Former Member

How to remove SPRO from SAP_ALL profile

Hi Friends,

My client needs access to SAP, but we don't want to give them SPRO Tcode authorization.

So I would like to have your advice on what is to be done and how we can create a profile without the SPRO Tcode.

Regards

Ayush


4 Answers

  • Former Member
    Jul 07, 2008 at 12:23 PM

    Hi,

    You can give a tcode range in PFCG in auth object S_TCODE

    Or you can give alphabet range

    a* to so*

    spa* to spq*

    spra* to sprn*

    sprp* to z*

    Hope this helps

    • Former Member Former Member

      Hi Ayush,

      > I think it's not that difficult, although I don't know this.

      This is perhaps close to what the people who tell you they have made SAP_ALL profile without SPRO... are thinking but not knowing, or perhaps not...

      If you only restrict S_TCODE and leave the authorizations as those of SAP_ALL for all other objects, the user with that role will bypass all your security in many ways. For one example, they could simply give themselves SAP_ALL as profile again, or even do it in virtually invisible ways which you have hardly any chance of finding.

      I make another bet with you: If you restrict the access by building a role from specific transactions only and restrict all the objects to what they only really need, then they will next ask for a Display-only SPRO role... and if you copy SAP_ALL without SPRO and monitor your security audit log, you will sooner or later find successful transaction starts which are SPRO related. Most likely it will be some combination of both = both "SAP_ALL without SPRO" role and "SPRO display only" role assigned to the same user....

      Hope that helps you,

      Julius

  • Jul 07, 2008 at 12:24 PM

    This question pops up every 3 months or so; both here on SDN and in real life.

    In short, no-one should be assigned SAP_ALL, so the question "how to give SAP_ALL without SPRO" is not really relevant. What is needed is a decent role allowing for displaying the IMG without actually messing anything up, right?

    Unfortunately, SPRO in itself is just a menu... by clicking the menu options in the SPRO tree, you activate hundreds of other transactions, each with its own authorization objects. Because of this, it wouldn't really make sense to just remove "SPRO" from any role; you'd also have to take out everything behind the scenes (or under the hood).

    Not sure if this resolves your problem, but as stated above, the request is somewhat misguided in the first place, which is a fair enough reply to your managers... 😉

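Added example (not part of the original thread): the S_TCODE ranges from the first answer checked against a constructed sample of transaction codes, to show what the replies describe: SPRO itself is blocked while the transactions behind the menu still start. The range-matching rule and the sample list are simplifying assumptions; a real review would take the codes from table TSTC.

```python
# Added example, not from the thread. Simplified model of an S_TCODE
# from/to range (an assumption): "lo* to hi*" admits every code that sorts
# at or after lo, up to and including anything that begins with hi.
RANGES = [("a*", "so*"), ("spa*", "spq*"), ("spra*", "sprn*"), ("sprp*", "z*")]

# Constructed sample; a real review would read the codes from table TSTC.
SAMPLE_TCODES = {
    "SPRO": "IMG entry menu",
    "SM30": "table view maintenance",
    "OX02": "company code customizing",
    "OB52": "posting period customizing",
    "SU01": "user maintenance",
    "PFCG": "role maintenance",
    "ME21N": "create purchase order",
    "MIGO": "goods movement",
}


def in_range(tcode, lo, hi):
    """True if tcode falls inside one from/to range under the model above."""
    t = tcode.upper()
    lo, hi = lo.rstrip("*").upper(), hi.rstrip("*").upper()
    return lo <= t and t[:len(hi)] <= hi


def allowed(tcode, ranges=RANGES):
    """True if any range of the S_TCODE authorization admits tcode."""
    return any(in_range(tcode, lo, hi) for lo, hi in ranges)


def review(tcodes=SAMPLE_TCODES, ranges=RANGES):
    """Return (blocked, startable) transaction codes, each sorted."""
    blocked = sorted(t for t in tcodes if not allowed(t, ranges))
    startable = sorted(t for t in tcodes if allowed(t, ranges))
    return blocked, startable


if __name__ == "__main__":
    blocked, startable = review()
    print("blocked by S_TCODE:", blocked)
    for t in startable:
        print(f"still startable:    {t:6} {SAMPLE_TCODES[t]}")
```

Only SPRO ends up in the blocked list; every other code in the sample, including the customizing and user-maintenance ones, passes the S_TCODE check, which is why the replies recommend building the role from required transactions and restricted objects instead.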

  • Former Member
    Jul 07, 2008 at 12:33 PM

    > My client needs access to SAP, but we don't want to give them SPRO Tcode authorization.

    > So I would like to have your advice on what is to be done and how we can create a profile without the SPRO Tcode.

    Your topic subject is a bit misleading. The only proper answer to the question in your message should be (in my opinion) to ask the client what he does need and build a role based on this information.

    As already pointed out, the SPRO tcode only leads to a menu. Taking only that away is like telling someone to hand over the front door key but letting him keep all other keys to the building... I think no-one needs all keys in the first place.

    Jurjen


    • Former Member

      Thanks friends,

      I am still left with a doubt as to what should be done to remove the SPRO access from a Role.

      1. My client wants me to design a Role that has got all the MM related Tcodes, or rather I should say everything related to the MM domain should be there.

      I tried making a role with a handful of Tcodes, but later he tried executing tcodes which were actually not there in the role, so later he was getting access denied.

      2. Now my colleagues who are SAP Consultants want me to design a copy of SAP_ALL delimiting the access to SPRO.

      Since it's quite critical, I wanted you to help me out.

      Regards

      Ayush

  • Former Member
    Jul 11, 2008 at 07:00 AM

    I would suggest the best way of designing a role that has access to all standard delivered SAP tcodes but not customizing tcodes would be to download the list of tcodes from TSTC tables. In the selection screen you can exclude from selection the tcodes like O* and SPRO. And also maybe tcodes for function modules you are not interested in.

    Download the list to an Excel file and then add them manually to the new role.

    • Former Member Bernhard Hochreiter

      > I think after some hours of work you will stop again....

      I believe that is the first step in the above mentioned Mikado game. Also known as "short dump"... 😊

      Cheers,

      Julius