SAP_ALL minus SPRO

Similar Messages

• SAP_ALL Minus HR Roles

  Hi...
  My requirement is to provide the Full access but with out All HR authorizations for few users.
  That means it's like I need to create a Role SAP_ALL Minus(-) HR_ALL Authorizations
  Is there any Standard Role for this Or any way to create the role with the above requirement.
  Thanks in advance..
  Handhu
  Edited by: Haranadha Babu Gurajada on Apr 2, 2009 7:26 AM
  Edited by: Haranadha Babu Gurajada on Apr 2, 2009 7:28 AM

  Hi,
  SAP_ALL consists of all the profiles
  create a new role and assign all the profiles except HR profiles this would take time.
  this is the only way..
  REgards,
  Nitin

• Create a role with everything except parameterization option

  Hello,
  We need to create a new role with all object except parameterization
  option.
  How we can create it?
  Best regards,
  Julene González

  I had no idea that we had discussed SPRO that often...
  As you can see from the thread Alex pointed out ( [this one|https://forums.sdn.sap.com/click.jspa?searchID=19779873&messageID=6581648] ) it is also usefull to know which system in the landscape this role is destined for.
  Assuming this is for the QAS system, why don't you identify all the business roles for the production system (those which do not permit customizing in production either, nor user admin and other "basis" tasks, nor development work...etc...) and assign them all to the users (I assume these are support users).
  They should be in QAS already, and if your client settings are correct (T), you will experience the same or a very similar result.
  Of course they won't have "SAP_ALL minus SPRO", but they will have what you are actually using for the "real users"... in production (except it will be in QAS).
  That way they have also have a more realistic testing experience with the correct roles (only).
  Just a thought,
  Julius

• How to remove SPRO from SAP_ALL profile

  Hi Friends,
  Since my client needs access to SAP but we dont want to give them SPRO Tcode authorization.
  So i would like to have your advice on that so as wht to be done and how can we create a profile without SPRO Tcode.
  Regards
  Ayush

  Ayush Johri wrote:
  > I think its not that difficult, although i dont know this. but i have heard people saying that they have made SAP_ALL profile without SPRO...
  It is easy to copy SAP_ALL and create a role without SPRO
  This will not stop people from accessing the functions behind SPRO for the reasons posted before.
  Lots of people claim they create a SAP_ALL without SPRO, I will bet £1000 (I know it's worth many euro's at the moment) that 90%+ of those roles which people think have SPRO removed will not stop people accessing config.
  Ask yourself this question....
  If you build a house do you:
  1. Buy a giant piece of rock and cut holes in it
  2. Build it from components - bricks, windows, doors etc

• Ability to filter gateway logging and simulate "go lives"...

  Dear gurus,
  For those of you have attempted to maintain secinfo and reginfo files (and now any proxy and message servicer ACLs) the subject title should be enough said.
  The local and internal contexts account for 99% of the starting and registering of external programs. These create a huge amount of racket in the logging and in the case of secinfo dont give you the USER-HOST unless you activate additional filters, which effectively doubles the trace logging file size.
  I would like to create a "functionality wishlist" in the wikis for two new features, but first wanted to test the ideas here and see whether there is agreement:
  1) gw/ignore_info parameter
  A file which allows certain entries not to be logged, particularly the "local" and "internal" HOST and USER-HOST entries which are anyway contained by the authorization conceot for transactions such as STMS and SM69 and SM37 (as well as some function modules which respect the application concepts, such as SXPG FMs).
  This would mean one can only log (and have to read...) exceptions which are truely started or registered remotely!
  2) gw/simulate_info parameter
  A file which can represent the secinfo and reginfo files to show what would have happened if the real files were active.
  The problem is that one cannot realistically test and let alone transport the files from DEV to QAS to PROD. You have to take risks when going live in PROD as the partners and jobs and various other dependencies (call backs) only happen there. Customers are very scraed of such Go-Lives regardless of the support offered (I sometimes spend the night clicking on a refresh button...). The ability to simulate the affect of an active secinfo and reginfo would be very cool.
  Any support? If I have a few "thumbs up" then I will create a wiki for it after some discussion about whether a better approach is possible.
  For sure something needs to be done, as if client systems using outbound gateway registrations fail to accept critical business data which then creates inconsistencies (customers hate that, even the thought of it!) then there is most likely no second chance to secure the gateway or RFC in general again.
  Aye or nay or better suggestion?
  Cheers,
  Julius

