SPRO Display only role

Hello Gurus,
I wanted to create an SPRO display role and I am not sure what tcodes SPRO calls in the background. I googled and found out that giving S_TCODE = * and making other auth objects like S_PROJECT and S_PROJECTS (related to SPRO) display only (03) will serve my purpose of creating an SPRO display-only role.
My question is, if I give S_TCODE = *, I am giving access to all the tcodes in SAP, which I don't want to. Is there a solution for this? (SPRO display-only access with the tcodes that SPRO calls in the background)
Any suggestion, advice, comments are appreciated
Thanks Gurus
Venkat

Hi Venkat,
Yes, you are right. S_TCODE '*' is heightened access to give.
I am not sure if there is an easier way to do this. You could get the list of Tcodes within SPRO in a slightly long procedure:
Steps:
1. Activate the IMG activity display using the Path Additional Information>Additional Information>Display Key> IMG Activity.
2. Use the table CUS_IMGACH to find the tcodes associated with each IMG activity.
3. You could try assigning only these values under S_TCODE.
Also I am not sure it works. But if you don't find an easier way out, this could be worth a try.
Regards,
Ann
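
The clean-up Ann outlines, as an added example that is not part of the original thread: it audits a role's authorization values for an S_TCODE wildcard and for ACTVT values other than 03, then lists which IMG transaction codes still need explicit S_TCODE entries. The CSV layout (modeled on an AGR_1251 export), the role contents and the transaction list are constructed assumptions.

```python
import csv
import io

DISPLAY = "03"  # ACTVT value for display, as used in the thread

# Constructed sample: one row per authorization field value, in a column
# layout modeled on an AGR_1251 export (assumed format, not real data).
ROLE_CSV = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
ZSPRO_VIEW,S_TCODE,T-1,TCD,SPRO,
ZSPRO_VIEW,S_TCODE,T-2,TCD,*,
ZSPRO_VIEW,S_PROJECT,T-3,ACTVT,03,
ZSPRO_VIEW,S_TABU_DIS,T-4,ACTVT,02,
ZSPRO_VIEW,S_TABU_DIS,T-4,ACTVT,03,
ZSPRO_VIEW,S_TABU_DIS,T-4,DICBERCLS,*,
"""

# Constructed sample: transaction codes collected from CUS_IMGACH (step 2).
IMG_TCODES = ["SPRO", "SM34", "SM30"]


def audit_role(csv_text, img_tcodes):
    """Return (findings, missing_tcodes) for a display-only role export.

    findings: (rule, object, value) tuples for wildcard or ranged S_TCODE
    entries and for ACTVT values that are not plain display (03).
    missing_tcodes: IMG transactions with no explicit S_TCODE entry, i.e.
    what has to be listed once the wildcard is removed.
    """
    findings = []
    explicit = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        obj, field = row["OBJECT"], row["FIELD"]
        low, high = row["LOW"].strip(), row["HIGH"].strip()
        if obj == "S_TCODE" and field == "TCD":
            if "*" in low or high:  # pattern or LOW..HIGH range
                findings.append(("S_TCODE_WILDCARD", obj, low))
            else:
                explicit.add(low)
        elif field == "ACTVT" and (low != DISPLAY or high):
            findings.append(("NON_DISPLAY_ACTVT", obj, low))
    missing = sorted(set(img_tcodes) - explicit)
    return findings, missing


if __name__ == "__main__":
    for finding in audit_role(ROLE_CSV, IMG_TCODES)[0]:
        print(finding)
```

A clean result only describes the role definition; whether a given transaction actually checks ACTVT is a separate question.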

Similar Messages

  • Issues with SAP_ALL - Display only

    Dear SAP security experts,
    I created a role SAP_ALL_DISPLAY inherited from the SAP_ALL profile. I made sure that ACTVT is 03 for all areas. But it is still allowing changes in some tcodes, like below:
    RSA6 -- It is allowing to delete, change, create ... extractors. This is very dangerous.
    SM37 -- It is allowing to delete BG jobs, etc.
    ... some more I do not know about ... don't have time to check.
    Tcodes like RSA1 ... SCC* ... SPRO ... are OK. If I finger the check indicators in SU24 for the above tcodes (RSA6, SM37 ...), what are the bad consequences? How to fix this in an easy way?
    Thank you very much

    I guess this needs to be created as an FAQ
    - There is no such thing as SAP_ALL_DISPLAY
    - Proposal: create a "display only"  role for each functional area in your organisation, i.e. something you could give to every employee working in that area.
    - There are LOTS of transactions that couldn't care less about what you put in ACTVT!
    - There are display transactions that you do not want to give to people (confidentiality)
    - Furthermore, check for ACTVT might be deactivated in SU24
    In a nutshell: don't do that. Find out what the exact requirements for that role are, and create it like that. The way you do it now will have many more backdoors than you will ever be able to fix. How are you going to control/audit misuse?
    Alternatively: look at SAP GRC Access Controls and evaluate the FireFighter application - this might help.
    Sorry, no easy answer here.
    Frank.

  • Cannot create profile for IMG display only access - Timeout

    Hello all,
    I have created a role for IMG display only. It has hundreds of Org values and fields. I have made ACTVT=03 in Change Authorization.
    Everything is fine except when I click to create the profile: the system does start processing but it's taking a hell of a time. It times out since the system has a timeout after 9000s. Anyway, 2 hrs for creating a profile... phew!
    Is there a way I can create profile?
    Alternatively, Is there a simpler way to create role for IMG display only access?

    How are you building your role?  It shouldn't be timing out - might be worth having a chat with your basis team.
    Alternatively, if you can save the role (but not generate it) you might be able to generate it in the background via transaction SUPC.  It's better to understand why you can't create it first though.

  • Mass Display Only

    Hello everyone.
    I am cleaning up the Security work of someone here before me. We have _DEV roles in our QA environment. Management has indicated they want a single comprehensive DISPLAY only role created that covers all positions on the project team.
    I have looked into turning the single roles display only, however time wise it isn't feasible.
    I have looked for a single display only profile to use - did find many display only profiles - not sure if they cover everything I need.
    Has anyone ever had to create a comprehensive display only role for an entire project team? I need two roles, one for BI 7 and one for CRM 7.
    Is there an established best practice for creating mass display only roles?
    Would love to hear your advice and opinions.
    Thanks,
    Todd

    Hi Todd,
    please try to find an answer using the search function in this forum. there have been many threads already regarding display-only roles (maybe a good entry point for you would be to search for sap_all_display).
    If you have specific issues (not such a general question....) please update.
    Thank you.
    b.rgds,
    Bernhard

  • How To Configure 'SPRO' Can Display Only?

    Hi Gurus,
        In our ECC PRD circumstances. We need Display-Only authorization for Tx 'SPRO'.
    Do you have any good idea?
    Thanks!
    Jason

    Hi,
    Use the S_TABU_DIS and S_TABU_CLI authorization objects to assign the relevant authorization to the user.
    If you have created an IMG project, you can use transaction PFCG to create a suitable authorization for this IMG project. In transaction PFCG, you have the option of assigning one or several IMG projects. The corresponding authorization profiles are then transferred and can be defined as required.
    Create a new role for this in transaction PFCG. If you are processing the role, you can use the menu "Utilities -> Customizing authorizations" to assign the relevant IMG project and/or project views to the role. The role is then adjusted according to this selection. The user can then start the corresponding setting transaction from IMG.
    Regards,
    JP.

  • Role creation: SAP ALL with SU01 and PFCG in display only

    hi all,
    I am looking for the easiest way to create a "sap all " like role with SU01 and PFCG in display only.
    i found several solutions, which sound very complicated.
    Thank you in advance,
    Julien

    Hi,
    As per your query there is not profile of SAP to give display authorisation, for this you have to create new profile on module wise and assign to user.
    Anil

  • ChaRM: Role to display only in CRMD_ORDER

    Dear all,
          I have two questions for you experts:
          1) We are trying to create a role to display only the documents in CRMD_ORDER, is that possible at all?
          2) I have some users that shouldn't be allowed to create an Urgent correction, I customized the authorization B_USERSTAT accordingly. When those users try to create a UC they receive the error message, yet they can save the transaction and the UC is created in the system.
    I would really appreciate any help on this!
    Best regards,
    Federico.

    hi
    pls chk this,
    http://help.sap.com/saphelp_crm50/helpdata/en/26/99973915e69238e10000000a11402f/frameset.htm
    jansi

  • Role composition for ESS to display only own data.

    Hi all,
    I am trying to compose a role for Employee Self Service for employees to display their payroll, but i couldn't manage to structure it to display only their own personnel data. I had to put the personnel area in P_ORGIN however in that case they become authorised to display all employees' data in that personnel area. Can i use P_PERNR object for this operation? Please advise.
    Regards,
    Sezin

    You can give I in PSIGN field for the infotypes that you want to 'Include' for an employee, and E in PSIGN field for the infotypes that you want to 'Exclude' for an employee.
    Whether those Infotypes will be Read or Maintain will be dependent on the value in the AUTHC field.
    Hope this helps.
    Regards,
    Vikas

  • Displaying only User created roles -  Please help

    Hi,
    Can anyone of you please post the code for displaying only Non - SAP roles (which are created by users).
    Thank you for your time.
    Regards
    Som

    Hi,
    I will explain little bit more in detail..
    We are trying to have a Mapping between JobTitle and Portal-ID/Name in our database. so for the Portal-ID/Name instead of having a textbox for the user to enter, we want to have a list box which displays all the roles which were created by users (only) - that is I mean custom roles not the roles provided out of the box like useradministration,systemadministration etc.
    Thanks
    Vasu

  • Setting SPRO authorization only in display mode

    Hi,
    I am working on authorization objects in a new role. What is the name of the authorization object where I can set the activity for SPRO (Customizing) only in display mode?
    Thanks.
    Regards,
    Rajesh.

    You don't need to do all this. Just create a role and add SPRO to it. Then maintain all the objects in that role to Display (Activity 03) ONLY.
    However, this will not allow you access to all the zillion Tcodes that SPRO allows access to. In order to allow this, you will have to manually add ANOTHER S_TCODE object to that role and assign a * in it. So then you have access to all the Tcodes, but Display only.
    This will do it for you. It did for me.
    Edited by: Kunal Belnekar on Apr 1, 2008 2:53 PM
    Edited by: Kunal Belnekar on Apr 1, 2008 2:54 PM

  • Regarding SPRO Display

    Hi all,
    My requirement is that all the functional consultants should have SPRO in display mode. They should even be able to see the settings but they should not have change authorization...<removed_by_moderator> please send me a detailed solution so that my problem gets solved
    <subject_modified_by_moderator>
    Read the "Rules of Engagement"
    Regards
    Surya
    Edited by: Juan Reyes on Aug 22, 2008 1:18 PM

    Hi Kunal,
    It doesn't work for me. I followed your instruction on creating the new role and also referred to the link
    http://www.*********************/r3_security/r3_security_tips.htm
    In this link, it mentions
    Object       Field       Value
    S_CODE       REMOVE       SPRO
    There is no such object as S_CODE. Is it a typo? Should it be S_TCODE? But even in the S_TCODE object there is no REMOVE field.
    After creating ZSPRO_VIEW and assigning it to the user, the user can go to tcode SPRO, but when drilling down, for example
    SPRO --> Controlling --> General Controlling --> Organization --> Maintain Versions
    will be hit by the message "You are not authorised to use Transaction SM34".
    The same message is prompted at the bottom of the screen if I try other structures in SPRO.
    My workaround is to add another object S_TCODE and assign * to the field TCD. After this, most of the items in the SPRO structure can be executed with DISPLAY only.
    Not sure if this is the right way to do it.
    pls advise.
    Thanks.
    Regards,
    Kent

  • How to make 'Overall Limit' field as display only in ME22/ME22N

    Hi,
    I want to make the 'Overall Limit' field display only in transaction ME22/ME22N (only for Service Items).
    I can make the field display only for ALL Service Items by going to:
    SPRO – IMG - Material Management - External Services Management - Define Screen Layout
    and making the 'Overall Limit' display only for PT1 (Blanket Items). But this also stops any entry into this field even for creation of Purchase Orders! When I try the same thing for ME22 (Change Purchase Order) it does not work.

    Hi
    You can make it greyed out like this:
    Go to materials management -> external service management -> define screen layout -> copy field selection key ME22 -> enter new key as ME22N -> choose category of field selection to 2 -> click on value limit -> make overall limit as display.
    Then for Tcode ME22N, this field will be greyed out.
    Thanks

  • MM02 Purchase Order text display only

    We have transaction variants with screen variants set up for transaction MM02 and want  to make the purchase order text display only. This does not seem possible with transaction variants as the display only is greyed out for the purchase order text.
    Is there an enhancement or exit available where we can do this ?

    Hi
    Check it in SPRO - SAP IMG- Logistics general - Material master -field selection
    In this you can do it.
    Regards,
    Raman
    Edited by: Raman S on Sep 4, 2009 10:30 AM

  • How can FS03 be made Display only without removing Create/Change Activities

    ECC 6.0 Release 700
    Our internal auditors have asked to limit access to change the Chart of Accounts. Currently our Functional team has access to do this via transactions FS00, FSS0, FSP0, etc. which needs to be removed.
    The issue is that if we assign display transaction FS03 to the functional team's role, the Change and Create buttons are still enabled due to the corresponding activities in the Authorization object F_SKA1_BUK, as it seems FS00 and FS03 are essentially the same. The same holds true for FSS3 and FSP3.
    Unfortunately, the functional team requires the create and change activity in F_SKA1_BUK for other transactions, so if we strip the activities for the purposes of FS03, they will lose functionality elsewhere.
    The standard reports S_ALR_87012327 and S_ALR_87012328 were deemed as insufficient replacements for the information in FS00.
    Is there any way to limit the functionality of FS03 to Display only without taking away the create and change activities?

    While researching F_SKA1_KTP, I found that without the change or create activities in both F_SKA1_KTP and F_SKA1_BUK, the buttons gray out. The functional team is currently researching if they need change/create in F_SKA1_KTP, as I sent them a list of transactions they have for which it is required.
    I tried to remove S_TCODE FS00, but when I ran FS03 it gave me a "not authorized for FS00" message and did not display the screens. I removed the dependency via SE97, but then FS03 essentially became FS00 and I was back at square one.
    Thank you both for your suggestions.

  • Can we display only the required dimensions under Dimensions Drop Down list

    Hi,
    I am using Hyperion Financial Data Quality Management, Fusion Edition 11.1.1.3.00. So far, under the Activities -> Maps option, we used to display all the dimensions used in the application, but now as per the client's requirement we need to display only those dimensions which need mapping under the dimensions drop-down list.
    E.g.:
    Now in our application our Dimension drop-down list will show these dimensions:
    Account
    Entity
    Legal Entity
    Inter company
    Reverse 1
    Reverse 2
    Among these we are doing mapping only for the Account and Entity dimensions, so we need to hide the rest of the dimensions from the Dimensions drop-down list for which we are not using any mappings (Legal Entity, Inter company, Reverse 1, Reverse 2).
    Another thing is these dimensions should be hidden only from the drop down list and not from the Output file generated after the Export.
    Some suggestions regarding this issue will be greatly helpful.
    Thanks,
    Abdulla Javeed Hassan

    Hi
    If hiding the other dimensions is to prevent users from accessing and changing the mappings then you could do this by amending the object security so that only certain user roles can access the Activities > Maps option.
    This will only really work if you have limited users / central team that will control the maps but it is the most obvious way to stop users accessing the maps.
    Hope this helps
    Stuart
