Skip to Content
avatar image
Former Member

Configuring Solution Manager: Alternative Role to SAP_ALL

This is a general question regarding configuring Solution Manager and note 834534. I am configuring Solution Manager 7.0 at a client site. The main components that I am configuring are on the Monitoring and Operations side; for example, System Monitoring, Service Desk, Issue Management, and Change Management for Maintenance Optimizer. CHaRM will follow later on. Additionally, the client would like to use the project side of Solution Manager.

When I took training for Solution Manager from SAP, the SAP instructor advised the class to have SAP_ALL when configuring Solution Manager The problem I am having is that the client will not issue me SAP_ALL in the Solution Manager instance, regardless of the recommendation in note 834534. I can understand the client's reluctance to issue SAP_ALL, even though Solution Manager is not a financial system in of itself, however, I have found that I am constantly having to ask for authorizations as I step through the wizards and the Scenario-specific settings. When I run into issues which require further investigation by running transactions to check certain settings that are not specifically tiedd to a wizard or scenario-specific setting transaction, I run into further delays as I ask for additional authorizations to troubleshoot issues.

We have implemented the roles and assigned them to my ID in Solution Manager as outlined by the SAP Solution Manager Security Guide to the fullest extent possible; and I have been issued "Basis Roles" that the client issues to their Basis team. Regardless of these actions, I still run into authorization issues.

My question is, apart from the SAP Solution Manager Security Guides recommendations (which does not mention SAP_ALL), is there a role being developed, or has been developed that can be assigned to the Solution Manager configurator in lieu of SAP_ALL (as per note 834534)? I would think that this issue has been raised before, particularly since many companies have implemented SOX controls and are skittish about issuing SAP_ALL.

Your feedback is most appreciated.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • Best Answer
    avatar image
    Former Member
    Apr 28, 2009 at 06:11 PM

    we also dont have SAP_ALL as well and can work perfectly with SolMan

    you should check the WorkCenter documentations as per http://help.sap.com/saphelp_smehp1/helpdata/de/40/8ac473d40943ddb23def12bdb33437/frameset.htm

    Basically you can assign different Roles for the different WorkCenter Scenarios

    Also check #1236420

    https://websmp105.sap-ag.de/~sapidb/011000358700002004032008E

    Nesimi

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Nesimi,

      it's not that the consultants need SAP_ALL or don't understand the need for security, it's that they hate wasting all that time waiting for proper authorizations. :P

  • avatar image
    Former Member
    Apr 29, 2009 at 01:53 PM

    This is an explaination that I can swallow!

    Clearly, there is documentation out there which explains this, but it is scattered here and there and not consolidated and easily accessable. When undertaking a Solution Manager configuration mini-project at another client, they issued a profile that was informatlly called SAP_ALMOST_ALL, and as such, configuration was a non-issue. In this environment, there is no such role. Since that is the case, typically a configurator is going to look at the documentation contained in the IMG, and if that is not sufficient, a notes search quickly follows. For me, the IMG step "Create Configuation User" documentation said assign SAP_ALL, and the notes search turned up note 834534, which "confirmed" the documentaion.

    I think that in the final analysis, SAP_ALL from the documentation contained in note 834534 and in the IMG in particular is the "easy answer" from SAP, and does not get granular enough in today's corporate IT environment (i.e., SOX controls). Clearly, SAP's note and IMG documentation should be updated to reflect what is really needed and references to SAP_ALL should be taken out.

    The exercise we went through, since there is no SAP_ALMOST_ALL here ended up costing a fortune in the long run. This could have been avoided if the IMG documentation and note 834534 were written far more accurately.

    I appreciate your answer, that was good stuff.

    Thanks!

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hello Greg,

      please check out section 6.3.3 in the Security Guide for SAP Solution Manager EhP1 and SP19 on the Service MArketplace: http://service.sap.com/instguides -> SAP Components -> SAP Solution Manager.

      Here, you find a description of how you can build your own "Customizing" role based on an IMG project.

      In this case you could avoid SAP_ALL, but only for configuration purposes. Any further transactions than those included in IMG must be added to the according user in a separate additional role.

      Cheers,

      Annett

  • avatar image
    Former Member
    Apr 29, 2009 at 07:18 PM

    Actually, Jason hit the proverbial nail on the head. Apart from my harping on poor documentation from SAP (after all, it is they who say you "need" SAP_ALL in the IMG and in note 834534); but the time wasted decyphering what authorizations that are needed does waste alot of precious time, at the clients expense.

    I didn't "want" SAP_ALL, I was just going by the readily available documentation from SAP. The time I wasted researching this topic cost the client alot of money, and it cost me alot of money; since I did not bill for all the time that I spent researching ways around SAP's "recommendation of SAP_ALL. That time could have been spent actually configuring the system and delivering a product to my client.

    This is a prime example of how consultants can get a bad rap and get labeled as "over-paid", when it is not necessarily deserved.

    Thanks Jason!

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Apr 30, 2009 at 03:26 PM

    Just as a follow up for the community and to illustrate how there is no consensus on this topic...the following is a reply to the OSS message I placed and the response from SAP:

    Message 416354 / 2009

    30.04.2009 - 15:10:05 CET - Reply by SAP

    Dear Greg,

    No currently there are no plans to generate or create a role as parallelto SAP_ALL in Solution Manager.

    The note is still valid and you require SAP_ALL for configuring SolutionManager.

    With Warm Regards

    Amit Devale

    SAP Active Global Support - Netweaver Web Application Server

    Things that make you go, "hhhhmmmm......"

    Add comment
    10|10000 characters needed characters exceeded