SAP_ALL Display

Similar Messages

• How to create SAP_ALL Display Role without HR Transactions.

  Hi,
  Can someone help mem create an SAP_ALL Display only Role without HR Transactions.
  It takes lot of time to create a New role with SAP_ALL Template and manually change the Activity to display and de-activate HR Objects.
  Please let me know if there is any faster way to do this.
  Regards,
  MASQ.

  > Please let me know if there is any faster way to do this.
  Nope, there isn't. Besides that, only changing activity fields will not result in a display-only role. As said, please use the search and browse through the sticky threads.

• Issues with SAP_ALL - Display only

  Dear SAP security experts,
  I created a Role SAP_ALL_DISPLAY inherited from SAP_ALL profile. I made sure that ACTVT is 03 for all areas. But still it is allowing for some Tcodes like below :
  RSA6 -- It is allowing to delete, change, create ...extractors. This is very dangeours
  SM37 -- It is allowing to delete BG jobs..etc
  .....some more I did not know...dont have time to check.
  tcodes like RSA1...SCC*..SPRO... are OK. If finger the check indicators in SU24 for the above tcodes(RSA6,SM37..), what are the bad consequences?. How to fix this in an easy way?
  Thank you very much

  I guess this needs to be created as an FAQ
  - There is no such thing as SAP_ALL_DISPLAY
  - Proposal: create a "display only"  role for each functional area in your organisation, i.e. something you could give to every employee working in that area.
  - There are LOTS of transactions that couldn't care less about what you put in ACTVT!
  - There are display transactions that you do not want to give to people (confidentiality)
  - Furthermore, check for ACTVT might be deactivated in SU24
  In a nutshell: don't do that. Find out what the exact requirements for that role are, and create it like that. The way you do it now will have many more backdoors than you will ever be able to fix. How are you going to control/audit misuse?
  Alternatively: look at SAP GRC Access Controls and evaluate the FireFighter application - this might help.
  Sorry, no easy answer here.
  Frank.

• SAP_ALL Display only

  Hi everyone,
  Is there a standard SAP profile that would be the equivalent of the SAP_ALL profile but with only read/display activities allowed?
  I believe they may be one for HR but I am after one that would cover all modules.
  If not can anyone think of a quicker way to create such a profile apart from creating a copy of the SAP_ALL profile and removing any activities in all objects that are not read or display related activities?
  Thank you
  Coco

  You will have to build one yourself if you want to know how search this forum as it has been discussed many times.

• Display Only SAP_ALL

  Hi,
  What is the easiest way to create a copy of SAP_ALL that is Display only?
  Thanks

  This has been answered many, many times.  A recent one is:
  SAP_ALL DISPLAY only
  If you use the search box at the top of this forum for SAP_ALL_DISPLAY you will get plenty of responses.
  To create a real SAP_ALL display takes quite a wuile as it involves a lot more than changing activity values to display ones.  To start with, you need to be very careful about what you allow in the S_* objects.

• SAP_All in Display mode

  Hi All,
  can i provide SAP_All profile access in display to any user ? if yes , please let me process to create it.
  Thanks
  Andrew

  Hi Andrew ,
  You need to create the role manually for SAP_ALL display .
  You will have to give   the  activity  field display ( value 03 ) only in all the objects.
  Regards,
  Nibu

• Only Display Authorizations User ID..

  Dear Experts,
  I want to create a User ID in SAP ECC 5.0 which have all SAP System authorizations, but only in Display mode...
  Meaning, the user can access all possible SAP T-codes but cannot create or modify anything... He has only Display rights...
  Can you please suggest me what to do?
  Thanks,
  Jignesh Mehta

  Hi Jignesh,
  there are already some threads here in this forum regarding display-only users/authorizations. One good entry point for your search is sap_all-display.
  Pleae make use of the search function!
  Thank you,
  b.rgds, Bernhard

• Error - You may display spool list from your own jobs..

  Hi Team,
  I have created a SAP_ALL Display role for our maintainence members and whenever they are trying to view the spool log in sm37 they are getting the Error - You may display spool list from your own jobs..
  I have checked the following objects :S_SPO_ACT and S_SPO_DEV all those have full authorizations and regenerated and done a user compare and then checked ..getting the same error..
  Could you pls provide your vauable suggestions..
  Regds,
  Satyanarayana N.

