SAP_ALL Role

I know ids that have SAP_ALL in the system. When I search the respctiv ids I find it the role coloumn blank
Also when i search on SUIM for the SAP_ALL for users owning it , I am told the role doesnot exsist!
Some thing missing/

Search with SUIM report RSUSR002 (Users by compl. selection criteria) for users with profile SAP_ALL, and, go to the profiles tab in SU01, double-click the profile (irrespective of what it is called) and explode it to see what's "inside". Also check table USR10 to see which authorizations the above profiles have.
Cheers,
Julius

Similar Messages

How to create a role using profile SAP_ALL

I want to create a role which has the same authorizations as SAP_ALL except several tcodes.Because SAP_ALL is not a role ,I can't do it by the way of copying role. how should I do?

Hopefully you do not believe that this is sufficient ...
If you've left the S_DEVELOP authorizations users that are assigned to that role still can perform any action - simply because they can develop own coding or modify existing coding ... (respectively: using the debugger to bypass AUTHORITY-CHECKs).
Please keep in mind: the role concept is driven by the business scenario perspective (e.g. role "purchaser", "HR staff", "user administrator", etc.). All the technical details are derived ("hidden" as detail). Your approach is performing the opposite: using a technical vehicle and wrapping a role around it.
Furthermore: you have chosen a very special "authorization profile" (SAP_ALL). In real life there is no employee that is entitled to do "everything". Even the CIO is not entitled to perform any action (e.g. he should not be authorized to perform just any technical operation - e.g. database reorganization). Just because it is not his "role" (in the company).
=> there is no "SAP_ALL" role in real life

Business Roles not getting refreshed in UI

Hi,
When I log in to the Web UI, I can see all my roles.
Now when I delete a Position/user assignment in the org model, I would assume
not to see that role when I log on to the BSP application.
I'm completely coming out of the application to reflect my changes.
My questions would be
1. How to delete a business role
I've tried removing the complete position itself but I can see the roles
I even tried clearing the browser cache but not luck, I'm using Firefox.
2.I wanted to try a different browser, can somebody tell me how to change the browser
3. For the other roles when I login I get an Interaction centre page with most of the screen blank.
I've checked all the links
I did try other solutions mentioned in other threads.
I'm new to this version as well.
I'm following c04 and CR580.
Please do tell me the missing config.
Another point is that I've SAP_ALL role
Points will be given
Thanks in advance
Regards
Deepak
Edited by: deepak nair on Oct 28, 2008 3:39 AM

Hi Deepak,
1. Did you copied SALESPRO business role to ZSALESPRO business role?? If yes, delete ZSALESPRO business role and
again copy SALESPRO business role to ZSALESPRO1 - reason may be by mistake you have copied IC_AGENT or IC_MANAGER to ZSALESPRO.
2. To make your life easy with PFCG roles -
2.1. I suggest you to copy standard Sales Professional role to "Z" role
(eg: SAP_CRM_UIU_SLS_PROFESSIONAL to Z_SAP_CRM_UIU_SLS_PROFESSIONAL) and generate the profile.
2.2. Add role SAP_CRM_UIU_FRAMEWORK (copy of it eg: ZSAP_CRM_UIU_FRAMEWORK)
2.3. Add these roles to your User along with SAP_ALL (or Z_SAP_ALL) and SAP_NEW
3. Add your User to Employee
4. Add your Employee to the Position in Org. Model
5. Select PFCG Role ID = Z_SAP_UIU_SLS_PROFESSIONAL in your business role (ZSALESPRO1)
6. Extend your Position with Business Role (PPOMA_CRM -> double click on your position -> select GOTO -> Detail Object -> Enhance Object Description) -> highlight business role -> click on create info-type -> select your business role (ZSALESPRO1) -> save
7. Clear the browser cache (delete temp. internet files) and delete cookies
8. Log on to WEB UI with your user and password...
I am sure that, if you follow this - you will active WEB UI without any problems. If still you have problems, let me know....
Cheers,
Peter J.

