SAP_ALL usage

0 Kudos

Hello,

I want to know the main usage of SAP_ALL profile for RFC communications (other than Basis work).

Can it be used for all RFC/ALE ids in production systems?

Can SAP_ALL be a firefighter profile for dialog users (emergency access)?

Can SAP_ALL be given to Batch ids?

Thanks in advance,

1 ACCEPTED SOLUTION

sdipanjan
Active Contributor
0 Kudos

> I want to know the main usage of SAP_ALL profile for RFC communications (other than Basis work).

No.. not needed.

> Can it be used for all RFC/ALE ids in production systems ?

No.. not needed.

> Can SAP_ALL be a firefighter profile for dialog users (emergency access) ?

Yes.. current audit scenario also tells not to use SAP_ALL for emergency users too..

> Can SAP_ALL be given to Batch ids ?

No.. not needed.

4 REPLIES

Former Member
0 Kudos

Theoretically you can, but Dipanjan's answer is much more secure...

I think a License by Authority model would not sell very well, but would also be much more secure and authorizations would be more realistic for some of the user classes you have mentioned.

Cheers,

Julius

Former Member
0 Kudos

Hi,

In a production system no user should have the SAP_ALL profile except the OSS ids. If no specific role was created within the system for some particular access, SAP_ALL can be provided with limited validity, but for audit issues, the Security log (SM20 log) should be taken for that time period.

Also I would prefer to run an ST01 trace against the user id to know what authorizations are required to do the specific job. Then a proper role should be created as per requirement to avoid assignment of the SAP_ALL profile. This new role can be used for emergency access.

For interface users also, assignment of SAP_ALL should be avoided. Here also you should take a trace against the interface user. In that case, you need to run the trace in both the systems where they are working.

But please note that running a trace may slow down system performance. So try to run the trace when system load is minimum and try to run it only for the time when the user id is used.

Regards,

Sandip.
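
The trace-then-build-a-role procedure from the reply above, as an added example that is not part of the original posts: it merges authorization-check records for one interface ID from both connected systems into the object/field/value sets a replacement role would need. The CSV layout, system IDs, user names and `Z_*` function group names are assumptions constructed for the example; it is not ST01's own export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample. The CSV layout (system, user, object, FIELD=VALUE pairs,
# return code) is a simplification assumed for this example, not ST01's own
# export format. System IDs, user names and Z_* function groups are made up.
SAMPLE_TRACE = """\
system,user,object,fields,rc
PRD,RFC_IFACE,S_RFC,RFC_TYPE=FUGR;RFC_NAME=Z_IDOC_IN;ACTVT=16,0
PRD,RFC_IFACE,S_RFC,RFC_TYPE=FUGR;RFC_NAME=Z_PING;ACTVT=16,0
PRD,RFC_IFACE,B_ALE_RECV,EDI_MES=MATMAS,0
PRD,DIALOG01,S_TCODE,TCD=SU01,0
BW1,RFC_IFACE,S_RFC,RFC_TYPE=FUGR;RFC_NAME=Z_EXTRACT;ACTVT=16,0
BW1,RFC_IFACE,S_TABU_DIS,DICBERCLS=SS;ACTVT=03,0
BW1,RFC_IFACE,S_TABU_DIS,DICBERCLS=SS;ACTVT=03,0
"""


def required_authorizations(trace_text, user):
    """Return {system: {object: {field: sorted values}}} checked for `user`.

    While the ID still holds SAP_ALL its checks normally succeed (rc 0), so
    the checked values themselves are what the replacement role must contain.
    """
    needed = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for row in csv.DictReader(io.StringIO(trace_text)):
        if row["user"] != user:
            continue  # only the ID under review; other users are noise
        for pair in row["fields"].split(";"):
            field, _, value = pair.partition("=")
            needed[row["system"]][row["object"]][field].add(value)
    # Freeze into plain dicts with sorted lists so the result is stable.
    return {
        system: {
            obj: {field: sorted(vals) for field, vals in fields.items()}
            for obj, fields in objects.items()
        }
        for system, objects in needed.items()
    }


if __name__ == "__main__":
    for system, objects in required_authorizations(SAMPLE_TRACE, "RFC_IFACE").items():
        print(system)
        for obj, fields in objects.items():
            print("  ", obj, fields)
```

Taking the union of values per field can grant combinations that were never actually checked together, so review the result per object before putting it into a role.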