  Hello Satya,
  Normal users hardly need access to s_btch_adm with value *. I wonder if your security auditors would agree to it.
  Also 3 is not a valid value for s_btch_adm. Either it can be Yor N. Y mean that the user is batch administrator while N means the user is not. Of course * encompasses all. Try first with N and see if the users are able to see the spool.
  If not then do you have mutiple clients in your system? If so make sure users are trying to see the spool in the correct client i.e they are trying to check a spool generated in client X after logging into client X only.
  Regards.
  Ruchit.

• Authorization for display_all

  Hi Friends,
                 Any one help me to create a profile (or) a role to give Display all the T-codes in Customizing screen.

  Hi Vasantha Kumar,
  This question has been asked quite a few times. You can search this forum for 'SAP ALL DISPLAY' term. Please check the some of threads below.
  Restriction SAP_ALL_DISPLAY
  SAP_ALL DISPLAY only
  Display role for all transactions
  I hope this will help.
  Regards,
  Prasad M. Musale

• Security Role

  Is there a "SAPALL" for display authorization only?

  Kevin,
  This question has been posed several times.  Do a search on display in this forum and you will see several threads on the topic.
  There is not a true sap_all display out of the box.
  Cheers,
  Ben

• Restrict Authorization in SAP_ALL & SAP_NEW for SCC4 T-CODE only display

  hi,
  I want  to restrict 'Change' mode for SCC4 T-CODE to devuser having complete authorization with profiles SAP_ALL and SAP_NEW. Only 'Display' should be allowed for SCC4. For devuser no roles are assigned.
  For Other Users Roles are assigned with restriction in Authorization at "Basis: Administration-> Table Maintenance (via standard tools such as SM30)> Activity" for authorization object S_TABU_DIS only 'Display' is allowed.
  Abhijit.

  Jurjen Heeck wrote:>
  >... something else to make a part of SAP_ALL not work?
  2 ideas:
  - If the regeneration of SAP_ALL could check that the user running it does not have any SAP_ALL authorizations? Meaning, they would need to know exactly which non-SAP role authorizations (their technical names) have that authority in it. Many folks who only work with SAP_ALL don't know how to do that
  - If there were some way to isolate the program parts which are required to change SCC4 such that they can only be run with root priveleges, then you do not need to give your SAP system (with SAP_ALL) root access...?
  Disclaimer: Just ideas! Complete overkill!!
  => Does restricting the user's access sound like a much easier idea now?
  Cheers,
  Julius

• Fact Sheet in CIC0 - Display Issue

  All
  Hope you can help.  I am in the process of tidying up the roles & profiles through the users on our CRM system.
  We have a small number of users that use the FACT SHEET within trnsx CIC0, they used to have SAP_ALL assigned to them which I have now removed, this now has removed the Marketing Attributes section from view from the FACT SHEET
  I have ran AUTH Checks to assist and added where applicable - does anyone know why this area is not being displayed
  any help would be appreciated.
  regards
  Barry

  Bruno
  Thanks for replying.  I have ran \nsu53 to do the auth check and added objects as needed but still no display.
  However - during replying to your message I went back into BP to modify the Marketing Attributes of a customer and received 'You are not authoriesed' - this required object C_TCLA_BKA, after adding this I could now see the Marketing Attributes in the FACT SHEET
  so thanks
  Regards
  Barry

• How to check if a user has SAP_ALL in a program?

  Hi:
  I want to create a program that will check if the user has SAP_ALL. Is there a standard FM or BAPI?. Otherwise, can someone pelase help.
  Thank you.
  Seshagiri Gopi

  Hi,
  Please check the below link:
  http://wiki.sdn.sap.com/wiki/display/BI/AuthorizationinSAPNWBI
  Regards,
  Nilesh.