  What irritates me most is assumption security = SoD.
  I try my best to move those to the GRC forum without delays... You can however also control many non-application specific parts of a SAP system from ABAP transactions and these are controlled by ABAP authorizations. ABAP is very powerful... A few examples are SE14, SM69 and (revelant to this example) also SMGW to transfer the control to the application layer by forcing it (local context of the USER-HOST). So authorizations are also important and omni-present (execpt for the config tool on the Java Stack...
  While I am ranting another one is when you define your roles you are done with security for next 5 years and there is no need for budget. Who cares about patch Tuesdays and many other things.
  A classic example of such a "5 year works out of the box" example, is a SAP_ALL minus a few things type role (imported manual authorizations into the role from SAP_ALL). That is a snapshot of SAP_ALL and any new objects introduced (with proposals introduced hopefully as well in SU24) will be unknown to it when you apply Support Packs or upgrade or add custom checks. It is bound to fail sooner or later, even although you think it cannot go wrong. A proliferation of SAP_NEW is a nice example of the symptom.
  Currently the new object S_RO_OSOA is causing all sorts of havoc in this area (woth keepng an eye out for that one if it has not confronted you yet!) ....
  Cheers,
  Julius

• How disable SPRO from Sap_new and Sap_All profile

  Hello,
  One of my training ID have SAP_NEW AND SAP_ALL. From the particular user how can I disable SPRO transaction.
  Please help
  Regards
  Kariyath

  Hello Kariyath,
  My understanding is that you want the user to just not have access to SPRO though rest all is okie. You should try changing SAP_ALL and SAP_NEW as these are standard SAP. I would suggest that you remove SAP_ALL and SAP_NEW from user profile and instead assign him a role which will be same as SAP_ALL and SAP_NEW and then you can remove SPRO access from it. This would actually help you in monitoring authorizations in a better manner. Please use the following steps for it.
  Create a new role in PFCG.
  Don't assign any transactions in role menu. Go to Authorizations tab and open it in expert mode for profile generation.
  Now go to edit->Insert Authorizations->Full authorizations.
  This would give SAP_ALL and SAP_NEW to the role. next go to authorization object S_TCODE.
  Here you will find the value as *. You need to change it. Make it:
  A* to SPRN*
  SPRP* to Z*.
  Now remove SAP_ALL from the user and assign him this role.
  But while the user won't be able to execute SPRO it doesnot mean that he won't be able to execute other transactions that are within SPRO for example OB52,SALE etc. If you requirement is just SPRO specific then this issue is solved but in case you need it for other ransactions then you need to define the values in s_tcode accordingly.
  I hope this should be able to solve the issue. Please award points accordingly.
  Regards.
  Ruchit.

• Spro full authorization without sap_all and sap_new

  Hi Friends,
  Can u suggest me how to give spro full authorization without sap_all and sap_new profile.
  Thanks & Regards,
  Tarun

