restrict the tcodes in profile

Former Member · ‎02-19-2008

hi guru's

i have copied SAP_ALL into ZSAP_ALL and i assigned this profile to SD/MM/PP/FI. But i want to restrict some tcodes. can you tell me the procedure for restricting tcodes in profile.

thanks

Ramesh

Former Member · ‎02-19-2008

Hi,

Goto tcode SU02 and enter the profile. Search for the Authorization object "s_tcode" and remove the * enter the tcodes that you want to assign the users.

Regards

Ramgopal

Former Member · ‎02-19-2008

Hi Ramesh,

We should not give SAP_ALL to any user in the production environment.

Better practice is create independent roles for each functional position, atleast each functional module. There are lot of pre -defined roles in SAP at each process level. generate them and use.

if you want more details, pls. let me know.

award points if you are satisfied with my answer.

~Praveen

Former Member · ‎02-21-2008

Hi Praveen,

i want to assign assign profiles/roles in "DEV" system. can you suggest me what type roles i have to assign functionals and developers.

thanks

Ramesh

Former Member · ‎02-21-2008

Hi Ramesh

you should ask your developers for the transactions they want to run ...meaning day to day activities.

normally they use se37, ssdb, se38 etc..

you can make a role and assign the tcodes to the role and later assign this role to the user.

Like we have an HR implementation and here are some roles given to abapdev user.

SAP_BC_BMT_WFM_ADMIN

SAP_BC_BMT_WFM_DEVELOPER

SAP_BC_BMT_WFM_GP_ADMIN

SAP_BC_BMT_WFM_GP_SERVICE_USER

SAP_BC_BMT_WFM_UWL_ADMIN

SAP_BC_CM_ADMINISTRATOR

SAP_BC_EMPLOYEE

SAP_BC_ENDUSER

SAP_BPT_IMPLEMENTATION

SAP_EMPLOYEE_ERP

SAP_ESSUSER_ERP

SAP_HR_BN_HR-ADMINISTRATOR

SAP_HR_CM_BEN-COMP-MANAGER

SAP_HR_CM_SPECIALIST

SAP_HR_CPS_CO-ADMINISTRATOR

SAP_HR_CPS_HR-MANAGER

SAP_HR_CP_HR-MANAGER

SAP_HR_ECM_COMP_SPECIALIST

SAP_HR_EMPLOYEE_DE_ERP

SAP_HR_EMPLOYEE_US_ERP

SAP_HR_HAP_ADMINISTRATOR

SAP_HR_KM_INSTRUCTOR

SAP_HR_LSO_TRAININGMANAGER

also u can assign them custom roles.

similarly for functional people.

Hope this helps..

Former Member · ‎02-19-2008

Hi Ramesh,

Why use SU02 for this requirement when SAP has given something so convenient in PFCG.

If you know what to assign and what to restrict, create a new role using PFCG, use sap_all template, and restrict the tcodes using ranges. Here you can restrict the objects too based on the requirement. Another advantage is, you can then also set validity periods on this role assignment, as such a role is would be broad in nature.

This forum will give you immense threads on this.

Cheers

Abhishek

Think you should also be well versed by now which environments such a role is to be restricted

Edited by: Abhishek Belokar on Feb 19, 2008 7:28 PM

Edited by: Abhishek Belokar on Feb 19, 2008 7:58 PM

Former Member · ‎02-20-2008

Hi Ramesh,

I was facing the same issue which you are facing. I wasnt sure what T-codes the Functional Consultants needed access to and I did not want to give them sap_all. Here is what I did.

1. Created a role Z:Sap_All and copy sap_all profile in it.

2. Disabled all the Basis Objects (BC_A, BC_C, BC_Z) and left the rest enabled with full permissions.

Now, if any Functional Consultant needed access to some Basis Tcode (which they will, if this is for QA or Dev or if you haven't gone live), I just added it to the menu on request basis.

I know that this is not a very effective way of managing Security, but at least you do not have to worry about Function Consultants messing with Basis Tcodes. This also ensures that you have SOME amount of security if if you do not have much time to spend on it.

Kunal