SAP Roles and Access for SAP Implementation team members

Hi,
Is it correct practice to give SAP_ALL role access for all SAP Implementation team members in Dev and QA?
If not, what is the correct practice?
Kindly let me know

Madhu,
It is NOT correct practice to give anyone SAP_ALL in any of the systems; not DEV, not QAS, and certainly not PRD. However, many implementation teams (and particularly consultants from SIs) insist that they cannot possibly do their jobs without it. This is completely incorrect as there are specific roles for them to use for that purpose. The only circumstance where it could be justified is if you require a special "firefighter" role - and even then, I would still be a bit doubtful.
You should also consider that once you have given someone SAP_ALL, they will fight tooth and nail to keep it. It also means that they probably are not testing the user roles correctly. Most of those that insist they need it simply do not understand the security issues and probably don't care.
Just think; if they have access to do soemthing that they shouldn't and then cause a big problem, are they the ones that will have to fix it or are they going to expect you to do it? If they expect you to clear up after them, then you have the right to insist on restricting their access to cause issues in the first place.
But I know just how demanding they can be....
Best of luck
Tony

XI Adapter - Proxy - ECC user roles ?

Hi Gurus,
My scenario is HTTP - XI - ECC(Proxy). We are using communication user with SAP_ALL role to login to ECC from XI(in receiver XI adapter -Communication channel).
Basis do not want to give SAP_ALL role this communication user. Are there any standard roles delivered to use for this ECC user to execute proxies in ECC ?
Were there any SAP notes related to my issue ? Please help.

Hi Rahul,
Is there any note or documentation on this ? PIAPPLUSER role is not enough I guess to execute the proxy. Following is the error.

- <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="1">
<SAP:Category>XIProtocol</SAP:Category>
<SAP:Code area="MESSAGE">NOT_AUTHORIZED_FOR_PROC</SAP:Code>
<SAP:P1>RFC-ECCxxx</SAP:P1>
<SAP:P2 />
<SAP:P3 />
<SAP:P4 />
<SAP:AdditionalText />
<SAP:ApplicationFaultMessage namespace="" />
<SAP:Stack>User RFC-ECCxxx has no authorization to process messages</SAP:Stack>
<SAP:Retry>M</SAP:Retry>
</SAP:Error>

"Emergency role" for system administrators

Hello
Our SAP system administrators have more or less very comprehensive authorizations.
For emergency cases we are looking for a "near-by-SAP_ALL" role which the administrators are able to assign themselves.
Does anyone have experiences which considerations must be taken into account?
There is a list of possible transaction codes for administrators like this one:
http://www.sap-img.com/basis/useful-sap-system-administration-transactions.htm
But this list is not complete, the guys sometimes need more...
Any ideas
Thanks
BEO

careful. permitting admins to assign such a role to themselves may be a clear SoD violation not to mention an uncontrolled practice. emergency access is exactly what GRC Fireifghter is used for.
If you don't have it, then create a manual process that involves logging of all activities performed while the role was assigned, temporary assignment only, reviews and approval of logged activities. One way is to create a generic account that is always locked and is assigned to a user group that only certain people are allowed to maintain. Whenever the account is needed, it is "checked out" as if it was a firefighter. SM19 would be permanently set to log all activities for this account. To do this, you would have to close all loopholes to the process, such as tightly controlling who can change SM19 settings and who can unlock the account, who knows its password, and you would need periodic reviews of the account, showing the last time it was locked and password changed, the last time SM19 settings were change, and timely reviews of SM20 logs for the acocunt.
your auditors probably have suggestions for your emergency access procedure too.
good luck!

SAP_All

Hi All,
How to create SAP_all profile by removing few t-code say like SPRO.
My question here is whether it is possible to edit the existing SAP_All profile ?
If possible I need to know how to do it?
Apperciate if you give other option without distrubing SAP_All.
Cheers!
Naveen

Hello Naveen,
editing SAP_ALL is not advisable, as SAP_ALL shall contain all authorizations. Furthermore it is regenerated atuomatically from time to time 8for instance after import of new authorization objects, etc.
More advisable is to create a copy of sap_all and modify its sub-profiles, or you create a sap_all-role by inserting the authorization data of sap_all into the empty profile of that role and modify then the values as per your needs.
I hope this information helps.
b.rgds, Bernhard
P.S.: if you search this forum for 'SAP_ALL' for instance, you will get some more useful information in the hits displayed.
Edited by: Bernhard Hochreiter on Mar 31, 2009 9:54 AM entered the 'P.S:'

Workflow AND role

Hi,
I have a question regarding to the workflow.
When i create a service notification IW51, the system generate a workflow and the user recieve a message to unblock the service notification (using status profile).
When we affect the "SAP_ALL" role to this user. The user unblock the notification ..OK
But, i can't find the appropriate role or the appropriate autorization object to affect to the user. i try, iw51/IW52 the user recieve a message but when he unblock the service notification, there is an error.
Thanks in advance for your help

without assigning 'SAP_ALL' run it. let the error come.
then goto SU53. and check which auth obj is needed.
add that to a new role or a existing role which u can provide to user