  Hi Gowrinadh,
  This is an interesting discussion. I don't mean to take shots at your concept, but I have some concerns about it as a solution.
  > I have prepared a role 8 months back, we passed 2 patch upgrade cycles and I can confirm that this role will work even after the next version of ECC upgrade.
  Sometimes the symptoms only make themselves visible later, and we don't know what is coming in the next version of ECC. Of course it should be largely compatable, but there will be new stuff. You can be sure of that.
  > If there are any modules or new functionalities required, then customer has to request for it in addition.
  My understand is that the customer requests a full and working SPRO role for each release. They will not find the tcodes for you and do not want to play ping-pong via support tickets either with it.
  So each time you bill your customer for the 20 or 40 hours work for maintaining these tcodes manually in ranges? Appart from being error-prone, this solution is not scalable for when SAP might introduce another 20000 tcodes into the SPRO. Or someone convinces SAP to introduce an S_TCODE check for every line of code the whole system... (this is something which some people seem to believe in...), which would introduce several billion new tcodes for you...
  > For which we can build separate role.
  That is different. The question here (and certainly your solution) is to have them in the same role without duplicates but still including all SPRO access.
  If you build them as seperate roles, then you can merge them as projects into one composite and live with the duplicates while checking for any known objects which should not be included.
  I would agree with you. That is in my opinion a better solution, but it is not what you have been describing earlier.
  > We can plan for authorizations and build roles based on the inputs for today and tomorrow received from customer.
  That is the whole point in having maintainable roles and scalable processes. Manually maintaining 20k tcodes is incompatable with such requirements.
  > By the way, the max no of consultants and business process owners having this role is not more than 40.
  I don't think that assigning the role to less people will make it more usefull, nor that assigning it to more people will bring down it's per user cost of maintenance.
  There is some old code posted here already which does what you have described in less than 1 minute. You can find it via the tables I have mentioned above, and will recognize it (and it's age)  by the header lines it uses for internal tables. But it still works, since about release 3 point something...
  Cheers,
  Julius

• Issues with SAP_ALL - Display only

  Dear SAP security experts,
  I created a Role SAP_ALL_DISPLAY inherited from SAP_ALL profile. I made sure that ACTVT is 03 for all areas. But still it is allowing for some Tcodes like below :
  RSA6 -- It is allowing to delete, change, create ...extractors. This is very dangeours
  SM37 -- It is allowing to delete BG jobs..etc
  .....some more I did not know...dont have time to check.
  tcodes like RSA1...SCC*..SPRO... are OK. If finger the check indicators in SU24 for the above tcodes(RSA6,SM37..), what are the bad consequences?. How to fix this in an easy way?
  Thank you very much

  I guess this needs to be created as an FAQ
  - There is no such thing as SAP_ALL_DISPLAY
  - Proposal: create a "display only"  role for each functional area in your organisation, i.e. something you could give to every employee working in that area.
  - There are LOTS of transactions that couldn't care less about what you put in ACTVT!
  - There are display transactions that you do not want to give to people (confidentiality)
  - Furthermore, check for ACTVT might be deactivated in SU24
  In a nutshell: don't do that. Find out what the exact requirements for that role are, and create it like that. The way you do it now will have many more backdoors than you will ever be able to fix. How are you going to control/audit misuse?
  Alternatively: look at SAP GRC Access Controls and evaluate the FireFighter application - this might help.
  Sorry, no easy answer here.
  Frank.

• Configuring Solution Manager: Alternative Role to SAP_ALL

  This is a general question regarding configuring Solution Manager and note 834534.  I am configuring Solution Manager 7.0 at a client site.  The main components that I am configuring are on the Monitoring and Operations side; for example, System Monitoring,  Service Desk, Issue Management, and Change Management for Maintenance Optimizer.  CHaRM will follow later on.  Additionally, the client would like to use the project side of Solution Manager.
  When I took training for Solution Manager from SAP, the SAP instructor advised the class to have SAP_ALL when configuring Solution Manager  The problem I am having is that the client will not issue me SAP_ALL in the Solution Manager instance, regardless of the recommendation in note 834534.  I can understand the client's reluctance to issue SAP_ALL, even though Solution Manager is not a financial system in of itself, however, I have found that I am constantly having to ask for authorizations as I step through the wizards and the Scenario-specific settings.  When I run into issues which require further investigation by running transactions to check certain settings that are not specifically tiedd to a wizard or scenario-specific setting transaction, I run into further delays as I ask for additional authorizations to troubleshoot issues.
  We have implemented the roles and assigned them to my ID in Solution Manager as outlined by the SAP Solution Manager Security Guide to the fullest extent possible; and I have been issued "Basis Roles" that the client issues to their Basis team.  Regardless of these actions, I still run into authorization issues.
  My question is, apart from the SAP Solution Manager Security Guides recommendations (which does not mention SAP_ALL), is there a role being developed, or has been developed that can be assigned to the Solution Manager configurator in lieu of SAP_ALL (as per note 834534)?  I would think that this issue has been raised before, particularly since many companies have implemented SOX controls and are skittish about issuing SAP_ALL.
  Your feedback is most appreciated.

