Former Member

how to restrict without role

Hi to everyone,

I want to know: one of our users has the SAP_ALL & SAP_NEW profiles.

So that is a super user.

I want to restrict some tcodes like SM12, SM04, ST02, etc.

without assigning any role ....

I mean, if I create a role then it will not be the solution, because the user wants all authorizations except SM12, SM04 and ST02.

So guide me on what the way to do this should be.

Regards

Dik


4 Answers

  • Best Answer
    Former Member
    Feb 06, 2009 at 07:13 PM

    > Hi to everyone,

    > I want to know: one of our users has the SAP_ALL & SAP_NEW profiles.

    > So that is a super user.

    > I want to restrict some tcodes like SM12, SM04, ST02, etc.

    > without assigning any role ....

    > I mean, if I create a role then it will not be the solution, because the user wants all authorizations except SM12, SM04 and ST02.

    > So guide me on what the way to do this should be.

    > Regards

    > Dik

    If I understand your question completely, you need a role with access to SAP_ALL but want to remove a few t-codes like SM12, SM04, etc.

    Well, this can be done, but roles like these are clumsy. Anyway, here is one way.

    1> Create a role and do not add anything in the menu tab. Go straight to the Authorization tab and select the SAP template for SAP_ALL.

    2> It will insert all authorizations into the role. Now search for S_TCODE. Notice it is added manually.

    3> It will have * in the TCD field, which means access to all t-codes. Now instead of * you can select ranges like 0-9* , A* - N, etc .... As good practice you do not give S, O*, PFCG etc ..... Or, if you want it to be more granular, like no access to SM12, then check the t-code before SM12 and after SM12. Give the range excluding SM12.
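
As an added example (not part of the original answer and not an SAP tool), this Python sketch derives the TCD intervals that step 3 describes from a constructed list of transaction codes, then checks that the excluded codes are not covered and that a leftover `*` value, as with SAP_ALL still assigned, covers them again. It assumes interval bounds compare as plain strings; all function and variable names are hypothetical.

```python
# Added example: model of S_TCODE TCD values. All names are hypothetical.
# Constructed sample; a real system has its own, far longer transaction list.
KNOWN_TCODES = ["PFCG", "SE16", "SM04", "SM12", "SM13", "SM21",
                "ST01", "ST02", "ST03", "SU01"]
EXCLUDED = {"SM12", "SM04", "ST02"}


def build_intervals(known, excluded):
    """Inclusive (low, high) pairs covering every known tcode except excluded ones."""
    intervals, start, prev = [], None, None
    for tcode in sorted(set(known)):
        if tcode in excluded:
            if start is not None:      # close the run before the excluded code
                intervals.append((start, prev))
                start = None
        else:
            if start is None:          # open a new run after an excluded code
                start = tcode
            prev = tcode
    if start is not None:
        intervals.append((start, prev))
    return intervals


def is_allowed(tcode, values):
    """values: (low, high) intervals, 'PREFIX*' patterns or single codes.
    Assumption: interval bounds compare as plain strings, inclusive."""
    for value in values:
        if isinstance(value, tuple):
            if value[0] <= tcode <= value[1]:
                return True
        elif value.endswith("*"):
            if tcode.startswith(value[:-1]):
                return True
        elif value == tcode:
            return True
    return False


def leaked(excluded, values):
    """Excluded tcodes that the given values still cover (should be empty)."""
    return sorted(t for t in excluded if is_allowed(t, values))


if __name__ == "__main__":
    ranges = build_intervals(KNOWN_TCODES, EXCLUDED)
    print("TCD intervals:", ranges)
    print("leaked with ranges only:", leaked(EXCLUDED, ranges))
    # Authorizations are additive: one remaining '*' value covers everything.
    print("leaked with '*' still assigned:", leaked(EXCLUDED, ranges + ["*"]))
```
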


    • Former Member

      Guys

      the whole question is a joke!

      First of all, the question is how to restrict without a role, so the answer is simply YOU CANNOT!

      Secondly, all other answers and responses lead to one conclusion: the person who asked this has no experience whatsoever with roles and the building of roles, so please attend a security course with SAP!

      Or read authorisations made easy, available from Amazon.com.

      In that book there is a complete description of how to build a role called Company_all from the SAP_ALL profile and how to restrict that to your own needs!

  • Former Member
    Feb 06, 2009 at 09:10 AM

    Read the sticky thread and/or use the search.


  • Former Member
    Feb 06, 2009 at 09:49 AM

    First of all, take away SAP_ALL, as there is NO reason anyone should have this.

    Secondly, discuss with the user what access is really needed and create a role or roles for that.

    Never trust a user that can not tell you what transactions he/she needs for their job!


  • Former Member
    Feb 06, 2009 at 01:30 PM

    Hello,

    Any roles which have * authorization can easily overwrite other restrictions. My suggestion is to remove these types of roles from the user profile and give access to the necessary tcodes only.

    Regards,

    Geetha