ESS: SAP_EMPLOYEE_ERP role

Hi All,
I set up ESS for ECC 5.0 system. I configured JCo destinations using User ID and Password (This UID and PWD has SAP_ALL role assigned in the ECC System). All the configuration is complete.
Now, when i try to access the ESS iviews from the portal i'm geting an error saying " you are not authorized to this service..."
As i know that SAP_ALL will include all the roles and authorizations.
My question is, do we need to assign the role SAP_EMPLOYEE_ERP even if we have SAP_ALL role assigned to the user?.
Thanks in advance
Karthik

Achim,
Thanks for your reply.
I dont have authorizations for transactions that u mentioned. I was given SAP_EMPLOYEE_ERP role. but still the problem remains.
Problem:
You dont have the authorization to start service sap.com/essarpdata/Per_Personal_AR.
com.sap.pcuigp.xssfpm.java.FPMRuntimeException: You dont have the authorization to start service sap.com/essarpdata/Per_Personal_AR.
The help says,
Create copies of the composite role SAP_EMPLOYEE_ERP and all the single roles contained in it. Work with the copies only.
Choose the authorization object S_SERVICE (check on start of external services) and enter the required services in the Program, Transaction, or Function Module Name field.
The service names must follow the naming convention <vendor>/<dc>/<Application>.
Example: sap.com/ess~us/Per_Address_US
What i understood is that we need to add all country specific services to the object S_SERVICE (Eg: sap.com/ess~us/Per_Address_US). is it correct?
Achim, if u've already done this, can u please elaborate this in detail

Reg : Error in Portal while accessing BI Report.

Hi,
When I am trying to access BI report in the portal I got the following error in Portal
User #### has no RFC authorization for function group SYST.
Please assist to resolve the issue.
Thanks,
Prakash.

Hi
This is an authorization issue.
Either include SYST in authorization object S_RFC.
Or assign SAP_ALL role to the user and then try.

Getting Business BSP error when a manager opens an attachment in MSS

Hi All,
In Portal when a manager is trying to open an attachment( appraisal document ) of a reportee from MSS, getting the below error:
Business Server Page (BSP) error
What happened?
Calling the BSP page was terminated due to an error.
Business Server Page (BSP) error
What happened?
Calling the BSP page was terminated due to an error.
SAP Note
The following error text was processed in the system:
BSP Exception: Das Objekt 4BE12AD4938E0C4CE10000000A831C37 in der URL /sap(bD1lbiZjPTMwMCZkPW1pbiZwPTM1MzI3JnY9NyUyZTAwJmk9MSZzPVNJRCUzYUFOT04lM2FhdGxhcy1lY2NfRUNUXzAwJTNhdThJRnZnQWZ5eXJPcG94a0NYak5NZ2Z3cER5eEhlRlNwUk41VGFwbC1BVFQ=)/bc/bsp/sap/hap_document/4BE12AD4938E0C4CE10000000A831C37 ist nicht gültig.
Can someone help me out on this?
Thanks in advance.
Regards,
Thirun.

Hi,
We find no dumps in ST22 for this error.Checked in SLG1 as well, but didnot find any errors.
Also Manger is gettig the same error even after giving SAP_ALL role.
Kindly suggest on this.
Regards,
Thirun.

Bex Selection screen dont show up

Dear Guru's
We have recently upgraded from 3.1 to 7.0 and now we are facing a problem.
In our Test (Quality) System, i have created a Query and when i run this Query in BEx analyzer i can see the Selection screen.
Now i created a new user which is a copy of my USERID (with SAP_ALL role in it), After logging into BEX with this new userid, if i run the same Query i cannot see the Selection screen.
I don't understand this problem, none of the variable's are personalized,
I hope you understand the issue..
Thanks in advance,
Dev
Edited by: Srinivas dev on Jul 29, 2010 2:10 PM

