07-16-2016 11:31 AM
Hi All,
I would like to know SAP best practice to provide display/reporting transaction access to end users for ECC modules (MM/SD/FI/CO/QM/PP)
Do we need to create separate display roles and one display role for all tasks while implementing Security roles ?
Eg. SD display and Maintain roles:-
different display roles for all below SD tasks or a single display role with below tasks
Pricing Display
Output Display
Contract Display
Master Data Display
Credit Mgmt Display
Sales Order Display
Maintenance roles for SD tasks
Pricing Maintenance
Output Maintenance
Contract Maintenance
Master Data Maintenance
Credit Mgmt Maintenance
Sales Order Maintenance
Regards
Shradha
07-16-2016 1:45 PM
Hello Shradha,
For Providing display access to End-users different best way is to create Display Role for all the activities / Task and assign the same to End-users or Cross Functional user where ever necessary .
Different organizations follow different policies and procedures and assignment of role depends on the organization , for this purpose try to create roles based on Position and Map tasks performed by these users.
Regards
Bhupesh Akkineni
07-18-2016 7:44 AM
Hi Raghu,
Thanks for your reply.. My organization wants to give display access of all functional modules to all users. I would like to know which is good practice for accomplish this task.
Create one display role with required transactions for each SAP module (FI/SD/CO/PP/QM/MM) and merge all in a composite role for end user assignment Or create multiple display role in each module depends on functional area eg. below all are display role under SD and merge multiple roles in a composite role for each module:-
Pricing Display
Output Display
Contract Display
Master Data Display
Credit Mgmt Display
Sales Order Display
As per my understanding better to create one display role for each module with required tcodes not multiple display roles. Please advise.
Regards
Shradha
07-18-2016 1:19 PM
Hi Shardha
Usually it will be a one functional display role for all the modules, as long as personal sensitive and sensitive details are not accessible through that role.
Worked in couple in projects , Most likely it is one display role.
Cheers
Pavan M
07-19-2016 10:18 AM
Hello Pavan,
how did you check/assure, that all transactions, which you entered in your role(s) really check for activity=display (most commen field ACTVT)? (example: FB00 - you can change settings w/o any check for ACTVT)....
What about transactions, which are called by 'call transaction without authority-check' statement or for which se97 switched off the start check (example CRF4->FB02)?
b.rgds, Bernhard
07-19-2016 10:35 AM
Hi Shradha,
Mainly some display Tcodes are there for functional Side, functional consultants give that to create Display only role. They know the Display only Tcodes in you have mentioned functional side.
I have already the the Display Only Role (SD, MM , FI ), You can add any Tcode that you want to display to the Role, it shows display only.
If you comment your Email ID I will send you, there is no option to send the Roles through SCN .
Hope Its help you,
It helps one post in SCN 4 days back...
Thanks and Regards,
Sajmal
08-03-2016 10:01 AM
Hi Sajmal,
Thanks for your reply. Please send me on <removed by moderator>
Regards
Shradha
08-03-2016 10:52 AM
Hi Sradha,
Hope it helps you, if it is not please let me know.
see this also, Creating an SAP_ALL Display Only Role | SCN
It will help you for the solution is my suggestion not works.
Thanks and Regards,
Sajmal
07-19-2016 10:53 AM
Hi Shradha,
Is it is not possible to display only authorization for all modules. one more way to selected display only Tcodes (from function team) for the User, for this method create display only Role but if lot of Tcodes is there it is some time taken process.
Goto PFCG , Create a Role with that you want to display only tcodes.
In Authorization Tab click "Change Authorization Data" and in the opened window click "ctrl+F" and type "Activity" in field text and click "Find Field", shows on bellow image,
It will shows all Activity field in your Role,
Goto every activity , click on the Pencil and choose that to "Display or Read"only (Tick Display only or Read only tab only) . I will give read only access.
After Complete it don't forget to "Generate" the profile for the Role.
Hope it will also help you
Thanks and Regards,
Sajmal
08-03-2016 10:10 AM
Shradha,
The best option is create a role with sap_all access. then download it as a txt file. Then replace ACTVT value to 03 , which is display.
Other option is in SCN i found one role. That particular role contain 95% of display access only. You can upload that to a new role which is created.
Praveen
09-30-2016 12:28 PM
Hi Shradha,
Did you get solution from any of the replays, if yes please mark as "Correct answer", or please mention the correct answer you get, it helps to the others have same question.
Thanks & Regards,
Sajmal
10-04-2016 10:40 AM
well, some never learn..... Although discussed already several times.
Funny suggestions with sap_all-role-modifications etc. ....
discussion locked.