• Data of customize BSP in Enterprise Portal is not displayed

  Dear All,
  I stuck on to find out the solution, in order to display FAQ list in BSP Enterprise Portal by using customer id to logon to Enterprise Portal, need your guide.
  Let me explain:
  It is customize/own develop BSP application, which is search FAQ (maintain in trxn: crmd_iia_faq) based on product. This is done by calling standard FAQ FM in BSP code, pass in product GUID to retrieve list of FAQs, and display FAQs list in the BSP page. Also, from the FAQ details, call standard Problem and Solution FM to get the details of Problems and Solutions, and then display Problems and Solution in another BSP page.
  In the other words, this custom BSP application display data which is maintain in transaction code: COMMPR01, CRMD_IIA_FAQ, and IS01.
  Setup in portal to display this iview/BSP application is done, because I manage to access the main BSP page in portal after logon with customer ID.
  Difference result:
  1.     Run BSP standalone in CRM:
  When I execute/run/test this bsp application standalone in se80 after logon to sapgui by using customer id, bsp data is displayed, which is working fine.
  2.     When I access/run this bsp through portal after logon portal with customer id, bsp data is not displayed, which is not working correctly.
  Things that I had tried:
  1.     customer user profile:
  •     Tried assign different profiles of customer id, my problem is not solved. I even add SAP_ALL profile to customer ID.
  [Result] no BSP data is displayed.
  2.     customer user role:
  •     standard role, SAP_PCC_CHANNELMANAGER (assign standard role to customer ID):
  a.     Go to trxn code: CRMC_BLUEPRINT_C -> layout of UI (PCUI) -> Look for standard role in “assignment of crm object method to role” -> get a standard role which is relate to problem and solution: SAP_PCC_CHANNELMANAGER.
  b.     Go to trxn code: CRMC_BLUEPRINT_C -> layout of UI (PCUI) -> Navigation (URL generation) -> assign portal role to single role -> SAP_PCC_CHANNELMANAGER is assigned to portal role: com.sap.pct.crm.channelmanager.
  c.     Go to trxn code: SU01 -> add role, SAP_PCC_CHANNELMANAGER into customer ID.
  d.     run the portal and access BSP application
  [Result] no BSP data is displayed.
  •     Create new role, ZSAP_PCC_CHANNELMANAGER:
  a.     go to trxn code: PFCG -> copy standard role, SAP_PCC_CHANNELMANAGER to customize role -> access authorization tab -> look for “authorization for BSP applications” -> change “Application Scenario” and “View for UI display” to “*”.
  b.     Go to trxn code: CRMC_BLUEPRINT_C -> layout of UI (PCUI) -> Application/Layout -> add new entry to View, view named as Z_ESERVICE.
  c.     Go to trxn code: CRMC_BLUEPRINT_C -> layout of UI (PCUI) -> add new entries into “assignment of crm object method to role” (copy SAP_PCC_CHANNELMANAGER).
  i.     Role:           ZSAP_PCC_CHANNELMANAGER
  Object type:      PROBLEMSOLUTION
  Method:          APPLICATION
  Priority:           62
  Implementation type: BSP on Portal Page
  Application :     CRMM_SDB_SOL
  View:           Z_ESERVICE (also tried without assign any view)
  ID Page/Service: pcd:portal_content/com.sap.pct/specialist/com.sap.pct.crm/com.sap.pct.crm.roles/com.sap.pct.crm.channelmanager/com.sap.pct.crm.chm.cma.service_center/com.sap.pct.crm.adm.ei.know_admin.solutions
  Portal Context:      Blank
  ii.     Role:           ZSAP_PCC_CHANNELMANAGER
  Object type:      PROBLEMSOLUTION
  Method:          DEFAULT
  Priority:           62
  Implementation type: BSP on Portal Page
  Application :     CRMM_SDB_SOL
  View:           Z_ESERVICE (also tried without assign any view)
  ID Page/Service:
  pcd:portal_content/com.sap.pct/specialist/com.sap.pct.crm/com.sap.pct.crm.roles/com.sap.pct.crm.channelmanager/com.sap.pct.crm.chm.cma.service_center/com.sap.pct.crm.adm.ei.know_admin.solutions
  Portal Context:      Blank
  iii.     Role:           ZSAP_PCC_CHANNELMANAGER
  Object type:      SYMPTOM
  Method:          APPLICATION
  Priority:           62
  Implementation type: BSP on Portal Page
  Application :     CRMM_SDB_SYM
  View:           Z_ESERVICE (also tried without assign any view)
  ID Page/Service:
  pcd:portal_content/com.sap.pct/specialist/com.sap.pct.crm/com.sap.pct.crm.roles/com.sap.pct.crm.channelmanager/com.sap.pct.crm.chm.cma.service_center/com.sap.pct.crm.adm.ei.know_admin.symptoms
  Portal Context:      Blank
  iv.     Role:           ZSAP_PCC_CHANNELMANAGER
  Object type:      SYMPTOM
  Method:          DEFAULT
  Priority:           62
  Implementation type: BSP on Portal Page
  Application :     CRMM_SDB_SOL
  View:           Z_ESERVICE (also tried without assign any view)
  ID Page/Service:
  pcd:portal_content/com.sap.pct/specialist/com.sap.pct.crm/com.sap.pct.crm.roles/com.sap.pct.crm.channelmanager/com.sap.pct.crm.chm.cma.service_center/com.sap.pct.crm.adm.ei.know_admin.symptoms
  Portal Context:      Blank
  d.     Go to trxn code: CRMC_BLUEPRINT_C -> layout of UI (PCUI) -> Navigation (URL generation) -> assign portal role to single role -> ZSAP_PCC_CHANNELMANAGER is assigned to portal role: com.sap.pct.crm.channelmanager.
  e.     Go to trxn code: SU01 -> add role, ZSAP_PCC_CHANNELMANAGER to customer ID.
  e.     run the portal and access BSP application
  [Result] no BSP data is displayed.
  •     Maintain existing customize role, which is used to display Activity:
  a.     Go to trxn code: CRMC_BLUEPRINT_C -> layout of UI (PCUI) -> Navigation (URL generation) -> assign portal role to single role, I check the configuration has done in CRM to assign/map this BSP role to portal role.
  b.     go to trxn code: PFCG  -> open existing customize role -> access Authorization tab -> click on "change authorization" button -> search existing Application scenario -> add '' inside (also try with certain standard scenario which is relate to product, FAQ, solution, problem) -> search existing view for UI display -> add "".
  a.     run the portal and access BSP application
  [Result] no BSP data is displayed.
  Questions:
  1.     Is my problem related to role setup of customer ID?  If yes, can guide me how to create authorization, which is related to product, FAQ, problem, and solution, to customer ID?
  2.     Is it possible that my problem cause by missing/wrong portal role setup or wrong mapping between CRM role to Portal Role? If yes, can guide me how to check authorization of customer ID in portal, which is related to product, FAQ, problem, and solution?
  3.     Any other reason that cause this problem?

