
SAP_ALL profile changes for ONLY DISPLAY access in 000 client

SAPSupport
Employee

Hi,

We have security alarms generated in EWA and other security measures to have 'sap_all' profiles assigned to a group of users.

To mitigate the issue, we are required to create a z role/profile with 'sap_all' but only with DISPLAY access.

Please suggest what the recommendation/guidelines from SAP are for having 'sap_all' or a similar profile with ONLY DISPLAY access, so users can't make any changes to the system but can view all.

Regards,
Alexander

Accepted Solutions (1)


SAPSupport
Employee

Dear customer!

Please refer to SAP KBA 2988529 - SAP ALL DISPLAY

According to the KBA you CAN disable all field values in ACTVT except 03 (Display) but the thing is: "Creating a role with SAP_ALL authorizations and removing any values except '03' from the field ACTVT (Activity) is not the best approach to overcome this requirement. Unfortunately in different applications there are too many different concepts to provide "read only" access - simply setting all fields ACTVT = '03' does not do the trick. SAP cannot guarantee, that every application checks for the Field ACTVT (Activity). So there is the danger, that with that role modifications could be done."

So with ACTVT=03, you can achieve display-only access for many applications, but there might be some applications which need a more complex adjustment of the authorization values in order to get the desired display access.

Best regards,

SAP Support
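
The point made in the answer above, that restricting ACTVT to 03 does not cover every authorization object, can be checked against a role export. This is an added example, not part of the original thread or the KBA; it assumes a CSV export with the columns of table AGR_1251, and the role name `Z_DISPLAY_ALL` and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of table AGR_1251 (role authorization
# values); the role name and rows are made up for illustration.
SAMPLE = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_DISPLAY_ALL,S_TABU_DIS,T001,ACTVT,03,
Z_DISPLAY_ALL,S_TABU_DIS,T001,DICBERCLS,*,
Z_DISPLAY_ALL,S_USER_GRP,T002,ACTVT,01,03
Z_DISPLAY_ALL,S_USER_GRP,T002,CLASS,*,
Z_DISPLAY_ALL,S_TCODE,T003,TCD,*,
Z_DISPLAY_ALL,S_BTCH_ADM,T004,BTCADMIN,Y,
"""


def actvt_allows_more_than_display(low, high):
    """True if an ACTVT value or LOW-HIGH range permits anything except 03."""
    low, high = low.strip(), high.strip()
    if not low:
        return False  # assumption: an empty value grants no activity
    # Only the single value 03 (or the degenerate range 03-03) is display-only;
    # wildcards, other values and wider ranges all count as "more".
    return not (low == "03" and high in ("", "03"))


def review_role(csv_text):
    """Return (actvt_findings, objects_without_actvt) for one role export."""
    fields = defaultdict(list)  # (object, auth) -> [(field, low, high)]
    for r in csv.DictReader(io.StringIO(csv_text)):
        fields[(r["OBJECT"], r["AUTH"])].append((r["FIELD"], r["LOW"], r["HIGH"]))
    actvt_findings, no_actvt = [], []
    for (obj, _auth), vals in sorted(fields.items()):
        actvt = [(low, high) for f, low, high in vals if f == "ACTVT"]
        if not actvt:
            # Restricting ACTVT cannot limit this object: review it by hand.
            no_actvt.append(obj)
        for low, high in actvt:
            if actvt_allows_more_than_display(low, high):
                actvt_findings.append((obj, low, high))
    return actvt_findings, no_actvt


if __name__ == "__main__":
    findings, manual = review_role(SAMPLE)
    for obj, low, high in findings:
        print(f"ACTVT beyond display: {obj} {low}" + (f"-{high}" if high else ""))
    for obj in manual:
        print(f"No ACTVT field, manual review: {obj}")
```

Objects in the second list are the ones the quoted KBA text warns about: their access is controlled by fields other than ACTVT, so each needs its own decision on which values still amount to display-only.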

Answers (0)