Display transaction access for all SAP modules?

former_member451480 · ‎07-16-2016

Hi All,

I would like to know SAP best practice to provide display/reporting transaction access to end users for ECC modules (MM/SD/FI/CO/QM/PP)

Do we need to create separate display roles and one display role for all tasks while implementing Security roles ?

Eg. SD display and Maintain roles:-

different display roles for all below SD tasks or a single display role with below tasks

Pricing Display

Output Display

Contract Display

Master Data Display

Credit Mgmt Display

Sales Order Display

Maintenance roles for SD tasks

Pricing Maintenance

Output Maintenance

Contract Maintenance

Master Data Maintenance

Credit Mgmt Maintenance

Sales Order Maintenance

Regards

Shradha

Former Member · ‎07-16-2016

Hello Shradha,

For Providing display access to End-users different best way is to create Display Role for all the activities / Task and assign the same to End-users or Cross Functional user where ever necessary .

Different organizations follow different policies and procedures and assignment of role depends on the organization , for this purpose try to create roles based on Position and Map tasks performed by these users.

Regards

Bhupesh Akkineni

former_member451480 · ‎07-18-2016

Hi Raghu,

Thanks for your reply.. My organization wants to give display access of all functional modules to all users. I would like to know which is good practice for accomplish this task.

Create one display role with required transactions for each SAP module (FI/SD/CO/PP/QM/MM) and merge all in a composite role for end user assignment Or create multiple display role in each module depends on functional area eg. below all are display role under SD and merge multiple roles in a composite role for each module:-

Pricing Display

Output Display

Contract Display

Master Data Display

Credit Mgmt Display

Sales Order Display

As per my understanding better to create one display role for each module with required tcodes not multiple display roles. Please advise.

Regards

Shradha

Former Member · ‎07-18-2016

Hi Shardha

Usually it will be a one functional display role for all the modules, as long as personal sensitive and sensitive details are not accessible through that role.

Worked in couple in projects , Most likely it is one display role.

Cheers

Pavan M

Bernhard_SAP · ‎07-19-2016

Hello Pavan,

how did you check/assure, that all transactions, which you entered in your role(s) really check for activity=display (most commen field ACTVT)? (example: FB00 - you can change settings w/o any check for ACTVT)....

What about transactions, which are called by 'call transaction without authority-check' statement or for which se97 switched off the start check (example CRF4->FB02)?

b.rgds, Bernhard

Former Member · ‎07-19-2016

Hi Shradha,

Mainly some display Tcodes are there for functional Side, functional consultants give that to create Display only role. They know the Display only Tcodes in you have mentioned functional side.

I have already the the Display Only Role (SD, MM , FI ), You can add any Tcode that you want to display to the Role, it shows display only.

If you comment your Email ID I will send you, there is no option to send the Roles through SCN .

Hope Its help you,

It helps one post in SCN 4 days back...

Thanks and Regards,

Sajmal

former_member451480 · ‎08-03-2016

Hi Sajmal,

Thanks for your reply. Please send me on <removed by moderator>

Regards

Shradha

Former Member · ‎08-03-2016

Hi Sradha,

Hope it helps you, if it is not please let me know.

see this also, Creating an SAP_ALL Display Only Role | SCN

It will help you for the solution is my suggestion not works.

Thanks and Regards,

Sajmal

Former Member · ‎07-19-2016

Hi Shradha,

Is it is not possible to display only authorization for all modules. one more way to selected display only Tcodes (from function team) for the User, for this method create display only Role but if lot of Tcodes is there it is some time taken process.

Goto PFCG , Create a Role with that you want to display only tcodes.

In Authorization Tab click "Change Authorization Data" and in the opened window click "ctrl+F" and type "Activity" in field text and click "Find Field", shows on bellow image,

It will shows all Activity field in your Role,

Goto every activity , click on the Pencil and choose that to "Display or Read"only (Tick Display only or Read only tab only) . I will give read only access.

After Complete it don't forget to "Generate" the profile for the Role.

Hope it will also help you

Thanks and Regards,

Sajmal

former_member183044 · ‎08-03-2016

Shradha,

The best option is create a role with sap_all access. then download it as a txt file. Then replace ACTVT value to 03 , which is display.

Other option is in SCN i found one role. That particular role contain 95% of display access only. You can upload that to a new role which is created.

Praveen

Former Member · ‎09-30-2016

Hi Shradha,

Did you get solution from any of the replays, if yes please mark as "Correct answer", or please mention the correct answer you get, it helps to the others have same question.

Thanks & Regards,

Sajmal

Bernhard_SAP · ‎10-04-2016

well, some never learn..... Although discussed already several times.

Funny suggestions with sap_all-role-modifications etc. ....

discussion locked.