  If you know the BSP application name, then you can check this on /SE80 and get the bsp component details.
  Regards,
  James

• How to restrict FBL1N only to display access

  Hi,
  I need some help in restricting access for FBL1N.   The requirement is the user should be able to only display the vendor items  for the given opcos.  I created a test role for this tcode and maintained the activity for all the auth objects to 03.   But still user is able to change the vendor details.   When ran trace, it was showing the access to Tcode FB02.  but not sure how the test user is getting this access as the test role does not contain FB02 and user does not have any other role. Please advise
  Regards
  Kavitha

  Raghu Boddu wrote:
  Hi Kavitha,
  >
  > FBL1N internally calls lots of tcodes and FB02 is one among them. Check the table TCDCOUPLES.
  >
  > I don't think this restriction is possible only with adding 03 activity for the F_LFA1*  and F_BKPF* objects.
  >
  > If you check FBL1N in SU24, there are a few other authorization objects that are in check state. You need to make them check maintain and further maintain the activites in the individual roles.
  >
  > However, this may impact on the current roles that have FBL1N transaction code.
  >
  > Hope this helps!!
  >
  > Regards,
  > Raghu
  Despite the SAP_ALL removing the authorization problem.... I would like to enquire about this post.
  Can you please explain each of the statements you have made and provide some evidence?
  If the user has the correct authorizations then they are are wrong and the "check" and "check/maintain" status has no impact on the coding in customer type systems.
  Cheers,
  Julius