Skip to Content
author's profile photo Former Member
Former Member

restrict the tcodes in profile

hi guru's

i have copied SAP_ALL into ZSAP_ALL and i assigned this profile to SD/MM/PP/FI. But i want to restrict some tcodes. can you tell me the procedure for restricting tcodes in profile.

thanks

Ramesh

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

3 Answers

  • author's profile photo Former Member
    Former Member
    Posted on Feb 19, 2008 at 05:33 AM

    Hi,

    Goto tcode SU02 and enter the profile. Search for the Authorization object "s_tcode" and remove the * enter the tcodes that you want to assign the users.

    Regards

    Ramgopal

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Feb 19, 2008 at 12:18 PM

    Hi Ramesh,

    We should not give SAP_ALL to any user in the production environment.

    Better practice is create independent roles for each functional position, atleast each functional module. There are lot of pre -defined roles in SAP at each process level. generate them and use.

    if you want more details, pls. let me know.

    award points if you are satisfied with my answer.

    ~Praveen

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi Ramesh

      you should ask your developers for the transactions they want to run ...meaning day to day activities.

      normally they use se37, ssdb, se38 etc..

      you can make a role and assign the tcodes to the role and later assign this role to the user.

      Like we have an HR implementation and here are some roles given to abapdev user.

      SAP_BC_BMT_WFM_ADMIN

      SAP_BC_BMT_WFM_DEVELOPER

      SAP_BC_BMT_WFM_GP_ADMIN

      SAP_BC_BMT_WFM_GP_SERVICE_USER

      SAP_BC_BMT_WFM_UWL_ADMIN

      SAP_BC_CM_ADMINISTRATOR

      SAP_BC_EMPLOYEE

      SAP_BC_ENDUSER

      SAP_BPT_IMPLEMENTATION

      SAP_EMPLOYEE_ERP

      SAP_ESSUSER_ERP

      SAP_HR_BN_HR-ADMINISTRATOR

      SAP_HR_CM_BEN-COMP-MANAGER

      SAP_HR_CM_SPECIALIST

      SAP_HR_CPS_CO-ADMINISTRATOR

      SAP_HR_CPS_HR-MANAGER

      SAP_HR_CP_HR-MANAGER

      SAP_HR_ECM_COMP_SPECIALIST

      SAP_HR_EMPLOYEE_DE_ERP

      SAP_HR_EMPLOYEE_US_ERP

      SAP_HR_HAP_ADMINISTRATOR

      SAP_HR_KM_INSTRUCTOR

      SAP_HR_LSO_TRAININGMANAGER

      also u can assign them custom roles.

      similarly for functional people.

      Hope this helps..

  • author's profile photo Former Member
    Former Member
    Posted on Feb 19, 2008 at 06:24 PM

    Hi Ramesh,

    Why use SU02 for this requirement when SAP has given something so convenient in PFCG.

    If you know what to assign and what to restrict, create a new role using PFCG, use sap_all template, and restrict the tcodes using ranges. Here you can restrict the objects too based on the requirement. Another advantage is, you can then also set validity periods on this role assignment, as such a role is would be broad in nature.

    This forum will give you immense threads on this.

    Cheers

    Abhishek

    Think you should also be well versed by now which environments such a role is to be restricted 😉

    Edited by: Abhishek Belokar on Feb 19, 2008 7:28 PM

    Edited by: Abhishek Belokar on Feb 19, 2008 7:58 PM

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi Ramesh,

      I was facing the same issue which you are facing. I wasnt sure what T-codes the Functional Consultants needed access to and I did not want to give them sap_all. Here is what I did.

      1. Created a role Z:Sap_All and copy sap_all profile in it.

      2. Disabled all the Basis Objects (BC_A, BC_C, BC_Z) and left the rest enabled with full permissions.

      Now, if any Functional Consultant needed access to some Basis Tcode (which they will, if this is for QA or Dev or if you haven't gone live), I just added it to the menu on request basis.

      I know that this is not a very effective way of managing Security, but at least you do not have to worry about Function Consultants messing with Basis Tcodes. This also ensures that you have SOME amount of security if if you do not have much time to spend on it.

      Kunal

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.