SAP_All

Hi All,
How do I create a SAP_All profile with a few t-codes, such as SPRO, removed?
My question here is whether it is possible to edit the existing SAP_All profile.
If it is possible, I need to know how to do it.
Appreciate it if you give another option without disturbing SAP_All.
Cheers!
Naveen

Hello Naveen,
editing SAP_ALL is not advisable, as SAP_ALL shall contain all authorizations. Furthermore it is regenerated automatically from time to time (for instance after import of new authorization objects, etc.).
More advisable is to create a copy of sap_all and modify its sub-profiles, or you create a sap_all-role by inserting the authorization data of sap_all into the empty profile of that role and modify then the values as per your needs.
I hope this information helps.
b.rgds, Bernhard
P.S.: if you search this forum for 'SAP_ALL' for instance, you will get some more useful information in the hits displayed.
Edited by: Bernhard Hochreiter on Mar 31, 2009 9:54 AM     entered the 'P.S:'

Similar Messages

  • How to check if a user has SAP_ALL in a program?

    Hi:
    I want to create a program that will check if the user has SAP_ALL. Is there a standard FM or BAPI? Otherwise, can someone please help.
    Thank you.
    Seshagiri Gopi

    Hi,
    Please check the below link:
    http://wiki.sdn.sap.com/wiki/display/BI/AuthorizationinSAPNWBI
    Regards,
    Nilesh.

  • GRC:AC:SPM: How to ensure SAP_ALL in not deleting FF log files?

    Hi Guys,
    Due to some critical business requirements occurring occasionally, I wanted to set up a FF ID having SAP_ALL. This would be besides the other FF IDs, which I have already created for each of the modules. I.e. basically this SAP_ALL FFID would be to handle emergency and cross-module tasks.
    Now, I have a limitation here that this FFID having SAP_ALL profile may do anything and then even clear all the logs for what all it did (as it would have unlimited access to even delete the logs for FFID usage). Any workaround solution for this?
    Regards.
    Hersh.
    http://www.linkedin.com/in/hersh13

    Zaheer is exactly correct. The main point of SAP_ALL is to be (almost) unrestricted and that is why it is recommended to not assign it.
    Although Firefighter allows you to gain elevated access in a controlled manner, if you just assign firefighter ID's SAP_ALL then you will be allowing that access in the systems effectively, invalidating any controls which you had there previously.
    There are loads of ways of trimming SAP_ALL but I would generate a role based on the SAP_ALL template and de-activate the key authorisations (GRCFF_0001).
    Simon

  • How to maintain Employee photo in ESS who's who without sap_all and sap_new

    Hi ALL,
    Displaying the employee photo in ESS Who's who is working, but only with the SAP_ALL and SAP_NEW user profiles.
    My requirement is to do it without the SAP_ALL and SAP_NEW user profiles. How does it work, and where can I maintain authorizations for this issue?
    The parameter i used are as follows:
    Business obj: PREL
    Doc type: HRICOLFOTO
    Personal num: 00000094
    Infotype: 0002
    Photo type: .JPG
    please help me.
    Regards
    Satya.

    Dear satya .
    Please check the following
    1. Trace with the t.code ST01 and check that object require.
    2. The portal requires the following objects:
    S_SERVICE
    S_RFC
    P_PERNR
    PLOG
    P_ORGIN/ P_ORGINCON
    P_HAP_DOC, if you work with Appraisal Document.
    3. Check the table T77S0
    P_PERNR, P_ORGIN, and P_ORGINGCON
    4. Check that you have the roles need for ESS.
    SAP_ESSUSER
    SAP_ESSUSER_ERP05
    SAP_EMPLOYEE_ERP05
    SAP_EMPLOYEE_ERP_13
    SAP_EMPLOYEE_ERP05_xx
    SAP_EMPLOYEE_ERP_13_xx
    5. Check the following notes:
    SAP Note 857431 - ESS: Authorizations and roles for WD services in ERP 2005
    SAP Note 844639 - MSS: Authorizations and roles for WD services in ERP 2005
    SAP Note 1373177 - Back end authorization roles missing in EHP4
    SAP Note 824757.
    [ESS Quick Start|http://www.cogentibs.com/pdf/cogsap08/ESS.pdf]
    Hope it helps you.
    Regards
    consultor_ess_mss

  • BEx Analyzer : missing Selection screen for NON- SAP_ALL User

    we have upgrade our BW from 3.1 to BI 7.0. Now we are testing and detect that Queries which are started by User who has user specific roles (not SAP_ALL like we as developer) this Selection Screen is missing. This leads to a complete selection of all data of the cube and this leads to very long runtime or auto logout.
    What is wrong in our configuration?
    Has anybody made the same experience ?
    Thank You, Frank HInzmann
    Schindler Informatik Ebikon (Switzerland)

    Frank,
    Any chance that somehow that user has set personalisation on all the variable values?
    Regards
    Gill

  • Issues with SAP_ALL - Display only

    Dear SAP security experts,
    I created a Role SAP_ALL_DISPLAY inherited from SAP_ALL profile. I made sure that ACTVT is 03 for all areas. But still it is allowing for some Tcodes like below :
    RSA6 -- It is allowing to delete, change, create ...extractors. This is very dangerous
    SM37 -- It is allowing to delete BG jobs..etc
    .....some more I did not know...don't have time to check.
    tcodes like RSA1...SCC*..SPRO... are OK. If finger the check indicators in SU24 for the above tcodes(RSA6,SM37..), what are the bad consequences?. How to fix this in an easy way?
    Thank you very much

    I guess this needs to be created as an FAQ
    - There is no such thing as SAP_ALL_DISPLAY
    - Proposal: create a "display only"  role for each functional area in your organisation, i.e. something you could give to every employee working in that area.
    - There are LOTS of transactions that couldn't care less about what you put in ACTVT!
    - There are display transactions that you do not want to give to people (confidentiality)
    - Furthermore, check for ACTVT might be deactivated in SU24
    In a nutshell: don't do that. Find out what the exact requirements for that role are, and create it like that. The way you do it now will have many more backdoors than you will ever be able to fix. How are you going to control/audit misuse?
    Alternatively: look at SAP GRC Access Controls and evaluate the FireFighter application - this might help.
    Sorry, no easy answer here.
    Frank.

  • How to remove SPRO from SAP_ALL profile

    Hi Friends,
    My client needs access to SAP, but we don't want to give them SPRO Tcode authorization.
    So I would like to have your advice on what is to be done and how we can create a profile without the SPRO Tcode.
    Regards
    Ayush

    Ayush Johri wrote:
    > I think its not that difficult, although i dont know this. but i have heard people saying that they have made SAP_ALL profile without SPRO...
    It is easy to copy SAP_ALL and create a role without SPRO
    This will not stop people from accessing the functions behind SPRO for the reasons posted before.
    Lots of people claim they create a SAP_ALL without SPRO, I will bet £1000 (I know it's worth many euro's at the moment) that 90%+ of those roles which people think have SPRO removed will not stop people accessing config.
    Ask yourself this question....
    If you build a house do you:
    1. Buy a giant piece of rock and cut holes in it
    2. Build it from components - bricks, windows, doors etc

  • Configuring Solution Manager: Alternative Role to SAP_ALL

    This is a general question regarding configuring Solution Manager and note 834534.  I am configuring Solution Manager 7.0 at a client site.  The main components that I am configuring are on the Monitoring and Operations side; for example, System Monitoring,  Service Desk, Issue Management, and Change Management for Maintenance Optimizer.  CHaRM will follow later on.  Additionally, the client would like to use the project side of Solution Manager.
    When I took training for Solution Manager from SAP, the SAP instructor advised the class to have SAP_ALL when configuring Solution Manager. The problem I am having is that the client will not issue me SAP_ALL in the Solution Manager instance, regardless of the recommendation in note 834534.  I can understand the client's reluctance to issue SAP_ALL, even though Solution Manager is not a financial system in and of itself; however, I have found that I am constantly having to ask for authorizations as I step through the wizards and the Scenario-specific settings.  When I run into issues which require further investigation by running transactions to check certain settings that are not specifically tied to a wizard or scenario-specific setting transaction, I run into further delays as I ask for additional authorizations to troubleshoot issues.
    We have implemented the roles and assigned them to my ID in Solution Manager as outlined by the SAP Solution Manager Security Guide to the fullest extent possible; and I have been issued "Basis Roles" that the client issues to their Basis team.  Regardless of these actions, I still run into authorization issues.
    My question is, apart from the SAP Solution Manager Security Guides recommendations (which does not mention SAP_ALL), is there a role being developed, or has been developed that can be assigned to the Solution Manager configurator in lieu of SAP_ALL (as per note 834534)?  I would think that this issue has been raised before, particularly since many companies have implemented SOX controls and are skittish about issuing SAP_ALL.
    Your feedback is most appreciated.

    Thanks for the reply, Nesimi.
    While I appreciate that you do not use SAP_ALL, is that the case when you are configuring a brand new, clean system?  Are you using the Configuration Wizards without SAP_ALL? I ask this because when I ran the first configuration wizard, one of the steps is to create a "configuration user", which creates a user with SAP_ALL. However, I cannot use that wizard generated user ID because it has the role SAP_ALL.
    In general, I am operating on 3 sources of information that says I need SAP_ALL to configure the system (not necessarily to operate it):
    1.  An SAP Instructor for the Solution Manager Operations and Monitoring Class
    2.  The IMG Activity "Create Configuration User" documentation in SPRO
    3.  Note 834534
    I will review the english version of the link http://help.sap.com/saphelp_smehp1/helpdata/de/40/8ac473d40943ddb23def12bdb33437/frameset.htm that you have thoughtfully provided. 
    With respect to note 123640, I am not sure if that solves my problem or answers the fundamental question that I have given the 3 sources I quoted above.  It seems to me that SAP's approach in indicating clearly that they prefer that the configuration user should have SAP_ALL is flawed given today's corporate governance policies.  Clearly this recommendation is only for the initial configuration, and SAP_ALL can be taken away and replaced by the roles and recommendations in the SolMan security guide to maintain Solution Manager.  But when it comes down to the question "what do you need to configure Solution Manager, because we won't give you SAP_ALL", I am hard pressed to give an answer despite literally spending hundreds of hours researching "documentation" which does not give clear cut answers.  I think SAP needs to address this issue instead of taking the easy way out and saying you need "SAP_ALL" as illustrated in the 3 sources of readily available information cited above.

  • How to delete Client of SAP_ALL  profile

    I have made one client, 800, in SAP with the SAP_ALL profile. Now I want to delete this client because my hard disk space is going to be full. How do I delete client 800 so that my hard disk space is freed? Please tell me step by step.
    Thanks & Regards
    Jagdish Kumar

    Proper way to delete a SAP client
    Here goes: 
    1. log into the client to delete 
    2. go into SCC5 and delete client 
    3. log into another client and delete entry with SCC4 
    4. reorg database to recover database space. 
    Actually, if you check "on" the little "Delete Entry from T000" checkbox, you can skip step 3.
    One other way of deleting a client which could give significant performance gain and save time is at OS level using - R3trans 
    To delete a client 200, you have to create a command file "del200" with following entries 
    Clientremove 
    Client = 200 
    Select * 
    Place the command file in /usr/sap/trans/bin 
    $ cd /usr/sap/trans/bin 
    $ R3trans -w <log file name> -u 1 <command file name>
    e.g. $ R3trans -w del200.log -u 1 del200
    To check the progress...
    $ tail -f del200.log
    Reorg the database post client delete

  • Z_PROGRAM does not run with SAP_ALL

    Hi All,
    System: ECC 6.0
    I have a test ID with SAP_ALL and SAP_NEW authorizations, but I am not able to execute a Z Program with this Test ID, but other users can.
    Compared other users UMR with this Test ID and they match up 100%.
    All the related auth. Objects checked and they have *
    Your suggestions will be helpful.
    Thanks
    Vidyar
    Also I created a role with SE38 with full authorization and assigned the role to the Test ID, but still it does say that " You are not authorized to use the program "
    Edited by: VIDYAR on Jan 18, 2011 7:11 PM
    Edited by: Julius Bussche on Jan 19, 2011 8:12 AM
    Subject title made more meaningful

    9 times out of 10 such a mysterious message has nothing to do with the authorization concept of authority-check statements and you anyway cannot control the execution of a program based on its name.
    Display the code in SE38 and search for ABAP statement constructs using system field "sy-uname". For example:
    " hard-coded user names decide who may run the program
    IF sy-uname <> 'CAPPSG' AND sy-uname <> 'BUSSCHEJ'.
      MESSAGE 'You are not authorized' TYPE 'E'.
    ENDIF.
    or
    " a custom table of permitted users decides who may run the program
    DATA: iv_uname TYPE xubname,
          ls_auth  TYPE zusr_auth_table.
    iv_uname = sy-uname.
    SELECT SINGLE * FROM zusr_auth_table INTO ls_auth
      WHERE zname = iv_uname.
    IF sy-subrc <> 0.
      MESSAGE 'You are not authorized' TYPE 'E'.
    ENDIF.
    Then look in the table ZUSR_AUTH_TABLE for the lists of authorized users and where its maintenance dialog is.
    Terrible concept, very bad practice but unfortunately it happens - particularly when developers are not given security requirements or have little faith in the existing authorization based implementation in roles.
    Can be a mess to fix as well. Good luck.
    Cheers,
    Julius
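
The search described in the reply above can be run over exported program source instead of by eye. This is an added example, not code from the thread: a Python scanner, run on a constructed ABAP sample, that flags statements branching on sy-uname (or on a variable assigned from it) rather than on an AUTHORITY-CHECK. It assumes every statement ends with a period at the end of a line.

```python
import re

# Constructed ABAP sample: two identity-based checks and one real AUTHORITY-CHECK.
SAMPLE_ABAP = """\
REPORT z_program.
* legacy check: if sy-uname = 'OLD'.
DATA iv_uname TYPE xubname.
iv_uname = sy-uname.                 " alias of the logon name
IF sy-uname <> 'CAPPSG' AND sy-uname <> 'BUSSCHEJ'.
  MESSAGE 'You are not authorized' TYPE 'E'.
ENDIF.
SELECT SINGLE * FROM zusr_auth_table INTO ls_auth
  WHERE zname = iv_uname.
AUTHORITY-CHECK OBJECT 'S_PROGRAM' ID 'P_ACTION' FIELD 'SUBMIT'.
WRITE: / 'Started by', sy-uname.
"""

def strip_comment(line):
    """Drop '*' full-line comments and '"' end-of-line comments outside literals."""
    if line.startswith("*"):
        return ""
    in_literal = False
    for pos, ch in enumerate(line):
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            return line[:pos]
    return line

def statements(source):
    """Yield (first_line_number, lower-cased text) per period-terminated statement."""
    start, parts = None, []
    for number, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw).strip()
        if not code:
            continue
        start = start or number
        parts.append(code)
        if code.endswith("."):
            yield start, " ".join(parts).lower()
            start, parts = None, []

def find_identity_checks(source):
    """Return [(line, kind, statement)] for logic that depends on the logon name."""
    names, findings = {"sy-uname"}, []
    for line, stmt in statements(source):
        alias = re.fullmatch(r"([\w-]+)\s*=\s*sy-uname\s*\.", stmt)
        if alias:
            names.add(alias.group(1))  # this variable now carries the logon name
            continue
        if not names & set(re.findall(r"[\w-]+", stmt)):
            continue
        keyword = stmt.split()[0]
        if keyword in ("if", "elseif", "check", "case"):
            findings.append((line, "compare", stmt))
        elif keyword == "select":
            findings.append((line, "table-lookup", stmt))
    return findings
```

Calling `find_identity_checks(SAMPLE_ABAP)` reports the IF on line 5 and the SELECT on line 8; the AUTHORITY-CHECK and the WRITE that only displays the name are not flagged.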

  • BI 7.0 Security: Replace SAP_ALL with alternative solution

    Hello,
    In an effort to remove SAP_ALL from user accounts in BI 7.0, I need to find an alternative solution for allowing users to create, execute, and delete BEx queries.  Initially, I was thinking of creating two roles, derived from the SAP_ALL template.  One role would allow users to create, execute, and delete queries; the other role would allow users to only execute BEx queries.  Since I'm new to BI 7.0, I'm not quite sure if this is the best approach.  If someone has experience with this scenario, please advise.
    Thank you in advance.

    Hi Cedric,
    You definitely need to move away from SAP_ALL in BI 7.0. The blog mentioned explains how the new features of BI 7.0 work, but I feel your issue is a bit more fundamental. Do you have a security strategy / design for your BI reports that you are trying to deploy?
    You need to consider who can access what data in BI as well as which sets of queries. Once you have an idea for that if you look at how the S_RS_COMP authorisation object works, implementing roles with restrictions on that object will achieve restrictions on which users can access which queries.
    There are SAP delivered templates for query execution roles, that you can look at to get you a starting point - but you'll still need to having a good naming convention for queries as well as an understanding of where your BI data is stored, to be able to restrict access.
    Once you've considered the data and reports, you may need to further restrict information by the use of analysis authorisations on specific characteristics, which is where the blog will help you.

  • SAP_ALL & SAP_NEW profiles not available in new client after client copy

    I am setting up a BI Client and have been following some documentation to do this downloaded from SDN. In the process, i created my client 'client 200' assigned to a logical system then doing client copy from 'client 000' using transaction SCCL. There is a step when i now have to create a user in the new client (client 200 ) where i am supposed to assign the user to profiles SAP_ALL and SAP_NEW. Unfortunately these are not available in my newly set client but in 'client 000' they are available.
    Did i make some error in the client copy process or i still need to do something to have the profiles in 'client 200'. Please assist.

    There is no issue in rerunning the Client Copy.
    But please check what mistake you made in the first one.
    Here are the steps.
    Create an entry in SCC4.
    RZ10 modify parameter login/no_automatic_user_sapstar=0
    Check that you have enough background and dialog processes.
    Restart the SAP system,
    then log in with SAP* in the client you made.
    Run SCCL and give the profile SAP_ALL.
    Select the source client as 000
    and the source client user master as 001.
    Check that you don't select the check box of TEST MODE,
    and schedule in background.
    Thanks Rishi Abrol

  • Not able to assign Project to the Urgent Change Request with Developer Id with the existing Authorizations. With SAP_ALL authorization, everything works fine.

    The Urgent Change request is in created status and I am not able to assign a project to it. Also I am not able to change the status of the change request to In development with the developer's ID. Everything works fine if I assign SAP_ALL authorization to the developer.
    Below are the roles assigned to Developer ID -
    SAP_CM_SMAN_DEVELOPER
    SAP_SM_CRM_UIU_FRAMEWORK
    SAP_SM_CRM_UIU_SOLMANPRO
    SAP_SM_CRM_UIU_SOLMANPRO_CHARM
    SAP_SMWORK_BASIC_CHANGE_MAN
    SAP_SMWORK_CHANGE_MAN
    SAP_SOCM_DEVELOPER
    Z_S001
    ZSAP_SOCM_DEVELOPER
    Issue screen -
    SU53 for Developer-
    Please suggest which roles/authorizations should be assigned to the Developer ID.
    Thanks
    Kavita

    Hi Kavita,
    Copy these roles to Z-roles
    SAP_CM_SMAN_DEVELOPER
    SAP_SM_CRM_UIU_FRAMEWORK
    SAP_SM_CRM_UIU_SOLMANPRO
    SAP_SM_CRM_UIU_SOLMANPRO_CHARM
    SAP_SMWORK_BASIC_CHANGE_MAN
    SAP_SMWORK_CHANGE_MAN
    SAP_SOCM_DEVELOPER
    Assign this to user.
    Put a trace using ST01.
    Find that object and modify/add in your custom role.
    Regards,
    Divyanshu

  • How to copy and remove admin Role from SAP_ALL profile

    Hi SDN Experts,
    I need to copy SAP_ALL profile to another in CRM 5.0 system, thereafter i need to remove admin Role from SAP_ALL profile. Can any help regarding this point..
    regds
    gcp

    Chandra,
    I saw ur post in this forum regarding configuring sap intergration with genesys gplus adapter. We are in need of the same configuration. Can you please help me in configuring sap phone for gplus adapter. Reply me on [email protected]
    Thanks in Advance

  • To find whether current user has SAP_ALL profile or not.

    Hi all,
    Can anyone tell me that whether is there any method by which I can pass the user id and can know whether that user has the SAP_ALL profile or not.
    The above is done by using the transaction SU01,but I need the ABAP code that is being used in this transaction.
    Regards,
    Varun.
    Message was edited by:
            Varun Bhandari

    Hi,
    Check table USR02 for the same.
    Regards,
    Ram

  • How to find the users who r assigned to profile sap_all through su01

    how to find the users who r assigned to profile sap_all through su01

    you can get into SUIM-->where used lists, check for users with profile SAP_ALL you can get a list of users who have
    it. and you can get into SUIM through SU01 from user information system link.
    you can execute RSUSR002 from SA38/SE38.
    RSUSR002  is the report which gets you the whereused list for profiles within roles, users.
    you can get it from transaction SECR; of course you are executing the same report.
    you can get from UST04 table and obviously USR04 also because sometimes you  miss some details from UST04 because of sync problems.
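
For the two threads above that ask how to find users holding SAP_ALL, the table route can be scripted offline. This is an added example, not code from the thread: it joins a UST04 extract (profile assignments) with a USR02 extract (lock flag and validity date) so that active holders stand out from locked, expired or orphaned ones. Both CSV extracts are constructed, and the function name `sap_all_holders` is hypothetical; the column names are the fields of the two tables.

```python
import csv
import io
from datetime import date

# Constructed extracts (for instance SE16 downloads saved as CSV).
UST04_CSV = """MANDT,BNAME,PROFILE
100,DDIC,SAP_ALL
100,JSMITH,SAP_ALL
100,JSMITH,SAP_NEW
100,FF_BASIS,SAP_ALL
100,OLDADMIN,SAP_ALL
100,MJONES,Z_DISPLAY
200,JSMITH,SAP_ALL
"""
USR02_CSV = """MANDT,BNAME,USTYP,UFLAG,GLTGB
100,DDIC,A,0,00000000
100,JSMITH,A,0,00000000
100,FF_BASIS,S,64,00000000
100,OLDADMIN,A,0,20200131
100,MJONES,A,0,00000000
"""

def sap_all_holders(ust04, usr02, today, profiles=("SAP_ALL",)):
    """Return {(client, user): status} for every user assigned one of `profiles`."""
    master = {(r["MANDT"], r["BNAME"]): r
              for r in csv.DictReader(io.StringIO(usr02))}
    cutoff = today.strftime("%Y%m%d")
    result = {}
    for row in csv.DictReader(io.StringIO(ust04)):
        if row["PROFILE"] not in profiles:
            continue
        key = (row["MANDT"], row["BNAME"])
        user = master.get(key)
        if user is None:
            # assignment without a user master row: the tables are out of sync
            result[key] = "no USR02 record"
        elif int(user["UFLAG"]) != 0:
            result[key] = "locked"      # any non-zero lock flag
        elif user["GLTGB"] != "00000000" and user["GLTGB"] < cutoff:
            result[key] = "expired"     # valid-to date lies in the past
        else:
            result[key] = "active"
    return result

if __name__ == "__main__":
    for (client, name), status in sap_all_holders(
            UST04_CSV, USR02_CSV, date.today()).items():
        print(client, name, status)
```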