  Thanks for the reply, Nesimi.
  While I appreciate that you do not use SAP_ALL, is that the case when you are configuring a brand new, clean system?  Are you using the Configuration Wizards with out SAP_ALL? I ask this because when I ran the first configuration wizard, one of the steps is to create a "configuration user", which creates a user with SAP_ALL. However, I cannot use that wizard generated user ID because it has the role SAP_ALL.
  In general, I am operating on 3 sources of information that says I need SAP_ALL to configure the system (not necessarily to operate it):
  1.  An SAP Instructor for the Solution Manager Operations and Monitoring Class
  2.  The IMG Activity "Create Configuration User" documenation in SPRO
  3.  Note 834534
  I will review the english version of the link http://help.sap.com/saphelp_smehp1/helpdata/de/40/8ac473d40943ddb23def12bdb33437/frameset.htm that you have thoughtfully provided. 
  With respect to note 123640, I am not sure if that solves my problem or answers the fundemental question that I have in that given the 3 sources I quoted above.  It seems to me that SAP's approach in indicating clearly that they prefer that the configuration user should have SAP_ALL is flawed given today's corporate governence policies.  Clearly this recommendation is only for the initial configuration, and SAP_ALL can be taken away and replaced by the roles and recommendations in the SolMan security guide; to maintain Solution Manager.  But when it comes down to the question "what do you need to configure Solution Manager, because we won't give you SAP_ALL", I am hard pressed to give an answer despite literally spending hundreds of hours researching "documenation" which does not give clear cut answers.  I think SAP needs to address this issue instead of taking the easy way out and saying you need "SAP_ALL" as illustrated in the 3 sources of readily available information cited above.

• Spro-- external service management

  Hi,
  in spro-> MM> ESM> define screen layout.
  if you open this IMG activity you will find the field selection key is having field sel1 and field selection 2
  in that row you will find *.......-+....+ ...*
  what is the meaning of this star, dots, plus, minus.
  how the settings are taken up here. how this settings done
  confused, not able to undertsand this?
  Pl explain this
  Thks, rgds
  Jyoti
  Edited by: Jyoti Patil on Dec 21, 2007 8:59 PM

  what is the meaning of this star, dots, plus, minus.
  Means
  Dots is optional
  Minus is Hidden
  Plus is required
  Star is display
  if you double cllick on this then you will see the Puopu box where all the fields has setup based on the requirements as optional or display or reqd....
  Hope this will give you a clear picture

• Config through SolMan and lock SPRO on ECC?

  Hi all,
  My client wants to use SolMan 7.1 for all configuration and lock SPRO on ECC systems.
  1) Is it possible to lock SPRO completely at ECC side and enforce everyone to use SolMan for configuration?
  2) In what cases we need to open SPRO at ECC?
  Someone from my project was mentioning that some custom configuration or special settings needs to be done in ECC and for that have to logon ECC system and use SPRO. Is that true?
  Thanks for looking this problem. Any suggestions or comments will be helpful and appreciated!
  Regards,
  Shaun

  Hi
  You might check this thread too for how to lock spro
  How disable SPRO from Sap_new and Sap_All profile
  if all the users have documented the config elements in solar02 of solman then only it is possible for you to lock spro of satellite system.
  because if they want to config anything which is not there it wil be a problem
  secondly if they say smthng is not there in solar02 they can try manual addition in solar02 and then you can lock spro in satellite
  hope above helps
  regards
  prakhar

• Authorization in IDES SPRO

  My company purchased SAP.SAP Implementation is running on.
  IDES is installed here but there is no authorization for configuration in SPRO.
  I just want to know that whether authorization is given by my company to me
  or for Authorization we (our Company) have to pay extra to the Implementation Organization.
  Please give relevant data also.

