SAP_ALL Minus HR Roles

Hi...
My requirement is to provide full access, but without any HR authorizations, for a few users.
That means I need to create a role like SAP_ALL minus (-) HR_ALL authorizations.
Is there any standard role for this, or any way to create a role with the above requirement?
Thanks in advance.
Handhu
Edited by: Haranadha Babu Gurajada on Apr 2, 2009 7:26 AM
Edited by: Haranadha Babu Gurajada on Apr 2, 2009 7:28 AM

Hi,
SAP_ALL consists of all the profiles.
Create a new role and assign all the profiles except the HR profiles; this would take time.
This is the only way.
Regards,
Nitin

Similar Messages

  • SAP_ALL minus SPRO

    Hello,
    I need to give 20 users access to SAP_ALL, but restrict access to Transaction SPRO.
    Please provide an efficient method to do this.
    Thanks.

    Ravi Kumar wrote:
    > Hi Gautam,
    >
    > try the below procedure:
    >
    > Create a role in PFCG and save it.
    > Go to authorizations tab and select 'expert mode'.
    > Select SAP_ALL template and click 'adopt reference'.
    > Save, generate, then find S_TCODE object and change values to 0-SPRN, SPRP-Z
    > Save, generate again.
    >
    >
    > Regards
    > Ravi
    >
    > P.S: Reward points if useful
    That will only provide superficial restriction over running SPRO.
    By modifying SAP_ALL, there is nothing stopping me doing something like adding SAPLS_IMG_TOOL_5 to a custom tx (no dev key needed)......

  • How to create SAP_ALL Display Role without HR Transactions.

    Hi,
    Can someone help me create an SAP_ALL Display only Role without HR Transactions?
    It takes a lot of time to create a new role with the SAP_ALL template and manually change the Activity to display and deactivate HR objects.
    Please let me know if there is any faster way to do this.
    Regards,
    MASQ.

    > Please let me know if there is any faster way to do this.
    Nope, there isn't. Besides that, only changing activity fields will not result in a display-only role. As said, please use the search and browse through the sticky threads.

  • Create a role with everything except parameterization option

    Hello,
    We need to create a new role with all objects except the parameterization option.
    How can we create it?
    Best regards,
    Julene González

    I had no idea that we had discussed SPRO that often...
    As you can see from the thread Alex pointed out (this one: https://forums.sdn.sap.com/click.jspa?searchID=19779873&messageID=6581648) it is also useful to know which system in the landscape this role is destined for.
    Assuming this is for the QAS system, why don't you identify all the business roles for the production system (those which do not permit customizing in production either, nor user admin and other "basis" tasks, nor development work...etc...) and assign them all to the users (I assume these are support users).
    They should be in QAS already, and if your client settings are correct (T), you will experience the same or a very similar result.
    Of course they won't have "SAP_ALL minus SPRO", but they will have what you are actually using for the "real users"... in production (except it will be in QAS).
    That way they also have a more realistic testing experience with the correct roles (only).
    Just a thought,
    Julius

  • Role to access administration tab in PI  login page

    Hello
    Would you please let me know which standard role should be defined to access the administration tab on the login page?
    I am getting the error "you are not authorised".

    Hi Kumar,
    You may use the PISUPER user to access that or provide the SAP_ALL authorization or role "SAP_XI_ADMINISTRATOR_J2EE".
    More information about roles and users:
    http://help.sap.com/saphelp_nwpi71/helpdata/en/9f/d12940cbf2195de10000000a1550b0/frameset.htm
    Regards,
    Caio

  • How to add profiles to critical roles & profiles table in GRC RAR

    Hello,
    As per Note# 1034117, it says Add "SAP_ALL" type security roles and the SAP profiles, see list below for profiles, to the Critical Roles and Critical Profiles table.
    SAP_ALL All Authorizations For The SAP System
    SAP_NEW All Authorizations For Newly Created Objects
    S_A.ADMIN Basis Operator
    How do we add the profiles, to the Critical Roles and Critical Profiles table in RAR.
    Thanks,

    Hi,
    I configured the critical roles & profiles in rule architect.
    But when I schedule the background job for batch risk analysis, it is taking all the users, roles & profiles.
    Is there a way to exclude users, roles & profiles? (I have already configured the excluded users, roles and profiles in exclude option), but still when I schedule the background job and say show parameter, it shows the User Range as '*'. It is not showing the excluded users.
    Can you please update how to exclude the list of users, from the batch risk analysis?
    Thanks,

  • Resource Tab Create/delete/Display role is not active

    Dear Friends,
    I have been trying to work on cProjects 4.0 and I encountered one issue. I tried exploring all the threads on the forum related to this issue, but I could not find any resource related to it.
    In the Resource Tab, Create/delete/Display role is not active; they are grayed out.
    I have maintained all the authorization
    1. Roles for my user id are:
    SAP_CPR_PROJECT_ADMINISTRATOR
    SAP_CPR_PROJECT_LEAD
    SAP_CPR_USER
    I also have SAP_ALL
    0SAP_ADMIN Project Role 'Administration'
    Default Authorization : ResMan,Write
    Z13_CONSULTANT Consultant
    Default Authorization : ResMan,Write
    Z13_DEVELOPER Developer
    Default Authorization : ResMan,Write
    Z13_PROJEKTLEIT Project Manager
    Kindly request your valuable inputs.
    Thanks and Regards
    Mukesh

    Hi Mukesh,
    Please go to following SPRO setting:
    Collaboration Projects -> Resource management -> Qualification Management ->  Activate Qualification Search and Matchup Using WFM Core
    Delete the X under Value abbr. for Group WFM and Sem. abbr. QUINC. This will deactivate use of WFM.
    Hope this resolves your problem.
    Regards,
    Niraj

  • Ability to filter gateway logging and simulate "go lives"...

    Dear gurus,
    For those of you who have attempted to maintain secinfo and reginfo files (and now any proxy and message server ACLs) the subject title should be enough said.
    The local and internal contexts account for 99% of the starting and registering of external programs. These create a huge amount of racket in the logging and in the case of secinfo don't give you the USER-HOST unless you activate additional filters, which effectively doubles the trace logging file size.
    I would like to create a "functionality wishlist" in the wikis for two new features, but first wanted to test the ideas here and see whether there is agreement:
    1) gw/ignore_info parameter
    A file which allows certain entries not to be logged, particularly the "local" and "internal" HOST and USER-HOST entries which are anyway contained by the authorization concept for transactions such as STMS and SM69 and SM37 (as well as some function modules which respect the application concepts, such as SXPG FMs).
    This would mean one can only log (and have to read...) exceptions which are truly started or registered remotely!
    2) gw/simulate_info parameter
    A file which can represent the secinfo and reginfo files to show what would have happened if the real files were active.
    The problem is that one cannot realistically test, let alone transport, the files from DEV to QAS to PROD. You have to take risks when going live in PROD as the partners and jobs and various other dependencies (call backs) only happen there. Customers are very scared of such Go-Lives regardless of the support offered (I sometimes spend the night clicking on a refresh button...). The ability to simulate the effect of an active secinfo and reginfo would be very cool.
    Any support? If I have a few "thumbs up" then I will create a wiki for it after some discussion about whether a better approach is possible.
    For sure something needs to be done, as if client systems using outbound gateway registrations fail to accept critical business data which then creates inconsistencies (customers hate that, even the thought of it!) then there is most likely no second chance to secure the gateway or RFC in general again.
    Aye or nay or better suggestion?
    Cheers,
    Julius

    What irritates me most is assumption security = SoD.
    I try my best to move those to the GRC forum without delays... You can however also control many non-application specific parts of a SAP system from ABAP transactions and these are controlled by ABAP authorizations. ABAP is very powerful... A few examples are SE14, SM69 and (relevant to this example) also SMGW to transfer the control to the application layer by forcing it (local context of the USER-HOST). So authorizations are also important and omnipresent (except for the config tool on the Java Stack)...
    While I am ranting another one is when you define your roles you are done with security for next 5 years and there is no need for budget. Who cares about patch Tuesdays and many other things.
    A classic example of such a "5 year works out of the box" example is a SAP_ALL minus a few things type role (imported manual authorizations into the role from SAP_ALL). That is a snapshot of SAP_ALL and any new objects introduced (with proposals introduced hopefully as well in SU24) will be unknown to it when you apply Support Packs or upgrade or add custom checks. It is bound to fail sooner or later, even though you think it cannot go wrong. A proliferation of SAP_NEW is a nice example of the symptom.
    Currently the new object S_RO_OSOA is causing all sorts of havoc in this area (worth keeping an eye out for that one if it has not confronted you yet!) ....
    Cheers,
    Julius
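
Added example, not part of the original thread: a small audit for the snapshot problem described in the post above, where a "SAP_ALL minus HR" role built from the SAP_ALL template does not learn about objects introduced later. The role name, the CSV column layout, the object classes and all sample rows are constructed for illustration; in practice the two inputs would be exports of the role's authorization rows and of the system's current authorization object list.

```python
import csv
import io

# Constructed sample: authorization rows of a hypothetical role Z_ALL_MINUS_HR,
# created from the SAP_ALL template with HR objects meant to be deactivated.
# Column names are this example's own export layout (an assumption).
ROLE_EXPORT = """\
role,object,field,low,high,deleted
Z_ALL_MINUS_HR,S_TCODE,TCD,*,,
Z_ALL_MINUS_HR,S_TABU_DIS,ACTVT,*,,
Z_ALL_MINUS_HR,S_TABU_DIS,DICBERCLS,*,,
Z_ALL_MINUS_HR,S_DEVELOP,ACTVT,*,,
Z_ALL_MINUS_HR,P_ORGIN,INFTY,*,,X
Z_ALL_MINUS_HR,PLOG,OTYPE,*,,
Z_ALL_MINUS_HR,Z_OLD_CHECK,ACTVT,*,,
"""

# Constructed sample: objects that exist in the system today, with a
# simplified object class ("HR" marks what the role must not grant).
SYSTEM_OBJECTS = """\
object,object_class
S_TCODE,BASIS
S_TABU_DIS,BASIS
S_DEVELOP,BASIS
S_RO_OSOA,BASIS
P_ORGIN,HR
PLOG,HR
P_PERNR,HR
"""


def _rows(text):
    """Parse a CSV export into dicts with whitespace-trimmed values."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def active_role_objects(role_csv):
    """Map each object in the role to True if any of its rows is not deleted."""
    state = {}
    for row in _rows(role_csv):
        active = row["deleted"].upper() != "X"
        state[row["object"]] = state.get(row["object"], False) or active
    return state


def audit_snapshot(role_csv, system_csv, excluded_classes):
    """Compare a snapshot role with the system's current object list."""
    role = active_role_objects(role_csv)
    system = {r["object"]: r["object_class"].upper() for r in _rows(system_csv)}
    excluded = {c.upper() for c in excluded_classes}
    findings = {"unknown_to_role": [], "excluded_but_active": []}
    for obj, cls in sorted(system.items()):
        if cls in excluded:
            # The "minus" part: an excluded object must not be active in the role.
            if role.get(obj):
                findings["excluded_but_active"].append(obj)
        elif obj not in role:
            # Drift: the object was introduced after the snapshot was taken.
            findings["unknown_to_role"].append(obj)
    # Objects the role still carries although the system no longer defines them.
    findings["stale_in_role"] = sorted(o for o in role if o not in system)
    return findings


if __name__ == "__main__":
    for finding, objects in audit_snapshot(ROLE_EXPORT, SYSTEM_OBJECTS, {"HR"}).items():
        print(f"{finding}: {', '.join(objects) or '-'}")
```

Running the comparison after every Support Pack or upgrade turns the "bound to fail sooner or later" case into a reviewable list instead of a production authorization error.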

  • Error in MSS HCM Processes and Forms Overview

    Hi all,
    Currently we are working on ESS/MSS from NW 7.3 portal.
    When I open HCM Processes and Forms Overview from MSS, it prompts me to change the password again and again.
    And for some users HCM Processes and Forms Overview is not shown properly.
    Error while processing your query
    What has happened?
    The URL call http://<host name>:1080/sap/bc/webdynpro/sap/asr_pa_pd_processes_display was terminated because of an error.
    Note
    The following error occurred in system BEQ : Parameter has invalid value: Parameter TSTMP1 has invalid value 0 .
    The error occurred on application server MUMSAP02_BEQ_00 and in work process 8 .
    The termination type was: RABAX_STATE
    The ABAP call stack was:
    Method: SUBTRACT of program CL_ABAP_TSTMP=================CP
    Method: SUBTRACT_TIMESTAMPS of program CL_HRASR00_PROCESS_UTILITIES==CP
    Method: GET_CURRENT_TIME_DATA of program CL_HRASR00_PROCESS_UTILITIES==CP
    Method: START_TRACKING of program /1BCWDY/LA89BHH7CSECCUXGQD7Z==CP
    Method: IF_COMPONENTCONTROLLER~START_TRACKING of program /1BCWDY/LA89BHH7CSECCUXGQD7Z==CP
    Method: HANDLEDEFAULT of program /1BCWDY/LA89BHH7CSECCUXGQD7Z==CP
    Method: HANDLEDEFAULT of program /1BCWDY/LA89BHH7CSECCUXGQD7Z==CP
    Method: IF_WDR_VIEW_DELEGATE~WD_INVOKE_EVENT_HANDLER of program /1BCWDY/LA89BHH7CSECCUXGQD7Z==CP
    Method: INVOKE_EVENTHANDLER of program CL_WDR_DELEGATING_IF_VIEW=====CP
    Method: DISPLAY_TOPLEVEL_COMPONENT of program CL_WDR_CLIENT_COMPONENT=======CP
    What can I do?
    If the termination type is RABAX_STATE, you will find more information on the cause of termination in system BEQ in transaction ST22.
    If the termination type is ABORT_MESSAGE_STATE, you will find more information on the cause of termination on the application server MUMSAP02_BEQ_00 in transaction SM21.
    If the termination type is ERROR_MESSAGE_STATE, you can search for further information in the trace file for the work process 8 in transaction ST11 on the application server. MUMSAP02_BEQ_00 . You may also need to analyze the trace files of other work processes.
    If you do not yet have a user ID, contact your system adminmistrator.
    Error Code: ICF-IE-http -c: 350 -u: ISHAJI -l: E -s: BEQ -i: MUMSAP02_BEQ_00 -w: 8 -d: 20130514 -t: 133514 -v: RABAX_STATE -e: UNCAUGHT_EXCEPTION -X: D4AE5218F8121ED2AF8DA00F61FBEAC0_D4AE5218F8121ED2AF8DA00F5D19EAC0_1 -x: 006DBCE20F7BF1E58AC0D4AE5218F812
    HTTP 500 - Internal Server Error
    Your SAP Internet Communication Framework Team
    Please suggest me the solution.
    Regards,
    Devendra

    Dear Andrea,
    I reset the password of the backend user and gave the sap_all and sap_new roles.
    Last time it prompted the screen in MSS to change the password. (See above screen shot).
    But after resetting the password, an error is shown instead of the login screen in MSS, as below:
    Error while processing your query
    What has happened?
    The URL call http://<host name>:1080/sap/bc/webdynpro/sap/asr_pa_pd_processes_display was terminated because of an error.
    Note
    The following error occurred in system BEQ : Parameter has invalid value: Parameter TSTMP1 has invalid value 0 .  
    The error occurred on application server MUMSAP02_BEQ_00 and in work process 7 .
    The termination type was: RABAX_STATE
    The ABAP call stack was:
    Method: SUBTRACT of program CL_ABAP_TSTMP=================CP
    Method: SUBTRACT_TIMESTAMPS of program CL_HRASR00_PROCESS_UTILITIES==CP
    Method: GET_CURRENT_TIME_DATA of program CL_HRASR00_PROCESS_UTILITIES==CP
    Method: START_TRACKING of program /1BCWDY/LA89BHH7CSECCUXGQD7Z==CP
    Method: IF_COMPONENTCONTROLLER~START_TRACKING of program /1BCWDY/LA89BHH7CSECCUXGQD7Z==CP
    Method: HANDLEDEFAULT of program /1BCWDY/LA89BHH7CSECCUXGQD7Z==CP
    Method: HANDLEDEFAULT of program /1BCWDY/LA89BHH7CSECCUXGQD7Z==CP
    Method: IF_WDR_VIEW_DELEGATE~WD_INVOKE_EVENT_HANDLER of program /1BCWDY/LA89BHH7CSECCUXGQD7Z==CP
    Method: INVOKE_EVENTHANDLER of program CL_WDR_DELEGATING_IF_VIEW=====CP
    Method: DISPLAY_TOPLEVEL_COMPONENT of program CL_WDR_CLIENT_COMPONENT=======CP
    What can I do?
    If the termination type is RABAX_STATE, you will find more information on the cause of termination in system BEQ in transaction ST22.
    If the termination type is ABORT_MESSAGE_STATE, you will find more information on the cause of termination on the application server MUMSAP02_BEQ_00 in transaction SM21.
    If the termination type is ERROR_MESSAGE_STATE, you can search for further information in the trace file for the work process 7 in transaction ST11 on the application server. MUMSAP02_BEQ_00 . You may also need to analyze the trace files of other work processes.
    If you do not yet have a user ID, contact your system adminmistrator.
    Error Code: ICF-IE-http -c: 350 -u: IKHASU -l: E -s: BEQ -i: MUMSAP02_BEQ_00 -w: 7 -d: 20130514 -t: 175940 -v: RABAX_STATE -e: UNCAUGHT_EXCEPTION -X: D4AE5218F8121ED2AF923E065A39EAC0_D4AE5218F8121ED2AF923E394271EAC0_1 -x: F091BCE2D132F1D58AC0D4AE5218F812
    HTTP 500 - Internal Server Error
    Your SAP Internet Communication Framework Team
    I checked log in ST22 as below
    What happened?
        The exception 'CX_PARAMETER_INVALID_RANGE' was raised, but it was not caught
         anywhere along
        the call hierarchy.
        Since exceptions represent error situations and this error was not
        adequately responded to, the running ABAP program
         'CL_ABAP_TSTMP=================CP' has to be
        terminated.
    Error analysis
        An exception occurred that is explained in detail below.
        The exception, which is assigned to class 'CX_PARAMETER_INVALID_RANGE', was not
         caught in
        procedure "SUBTRACT_TIMESTAMPS" "(METHOD)", nor was it propagated by a RAISING
         clause.
        Since the caller of the procedure could not have anticipated that the
        exception would occur, the current program is terminated.
        The reason for the exception is:
        Parameter has invalid value: Parameter TSTMP1 has invalid value 0.
    Regards,
    Devendra

  • Problem in Logon to Shop Admin in CRM 5.0

    Dear All,
    Need some urgent help.
    We are on CRM ISA MSA 5.0 & on HP-UX 11.11.
    We are facing a problem in our CRM box due to which we are unable to proceed further. We have our CRM IST box (CRI) in which we need to configure the shop admin.
    In our CRM dev box (CRD), the link works, opens fine and we are able to login with the username and password with the shop admin rights.
    But when we are accessing our CRI box's shop admin (our CRM IST box is a copy of the CRM Production system) with the same and even more admin rights (the user has all the java admin and sap_all & sap_new profiles/roles), it says "Logon is invalid; check your entries" even though our user details are absolutely correct, as we are able to log in with the same username and password in the SAPGUI.
    My question is what could be the issue?
    1. Do we need to do any settings in XCM? The jco connection is set properly. I am able to see the first page of the webshop but not able to log in. I have switched on the authorization trace on the CRM system as well, but there are no authorization issues.
    2. Even in visual admin, the application is up and running. Is there any setting to be done here?
    Please help me out of this issue.
    Thanks & will surely reward points for any hints.
    Thanks a lot in advance for your help.
    Warm Regards,
    Rajeet
    +41 79 328 8454 (cell)

    Hi All,
    If the J2EE used to run before, it cannot be a case of wrong parameters in SMICM.
    Are you aware if during start up there was some bulky data getting processed?
    Sometimes this happens; probably checking the start up log can be a good idea.
    Another restart will do the trick if the log does not give anything specific.
    You can open a Customer message as well for SAP.
    Regards
    Piyush

  • Transactional access to Communications and System ID

    Hello Experts,
    Can the communications Id execute transactions in SAP other than performing RFC execution?
    Is it a suggested solution to let these non-dialog id's have transactional access from Audit perspective?
    Appreciate your inputs.
    Regards,
    Sandeep

    Sandeep,
    Communication users and system users are both non-interactive accounts. I consistently use system accounts. I found that communication accounts need to have their password changed on first logon, which is somewhat cumbersome with a non-dialog account....
    If you notice RFC user profiles, they usually have SAP_ALL, SAP_NEW. They are able to execute the transactions.
    There are reasons for denying SAP_ALL in PS environment.
    No-one should have this in any system. SAP_ALL enables you to 'jump' systems using - for example - tx. SM59. They might in this way also jump to your PRD system AND - depending on the authorizations of the SM59 user - might then have another SAP_ALL again. This is not to be tolerated.
    If you are giving SAP_ALL in production for RFC users, then you need to convince the auditors.
    Other option for SAP_ALL is the firefighter role.
    Communication:
      GUI login is not possible.
      Users are allowed to change password through some software in middle tier.
      Usage: These are used for login to system through external systems like web application.
    System:
      GUI login is not possible.
      Initial password and expiration of password are not checked.
      Usage: These are used for internal use in system like background jobs.
    Service:
      GUI login is possible.
      Initial password and expiration of password are not checked.
      Multiple logins are allowed.
      Users are not allowed to change the password. Only admin can change the password.
      Usage: These are used for anonymous users. This type of users should be given minimum authorization.
    Dialog and service are both the same; the only difference in service user type is no password expiry.
    The user is still able to log on through the GUI.
    Thanks,
    Sri

  • Exception Class CX_BSP_WD_HTTP_RESPONSE_ERROR

    Hi,
    In my scenario i am having two different application server aap1 and aap2 , and the SICF settings are already maintained as per the sap note.
    I am having SAP_ALL and SAPNEW roles assigned to me, now when I am using IC_AGENT role I am getting this particular error.
    Request you to please suggest what can be done.
    Regards,
    Mayank

    Mayank,
    This could be for any number of reasons. Could you paste the full error text?
    Meanwhile, go through this thread (Re: CRM URL Exception -- SICF??), which discusses SAP Note 857535.
    Also go through Note 1435887 - Problems when loading runtime repositories. Also, try going to transaction SAAB and activating checkgroup BSP_WD_EXCEPTION_DISPLAY and see the log there when the error reoccurs.

  • Security profiles for configurators and developers

    hello experts,
    is there a generic (standard) profile for:
    1) functional configurators that are not allowed to touch development objects, and
    2) developers that are not allowed to perform functional configuration?
    I am familiar with the S_DEVELOP authorization object; is there a way to exclude the customizing tables from the list of objects?

    Tiberiu,
    You cannot disable (deactivate) them all at once. You will need to disable 1 object at a time. Like I said, this option is cumbersome, but it will make sure that your Functional Consultants do not have access to Basis Objects and still have access to all the Functional ones.
    In case you are not aware of how to copy sap_all in a role, do this.
    1. Create a role using PFCG.
    2. Go to the Authorizations tab.
    3. Click change.
    4. Copy sap_all from the list of profiles that you will get.
    5. To disable, you will need to go to each object and click on the small green rectangle/square to the left. It will say "deactivate" if you place your mouse cursor on it.
    A few more comments/suggestions from my side
    Work out with your team to whom you want to provide the access. Let them (the functional team) come with what access they need and accordingly provide the access.
    If you can do that, great ! If the Functional Team members are non-cooperative, then you don't really have a choice. Again, if this is a Prod system, don't do what I said. That is too liberal an access. If it is Dev it should be okay. QA is also debatable.
    Inactivate the objects which are not needed and provide display activity for the objects which you are not sure.
    I would say disable the objects that you are not sure about rather than giving Display access. Display access to S_TABU_DIS can be an audit issue in some cases.
    There will still be some authorization issues since some transactions change tables. But you can always add the ones needed.
    Kunal

  • ESS team calendar appears extremely slow

    Hello,
    we use employee self services with a SAP NetWeaver Portal 7.0.
    A few days ago we installed patch level 38 to our SAP HR 600. Since then the team calendar view in our portal appears extremely slow.
    We get no error message and the leaving times and names of clerks in our departments are shown, but it takes several minutes - before, it was viewed within a few seconds.
    Other functions, for example creating a leave request, work fine and in normal time.
    Does anyone here have this issue or an idea how to solve it, too?
    Kind regards,
    Marco

    Hey colleague,
    Maybe you have created an inconsistency on your support package levels. Check my wiki page to see if you are fulfilling all requirements of the SP stack you are on:
    https://www.sdn.sap.com/irj/scn/wiki?path=/display/profile/marcio+leoni
    As well, try running db statistics for the HRP tables, also try to reproduce the issue using a "clean user". Only with SAP_ALL and SUPER_ADMIN roles...
    Cheers,
    Márcio

  • Purchaser cannot process SHC in SOCO for SRM 7.0

    Hi Experts,
    Please note that we are using SRM 7.0 with ECC 6.0 latest version.
    We are having the following issue in accessing SHC in the Sourcing Cockpit.
    1) Employee creates SHC. SHC is approved.
    2) Purchaser tries to assign source of supply during carry out sourcing, but when Purchaser selects SHC and clicks on next,
    SRM is giving the following message.
    "The attributes of the user are inconsistent or not defined. See transaction PPOMA_BBP".
    When we check for org and user attributes,everything is fine(green).
    For Purchaser,we have both ST and OP purchaser in both GUI and Portal.
    Interestingly,
    1) If we give purchaser SAP_ALL profile,we will not get the above error.
    2) If we assign the Admin role to purchaser,we will not get the above error.
    Can someone tell what could be the issue for the purchaser in accessing the Sourcing Cockpit?
    We need a solution without SAP_ALL and Admin roles for Purchaser.
    Thanks in advance.
    KR,
    Nagesh Sri

    Hi,
    In order to process the SC from Sourcing Cockpit, we should have the authorization for t-code BBPSOCO01 in our User roles.
    So, you can check the z-roles in your system with this t-code authorization in SUIM and add to your profile.
    Hope this helps.
    Regards,
    Sheetal.
