Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP_All

Go to solution
Former Member

‎03-31-2009 8:37 AM

0 Kudos

Hi All,

How to create SAP_all profile by removing few t-code say like SPRO.

My question here is whether it is possible to edit the existing SAP_All profile ?

If possible I need to know how to do it?

Apperciate if you give other option without distrubing SAP_All.

Cheers!

Naveen

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎03-31-2009 5:05 PM

0 Kudos

Hi,

Use transaction su02 and copy the sap_all profile and edit as per requirement.

Regards,

Gowrinadh

6 REPLIES 6

Go to solution
Bernhard_SAP
Employee
Employee

‎03-31-2009 8:51 AM

0 Kudos

Hello Naveen,

editing SAP_ALL is not advisable, as SAP_ALL shall contain all authorizations. Furthermore it is regenerated atuomatically from time to time 8for instance after import of new authorization objects, etc.

More advisable is to create a copy of sap_all and modify its sub-profiles, or you create a sap_all-role by inserting the authorization data of sap_all into the empty profile of that role and modify then the values as per your needs.

I hope this information helps.

b.rgds, Bernhard

P.S.: if you search this forum for 'SAP_ALL' for instance, you will get some more useful information in the hits displayed.

Edited by: Bernhard Hochreiter on Mar 31, 2009 9:54 AM entered the 'P.S:'

Go to solution
Former Member

‎03-31-2009 5:05 PM

0 Kudos

Hi,

Use transaction su02 and copy the sap_all profile and edit as per requirement.

Regards,

Gowrinadh

Go to solution
Former Member

‎04-01-2009 12:06 PM

0 Kudos

I have a another suggestion

Instead of assigning profile to users why donu2019t we create role for SAP_ALL profile and then assign to user why because now we are following role based authorization we are not using profile based authorization after r/3 version 4.7

Go to T-Code PFCG

Directly go to authorization tab change authorization popup window will display from that select Profile SAP_ALL

Then restrict the authorization through objects we canu2019t remove T-Codes why because object S_TCODE contain * if we remove * we have to add all T-Codes ,so better restrict the authorizations through objects

Go to solution
jurjen_heeck
Active Contributor
In response to Former Member

‎04-01-2009 12:08 PM

0 Kudos

Isn't that exactly what Bernhard suggested when he wrote:

> or you create a sap_all-role by inserting the authorization data of sap_all into the empty profile of that role and modify then the values as per your needs.

Edited by: Jurjen Heeck on Apr 1, 2009 1:09 PM

Go to solution
Former Member
In response to Former Member

‎04-01-2009 12:39 PM

0 Kudos

Hi

Apperciate all for your valuable advise.I had a doubt while doing as per your advise.After copying the SAP_All,I have to eliminate the SPRO access now.So,I checked in SU24 what are the authorization object connected with SPRO.It displays a long list.I struck here which one need to considered or not.

Help me out of this!

Cheers!

Naveen

Go to solution
koehntopp
Product and Topic Expert
Product and Topic Expert
In response to Former Member

‎04-01-2009 1:42 PM

0 Kudos

OK, first of all, let me question the basic idea here (I can see some moderator colleagues rolling on the floor already...).

From what I read, you're ok with people being able to modify tables and run arbitrary reports, let alone mess up all business transactions, as long as they don't have access to customizing?

Sorry, but that makes no sense at all.

Constructive approach: what is that role supposed tobe used for...?

Frank.