03-31-2009 8:37 AM
Hi All,
How to create SAP_all profile by removing few t-code say like SPRO.
My question here is whether it is possible to edit the existing SAP_All profile ?
If possible I need to know how to do it?
Apperciate if you give other option without distrubing SAP_All.
Cheers!
Naveen
03-31-2009 5:05 PM
Hi,
Use transaction su02 and copy the sap_all profile and edit as per requirement.
Regards,
Gowrinadh
03-31-2009 8:51 AM
Hello Naveen,
editing SAP_ALL is not advisable, as SAP_ALL shall contain all authorizations. Furthermore it is regenerated atuomatically from time to time 8for instance after import of new authorization objects, etc.
More advisable is to create a copy of sap_all and modify its sub-profiles, or you create a sap_all-role by inserting the authorization data of sap_all into the empty profile of that role and modify then the values as per your needs.
I hope this information helps.
b.rgds, Bernhard
P.S.: if you search this forum for 'SAP_ALL' for instance, you will get some more useful information in the hits displayed.
Edited by: Bernhard Hochreiter on Mar 31, 2009 9:54 AM entered the 'P.S:'
03-31-2009 5:05 PM
Hi,
Use transaction su02 and copy the sap_all profile and edit as per requirement.
Regards,
Gowrinadh
04-01-2009 12:06 PM
I have a another suggestion
Instead of assigning profile to users why donu2019t we create role for SAP_ALL profile and then assign to user why because now we are following role based authorization we are not using profile based authorization after r/3 version 4.7
Go to T-Code PFCG
Directly go to authorization tab change authorization popup window will display from that select Profile SAP_ALL
Then restrict the authorization through objects we canu2019t remove T-Codes why because object S_TCODE contain * if we remove * we have to add all T-Codes ,so better restrict the authorizations through objects
04-01-2009 12:08 PM
Isn't that exactly what Bernhard suggested when he wrote:
> or you create a sap_all-role by inserting the authorization data of sap_all into the empty profile of that role and modify then the values as per your needs.
Edited by: Jurjen Heeck on Apr 1, 2009 1:09 PM
04-01-2009 12:39 PM
Hi
Apperciate all for your valuable advise.I had a doubt while doing as per your advise.After copying the SAP_All,I have to eliminate the SPRO access now.So,I checked in SU24 what are the authorization object connected with SPRO.It displays a long list.I struck here which one need to considered or not.
Help me out of this!
Cheers!
Naveen
04-01-2009 1:42 PM
OK, first of all, let me question the basic idea here (I can see some moderator colleagues rolling on the floor already...).
From what I read, you're ok with people being able to modify tables and run arbitrary reports, let alone mess up all business transactions, as long as they don't have access to customizing?
Sorry, but that makes no sense at all.
Constructive approach: what is that role supposed tobe used for...?
Frank.