  Hi,
  No  extra money for Spro.
  Tell your Basis person. Provide acces in authorzation.
  In sur system execute Tcode : su01 enter the username in edit mode goto the Role tab. enclosed the below said role & save.
  or
  This user have all acees.
  username : idadmin
  password : ides
  Sap_all
  sap_new.
  Regards
  Senthil

• SAP_All

  Hi All,
  How to create SAP_all  profile by removing few t-code say like SPRO.
  My question here is whether it is possible to edit the  existing SAP_All  profile ?
  If possible I need to know how to do it?
  Apperciate if you give other option without distrubing SAP_All.
  Cheers!
  Naveen

  Hello Naveen,
  editing SAP_ALL is not advisable, as SAP_ALL shall contain all authorizations. Furthermore it is regenerated atuomatically from time to time 8for instance after import of new authorization objects, etc.
  More advisable is to create a copy of sap_all and modify its sub-profiles, or you create a sap_all-role by inserting the authorization data of sap_all into the empty profile of that role and modify then the values as per your needs.
  I hope this information helps.
  b.rgds, Bernhard
  P.S.: if you search this forum for 'SAP_ALL' for instance, you will get some more useful information in the hits displayed.
  Edited by: Bernhard Hochreiter on Mar 31, 2009 9:54 AM     entered the 'P.S:'

• Transaction to list userswith SAP_ALL&SAP_NEW Authorisation

  Hi,
  Can some one please tell me if there is a transaction by which we can find out the list of users that has the SAP_ALL and SAP_NEW authorisation profile assigned to it.
  Thanks
  Priya

  Hi Frank,
  There are ways of automating some of it if the assumption that change documents
  are created holds true (meaning that the preventative measures of bypassing the
  creation of change documents are implemented) and even better if an (ab)user
  does not know about the control...
  Here are some of them which I have seen: (actually one of them did see me first
  One of the better solutions involved both an interrogation of user to profile
  assignments (USR04) AND the change documents (USH04) => because the
  profile might have been removed before the "current" detective control is
  performed. For that (profiles or roles) there is a standard report called RSUSR100
  to read the change documents.
  Once identified, the available profiles of SAP_ALL and equivalents can be
  automatically sent to you if you can get the system to create a job on an
  hourly basis which submits report RSUSR100 for a "from -> to" period (like
  from '31.12.9999' to 'sy-datum minus n days'). If it finds such a change document
  or new existing entry in UST04, it fires an alert with details within the hour.
  There are several different ways of doing this with very low effort, and in all
  existent clients.... also without making the job visible in SM37, with a bit more
  effort.
  This would however be unlikely to detect that which you are refering to: What if
  SAP_ALL is copied or the authorization is manually imported into a role which
  the user already has? For that you would need to go looking in UST10 (the
  assignment of authorizations to profiles) or ideally USR10; or USH10 for the
  change documents. If you find &_SAP_ALL or equivalent authorizations in the
  change documents or they do not match the profile names... then fire the same
  alert as before. I cannot remember how this was done done (which report etc)
  and do not have access to the system anymore.
  That would however not pass all requirements for automated detective controls,
  because someone may have changed the authorization values of those auths
  which are already assigned via profiles which the user has... For that you would
  need to go prying in USH12 to see whether anything changed. For the current
  authorization, looking in UST12 is easier to understand than USR12; but they
  should be the same. Note that this access would be instant so there is no
  necessity (nor sense) in searching for change documents relating to the user,
  only change documents for object <-> field <-> values which you know to be
  equivalent to SAP_ALL.
  Another approach is to use the SAP standard rules in tables USK* (search SAP
  notes on it, and the report RSUSR008_009_NEW) to define critical authorizations
  which cannot be assigned, or critical authorizations which cannot be combined
  together. I have seen one solution which used it to prevent the assignment of the
  authorizations from tcode SU01 etc. I also suspect that it is (more...) sustainable
  and less maintenance work in the long run, than programming an own report or
  buying an external tool (someone else's own report).
  Cheers,
  Julius