hi guys..
Here is the Trace from BEX
Trace Started as: 8/3/2010 12:15:06 PM*
ListSeparator: ,
ExcelVersion: 12.0
AddinVersion: 7100.4.901.1507
BExSetConnectionFromHandle-01
BExSetConnectionFromHandle-02:True
BExExcelApplication.OnDispose01: Exception from HRESULT: 0x800A01A8
BExCheckFrontend.CheckFrontend: No Check performed (20100802) 0.010001
BExExcelApplication.OnDispose01: Exception from HRESULT: 0x800A01A8
BExExcelApplication.OnDispose01: Exception from HRESULT: 0x800A01A8
BExExcelApplication.OpenWorkBook
BExExcelApplication.OnDispose01: Exception from HRESULT: 0x800A01A8
BExExcelApplication.OnDispose01: Exception from HRESULT: 0x800A01A8
BExExcelApplication.OnDispose01: Exception from HRESULT: 0x800A01A8
BExCheckFrontend.CheckFrontend: No Check performed (20100803) 0
BExCheckFrontend.CheckFrontend: No Check performed (20100802) 0
BExExcelApplication.OnDispose01: Exception from HRESULT: 0x800A01A8
BExCheckFrontend.CheckFrontend: No Check performed (20100802) 0
BExExcelApplication.OnDispose01: Exception from HRESULT: 0x800A01A8
BExCheckFrontend.CheckFrontend: No Check performed (20100803) 0
Conflicting workbook ids: iWBid: , Property: 7B2UOAYFBA2MLMWMBSDZJDSF0
unhooking before varscreen
it was hooked
BExExcelApplication.OnDispose01: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
BExExcelApplication.OnDispose01: Exception from HRESULT: 0x800A01A8
BExCheckFrontend.CheckFrontend: No Check performed (20100803) 0
Conflicting workbook ids: iWBid: , Property: 7B2UOAYFBA2MLMWMBSDZJDSF0
unhooking before varscreen
it was hooked
BExExcelApplication.OnDispose01: Exception from HRESULT: 0x800A01A8
BExCheckFrontend.CheckFrontend: No Check performed (20100802) 0.009999
BExExcelApplication.OnDispose01: Exception from HRESULT: 0x800A01A8
BExExcelApplication.OnDispose01: Exception from HRESULT: 0x800A01A8
HOPING SOME SUGGESTIONS..
Thanks in adv,
deV

Create RFx Response: An error occurred in the PD Layer transaction terminated

Hello Experts,
Currently we are in SRM 7.02 implemenation: we are facing below problem while creating RFx response with popup screen.
"An error occurred in the PD Layer transaction terminated"
For this we have checked below
1. http://scn.sap.com/thread/1912966 ----> it didn't help
2. We have assigned SAP_ALL role to bidder also ----> Facing same issue
3. Check Number ranges ---> everything is fine.
there is no clue from above points.
Thanks & Regards
Sandeep.

Hello Sandeep,
I am facing the same problem while creating the RFx response in SUS side. Same error occurred while i am creating the Rfx response with bidder.
error: An error occurred in the PD Layer transaction terminated
Could you please let me know, did you find any solution for this issue?
Thanks in advance!!
Thanks,
Anil

Serial Number in ASN, SNC

Hi Friends,
Please let me know how Serial Number activated in ASN.
Is any configuration needed to activate it ?
Appreciate your answer.
Thanks & Regards,
Siva

Hi Siva,
There are no specific configuration for serial number in SNC. This is a standard functionality which allows supplier to enter the serial numbers at item level during ASN creation.
The only draw back is supplier can enter Serial numbers into ASN via SNC web ui only, duelist download file do not have the option to upload ASN with serial numbers.
Coming on to the issue you are having to enter the serial number, we have faced this issue earlier when we were trying to enter gross weight and volume information during ASN creation.
We applied the OSS note : 1503933 (Description of the SAP note is incorrect) in our system and this fixed our issue. Not sure if this note is still valid for latest version of SNC. But you can check and implement this note.
If you are still getting the error, pls try to assign SAP_ALL role to your id and try creating the ASN. If that works then its an issue with the user access.
Thanks,
Sri

How to setup a supervisor in PPOMA_BBP?

hi Gurus
We use SRM7.0 in Standalone Scenario.
there are 30 companies in our Org. plan. and each of the company has its purchasing organization and purchasing groups.
we need some supervisor users. which they can check, change all 30 companies' SC, RFx.
how can i buildup them?
( i create users which have SAP_ALL role , and assign the users to the highest level in PPOMA_BBP, assign purchaser role in EP also . but i cannot seach out any documents thorught this user in EP),

Hi. It might be a bit tricky, but if you go to transaction PP01, select org unit and stick the org unit number in, then highlight "Relationships" and press change.
There is a field called "Priority" at the bottom.
When you move up and down in rank it is this field that gets changed.
If you can put in a prioity higher than the place you want it to be in the org structure, it will move.
I would try this in a test system first to try and get a feel for it.
Regards,
Dave.

SAP_ALL Role

Similar Messages

Maybe you are looking for