
access via profile

Former Member

Hi,

While auditing security at a company I noted that there was a user which had a non-standard SAP_ALL-equivalent profile assigned to it on the profile tab of the user master (SU01). The assignment of this profile is not due to the assignment of a role to the user. (*Generally, profiles are assigned to users by SAP automatically when a user is assigned a role.*) The client informed me that this profile is an old profile and was discarded long ago. Maybe this profile existed in the system before 4.6C and got attached to the user during the upgrade.

This profile apparently provides the access to the t-code in question, and the client says that this profile is SAP_ALL equivalent, so the user should have all access if this profile is effective. The client created another user in front of me using exactly the same access as the old user and entered the t-code in question for execution. The message was "You are not authorized…". The client says the profile so assigned to the user does not provide any access to the user since there is no matching role for this profile in the user master records.

Question:

My understanding was that a profile provides access to a user in SAP. A role is for general end users, for ease of understanding and maintenance. If so, why in this case does the user not have SAP_ALL access even though he has a SAP_ALL-equivalent non-standard SAP profile?

Thank you,

Partha

6 REPLIES

Former Member

Hi Parthasarathy,

SAP_ALL is a composite profile which gives authorization to all the t-codes/authorizations in SAP. However, the non-standard SAP profile that you are referring to might be a restricted one and is not allowing the user to execute some of the t-codes. Hence the "you are not authorized" error.

Further, please note that the roles are not for end users. Roles help to maintain and secure the SAP system more securely compared to the old profile administration. It is now easy to add/remove t-codes, reports, etc. in a role and generate a profile with the respective authorization objects. The PFCG tool helps the admins get the corresponding auth objects into the profile.

I recommend you verify the non-standard SAP profile and see what restrictions are applied.

Also, it is not recommended to assign SAP_ALL to any user now. The alternative for providing sensitive t-code access is using the SPM application.

Hope this helps!!

Warm Rgds,

Raghu

Former Member

You can assign profiles to the users as well.

If you have assigned the SAP_ALL profile, it means this user has access to all the t-codes. When you assigned the SAP_ALL profile to the user, did you log off and log on again?

Former Member

> The message was "You are not authorized…". The client says the profile so assigned to the user does not provide any access to the user since there is no matching role for this profile in the user master records.

Are you trying to assign a profile that was generated for a role? If yes, the assignment is incorrect. You should assign the role directly. If no, find out the transaction codes that the user can execute with the profile from the SUIM transaction code.

Hope this clarifies.

Regards,

Raghu


Hi

I'm curious... I never did use the pre-PFCG profiles. What would happen if you created a blank role and added the profile to the auths tab (with a suitable description) and saved the role? Would you find the t-codes etc. in the auths tab, i.e. the profile generator working in reverse? Can't see it happening, but it's worth a few minutes.

I'll have a look tomorrow if I get a chance... sorry, not an answer, just interested.

Cheers

David

Former Member

Check in the client system whether PFCG_TIME_DEPENDENCY was running (SM37).

It removes such invalid profiles.

regards,

Surpreet

dieter_goedel
Advisor

Hello Partha,

the classic, profile-based authorization concept is still running. It's not important whether a user is granted access by a manually maintained profile (single or generated) or via a generated profile.

The only facts are that you cannot maintain generated profiles in SU02 and that PFUD deletes manually assigned generated profiles from the user.

To get the real picture of this crazy case you can use transaction SU56; there you get the list of all assigned authorizations of a user. It's a good way to get a final picture :-).

By the way, if you are the auditor, do you already verify the changes in tables PRGN_CUST and USREFUS?

Best regards,

Dieter.
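The checks discussed in this thread (the original question about a directly assigned profile, Surpreet's PFCG_TIME_DEPENDENCY reply and Dieter's SU56/PFUD reply), as an added example that is not part of any post: a small offline model of the SAP user master that resolves a user's directly assigned profiles (the SU01 profile tab) down to S_TCODE authorizations, the way SU56 would list them, and flags generated profiles assigned by hand without a backing role, which is what PFUD / PFCG_TIME_DEPENDENCY removes. The table and field names follow the SAP authorization tables (UST04, UST10C, UST10S, UST12, AGR_1016, AGR_USERS), but every row is constructed for illustration, and the value matching is a simplified model of the real authorization check, not SAP code.

```python
"""Offline audit of direct profile assignments in an SAP user master.

Added example for this thread, not SAP code. Table and field names follow
the SAP authorization tables; all rows are constructed, and value matching
is a simplified model of the real S_TCODE check.
"""
from typing import Iterable

# UST04: profiles on the SU01 "Profiles" tab (constructed rows).
UST04 = [
    ("AUDIT01", "Z_OLDALL"),    # old manual composite profile, no role behind it
    ("AUDIT01", "T-12345678"),  # generated profile, matching role assigned below
    ("ENDUSER", "T-12345678"),  # generated profile entered by hand, no role
    ("ENDUSER", "T-99999999"),  # generated profile entered by hand, no role
]
# UST10C: composite profile -> contained profile.
UST10C = [("Z_OLDALL", "Z_OLD_FI"), ("Z_OLDALL", "Z_OLD_MM")]
# UST10S: single profile -> (authorization object, authorization name).
UST10S = [
    ("Z_OLD_FI", "S_TCODE", "Z_FI_TC"),
    ("Z_OLD_MM", "S_TCODE", "Z_MM_TC"),
    ("T-12345678", "S_TCODE", "T-12345678_00"),
    ("T-99999999", "S_TCODE", "T-99999999_00"),
]
# UST12: (object, authorization, field, VON, BIS); a non-empty BIS means a range.
UST12 = [
    ("S_TCODE", "Z_FI_TC", "TCD", "FB01", "FB99"),
    ("S_TCODE", "Z_MM_TC", "TCD", "MM*", ""),
    ("S_TCODE", "T-12345678_00", "TCD", "SU01", ""),
    ("S_TCODE", "T-99999999_00", "TCD", "*", ""),
]
# AGR_1016: role -> generated profile; AGR_USERS: user -> role.
AGR_1016 = [("Z_BASIS_ADMIN", "T-12345678"), ("Z_SAP_ALL_COPY", "T-99999999")]
AGR_USERS = [("AUDIT01", "Z_BASIS_ADMIN")]


def expand_profiles(profiles: Iterable[str]) -> set[str]:
    """Resolve composite profiles (UST10C) down to single profiles."""
    children: dict[str, list[str]] = {}
    for parent, child in UST10C:
        children.setdefault(parent, []).append(child)
    result, stack = set(), list(profiles)
    while stack:
        prof = stack.pop()
        if prof in children:
            stack.extend(children[prof])
        else:
            result.add(prof)
    return result


def user_single_profiles(user: str, ust04=UST04) -> set[str]:
    """Single profiles behind everything on the user's profile tab."""
    return expand_profiles(p for u, p in ust04 if u == user)


def effective_authorizations(user: str, ust04=UST04) -> set[tuple[str, str]]:
    """What SU56 shows: every (object, authorization) the user's profiles carry."""
    singles = user_single_profiles(user, ust04)
    return {(obj, auth) for prof, obj, auth in UST10S if prof in singles}


def value_matches(von: str, bis: str, value: str) -> bool:
    """Simplified SAP value matching: range, full wildcard, trailing-* prefix, exact."""
    if bis:
        return von <= value <= bis
    if von == "*":
        return True
    if von.endswith("*"):
        return value.startswith(von[:-1])
    return value == von


def tcode_allowed(user: str, tcode: str, ust04=UST04) -> bool:
    """S_TCODE check on field TCD against the user's effective authorizations."""
    auths = effective_authorizations(user, ust04)
    return any(
        value_matches(von, bis, tcode)
        for obj, auth, field, von, bis in UST12
        if obj == "S_TCODE" and field == "TCD" and (obj, auth) in auths
    )


def orphaned_generated_profiles(user: str, ust04=UST04) -> set[str]:
    """Generated profiles on the user that no assigned role accounts for."""
    role_of_profile = {prof: role for role, prof in AGR_1016}
    roles = {role for u, role in AGR_USERS if u == user}
    return {p for u, p in ust04
            if u == user and p in role_of_profile and role_of_profile[p] not in roles}


def simulate_pfud(ust04=UST04) -> list[tuple[str, str]]:
    """PFUD / PFCG_TIME_DEPENDENCY effect: drop orphaned generated profiles only."""
    users = {u for u, _ in ust04}
    orphans = {(u, p) for u in users for p in orphaned_generated_profiles(u, ust04)}
    return [row for row in ust04 if row not in orphans]


if __name__ == "__main__":
    for before_after, table in (("before PFUD", UST04), ("after PFUD", simulate_pfud())):
        for user in sorted({u for u, _ in table}):
            allowed = [tc for tc in ("FB50", "MM01", "SU01", "SE16") if tcode_allowed(user, tc, table)]
            print(f"{before_after:11} {user}: orphans={sorted(orphaned_generated_profiles(user, table))} "
                  f"allowed={allowed}")
```

Run stand-alone it prints each user's orphaned generated profiles and the sample transactions they can start, before and after the simulated PFUD run. The manually maintained composite Z_OLDALL is left alone by the cleanup and stays effective without any role behind it, so in this model a direct manual profile that does not grant a transaction is itself restricted rather than ignored; the T-profiles entered by hand on ENDUSER are the ones that disappear.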