Is there a way to assign Profile SAP_ALL to a user excluding SU01?

liyame
Explorer
0 Kudos

Hi everyone.

I'm a trainee for SAP Basis and I've only been taught a few chosen parts of security as of now, since my job is only about daily monitoring. But right now I've come across a requirement. I need to give SAP_ALL but excluding SU01 and a few other chosen TCodes if asked in future. So, I've tried searching for it and came across answers like creating a separate role and choosing a template in the "change authorization tab" in PFCG. I guess this is how roles or profiles are copied.

I think I'm almost there but stuck at this point. Can someone please explain briefly how to restrict a TCode here? It would be really helpful. Also, if there are any other ways to restrict or lock TCodes, I'd love to know those as well. Those would be useful if this doesn't work.

Thanks in advance.
I would really appreciate the help. 🙂

FredericGirod
Active Contributor

create a Z_SAP_ALL ..

Accepted Solutions (0)

Answers (3)

david-barba
Member
0 Kudos

Hi Ali, you shouldn't be copying auth from SAP_ALL; this is a highly restricted profile from SAP with all the authorizations open. You could use SAP_ALL for a test and perform a trace using the STAUTHTRACE tcode to gather the authorizations needed, and from there create a role with a profile containing only the auth needed. This is one approach of several (all of this in a non-productive environment). Additionally, there are templates from SAP for a variety of different profiles. SAP_ALL is a very powerful and therefore dangerous and risky profile; access should be restricted to everyone.

As you mention you are new to security aspects of SAP, I highly recommend that you read ADM940. You'll find answers to all your security queries and more; it is fundamental to read this.

holm
Participant
0 Kudos

This approach makes no sense at all. There are 1000 ways to circumvent the few t-codes not being in the copied profile (e.g. call the report directly via se38, write a program, ...).

Roles always have to be built from scratch to be secure.

JoeyLi
Product and Topic Expert
0 Kudos

change authorization data