, 08
S_USER_GRP - 03, 08
S_USER_OBJ - [NO AUTH]
S_USER_PRO - 03, 08
S_USER_SAS - [NO AUTH]
S_USER_SYS - 03
s_XMB_ACT - [DEPENDS ON USAGE OF XI/PI]
S_TRANSPRT - [CREATE TASKS, SEPARATE ROLE FOR CREATE TRANSPORTS]
S_IDOCPART - 03
S_IDOCPORT - 03
S_SCD0 - 08, 12

You can then save and assign the role to the developers.