• Detect Control-Plus and Control-Minus

  Hi,
  I want to detect keyboard events in a swing application, with the Control key and the '+' or '-' keys pressed (the ones from the keyboard, not from the numpad).
  This is to provide similar behaviour than Firefox for increasing and decreasing the font size.
  I have an English keyboard, in which + is with = key, to be pressed with shift, and - can be pressed directly, without shift.
  I've tried many ways to achieve this behaviour, but have not succeeded yet.
  Platform is Java SE 1.6.0_07 on Red Hat Enterprise Linux 4 with Gnome.
  import static java.awt.event.InputEvent.*;
  import static java.awt.event.KeyEvent.*;
  import static javax.swing.KeyStroke.getKeyStroke;
  // Within some method in some class...
  KeyStroke ctrlPlus, ctrlMinus;
  // Menu items seem correct, but none of the combinations work for me
  ctrlPlus  = getKeyStroke(Character.valueOf('+'), CTRL_DOWN_MASK); // menu item shows Ctrl-+
  ctrlMinus = getKeyStroke(Character.valueOf('-'), CTRL_DOWN_MASK); // menu item shows Ctrl--
  // Menu items seem a bit strange; Ctrl - works, but Ctrl + doesn't
  ctrlPlus  = getKeyStroke(VK_PLUS , CTRL_DOWN_MASK); // menu item shows Ctrl-Plus
  ctrlMinus = getKeyStroke(VK_MINUS, CTRL_DOWN_MASK); // menu item shows Ctrl-Minus
  // None of these combinations work
  ctrlPlus  = getKeyStroke("control +"); // menu item shows nothing
  ctrlMinus = getKeyStroke("control -"); // menu item shows nothingIt seems I can get the desired behaviour with '+' and '-' of the numpad, but:
  1. They are more weird than the normal '+' and '-' keys, which are the ones used by Firefox
  2. The menu items show Ctrl-Numpad + and Ctrl-Numpad - as shortcuts, which are weird also
  3. Not all keyboards have a numpad.
  A solution would be very much appreciated... as well as rewarded with the dukes.

  KeyStroke.getKeyStroke(KeyEvent.VK_EQUALS, KeyEvent.SHIFT_DOWN_MASK | KeyEvent.CTRL_DOWN_MASK)This works indeed with CTRL_DOWN_MASK alone (not tested with the other mask), thanks.
  However, this solution has two drawbacks:
  1. The accelerator string is shown as Ctrl-=, while I want Ctrl-+ to be shown
  2. '+' key may not coincide with '=' in non-English keyboards (e.g. it doesn't coincide in Spanish keyboards)
  I've found a solution that required a bit more work:
  1. Create the actions with the keyStroke you want to be shown (in my case, Ctrl-- and Ctrl-+):
  ctrlPlus  = getKeyStroke("ctrl typed +");  // Ctrl-+ is shown
  ctrlMinus = getKeyStroke("ctrl typed -");  // Ctrl-- is shown
  Action actionPlus = new AbstractAction() { ... };
  actionPlus.setAccelerator(ctrlPlus);
  Action actionMinus = new AbstractAction() { ... };
  actionMinus.setAccelerator(ctrlMinus);2. Bind the keys you actually want to the corresponding action:
  JComponent window = ...;  // root window
  InputMap inputMap = window.getInputMap(JComponent.WHEN_IN_FOCUSED_WINDOW);
  ActionMap actionMap = window.getActionMap();
  Object actionMapKeyPlus  = "ctrl+";
  Object actionMapKeyMinus = "ctrl-";
  inputMap.put(getKeyStroke(VK_EQUALS  , CTRL_DOWN_MASK), actionMapKeyPlus);  // + key in English keyboards
  inputMap.put(getKeyStroke(VK_PLUS    , CTRL_DOWN_MASK), actionMapKeyPlus);  // + key in non-English keyboards
  inputMap.put(getKeyStroke(VK_ADD     , CTRL_DOWN_MASK), actionMapKeyPlus);  // + key on the numpad
  inputMap.put(getKeyStroke(VK_MINUS   , CTRL_DOWN_MASK), actionMapKeyMinus); // - key
  inputMap.put(getKeyStroke(VK_SUBTRACT, CTRL_DOWN_MASK), actionMapKeyMinus); // - key on the numpad
  actionMap.put(actionMapKeyPlus, actionPlus);
  actionMap.put(actionMapKeyMinus, actionMinus);More complicated than expected, but at least works.
  Thanks for the help.
  God bless,
  Jaime