Spro full authorization without sap_all and sap_new

Hi Friends,
Can u suggest me how to give spro full authorization without sap_all and sap_new profile.
Thanks & Regards,
Tarun

Hi Gowrinadh,
This is an interesting discussion. I don't mean to take shots at your concept, but I have some concerns about it as a solution.
> I have prepared a role 8 months back, we passed 2 patch upgrade cycles and I can confirm that this role will work even after the next version of ECC upgrade.
Sometimes the symptoms only make themselves visible later, and we don't know what is coming in the next version of ECC. Of course it should be largely compatable, but there will be new stuff. You can be sure of that.
> If there are any modules or new functionalities required, then customer has to request for it in addition.
My understand is that the customer requests a full and working SPRO role for each release. They will not find the tcodes for you and do not want to play ping-pong via support tickets either with it.
So each time you bill your customer for the 20 or 40 hours work for maintaining these tcodes manually in ranges? Appart from being error-prone, this solution is not scalable for when SAP might introduce another 20000 tcodes into the SPRO. Or someone convinces SAP to introduce an S_TCODE check for every line of code the whole system... (this is something which some people seem to believe in...), which would introduce several billion new tcodes for you...
> For which we can build separate role.
That is different. The question here (and certainly your solution) is to have them in the same role without duplicates but still including all SPRO access.
If you build them as seperate roles, then you can merge them as projects into one composite and live with the duplicates while checking for any known objects which should not be included.
I would agree with you. That is in my opinion a better solution, but it is not what you have been describing earlier.
> We can plan for authorizations and build roles based on the inputs for today and tomorrow received from customer.
That is the whole point in having maintainable roles and scalable processes. Manually maintaining 20k tcodes is incompatable with such requirements.
> By the way, the max no of consultants and business process owners having this role is not more than 40.
I don't think that assigning the role to less people will make it more usefull, nor that assigning it to more people will bring down it's per user cost of maintenance.
There is some old code posted here already which does what you have described in less than 1 minute. You can find it via the tables I have mentioned above, and will recognize it (and it's age)  by the header lines it uses for internal tables. But it still works, since about release 3 point something...
Cheers,
Julius

Similar Messages

  • How to maintain Employee photo in ESS who's who without sap_all and sap_new

    Hi ALL,
    Displaying Employee photo in ESS Who's who. it is working but with SAP_ALL and SAP_NEW user profiles.
    My requirment is without SAP_ALL and SAP_NEW user profiles. how it is working where can i maintain authorizations for this issue.
    The parameter i used are as follows:
    Business obj: PREL
    Doc type: HRICOLFOTO
    Personal num: 00000094
    Infotype: 0002
    Photo type: .JPG
    please help me.
    Regaards
    Satya.

    Dear satya .
    Please check the following
    1. Trace with the t.code ST01 and check that object require.
    2. The portal require the following obect:
    S_SERVICE
    S_RFC
    P_PERNR
    PLOG
    P_ORGIN/ P_ORGINCON
    P_HAP_DOC, if you work with Appraisal Document.
    3. Check the table T77S0
    P_PERNR, P_ORGIN, y P_ORGINGCON
    4. Check that you have the roles need for ESS.
    SAP_ESSUSER
    SAP_ESSUSER_ERP05
    SAP_EMPLOYEE_ERP05
    SAP_EMPLOYEE_ERP_13
    SAP_EMPLOYEE_ERP05_xx
    SAP_EMPLOYEE_ERP_13_xx
    5. Check the following notes:
    SAP Note 857431 - ESS: Authorizations and roles for WD services in ERP 2005
    SAP Note 844639 - MSS: Authorizations and roles for WD services in ERP 2005
    SAP Note 1373177 - Back end authorization roles missing in EHP4
    SAP Note 824757.
    [ESS Quick Start|http://www.cogentibs.com/pdf/cogsap08/ESS.pdf]
    Hope is help you.
    Regards
    consultor_ess_mss

  • ALEREMOTE profile to run chain:do SAP_ALL and SAP_NEW contain S_BI-WHM_RFC?

    In order to run process chain, we know that the RFC user ALEREMOTE has to have the profile S_BI-WHM_RFC assigned to it. 
    Now our we run process chain on BW PROD, find the first few variants fail and the whole chain stops in the beginning.  We check the profiles assigned to ALEREMOTE and find our BASIS gives it two profiles SAP_ALL and SAP_NEW.  Not sure if SAP_ALL and SAP_NEW contains S_BI-WHM_RFC. 
    Any answer?
    Thanks

    Kevin,
    Yes, sap_all have that profile.
    Sap_all and sap_new gives every authorizations of the system (you can say is a "super user").
    This may be a little risky, but you won't have any problems with process chains.
    Which error gives you de chain?
    Hope it helps,
    Regards,
    Diego.

  • Regarding full authorization except basis and abap

    Hello Gurus,
    I want to provide full authorization to my super users excluding Basis and ABAP transactions such as PFCG,SU01,STMS,SCXX,SEXX. Is it possible by providing some standard profile? If yes then which profiles are that? and if no then how to solve this problem.
    Please reply if u can.
    Thanks and Regards,
    Jayendra
    email - [email protected]

    Hi Jayendra,
                         You copy SAP_ALL to some ZSAP_ALL role and remove what ever the Transactions you want to remove from ZSAP_ALL.Then you assign this role to all your super users.
    Regards,
    Hari.

  • Hot to restrict sap_all and sap_new

    hot to restrict sap_all and sap_new

    Hi,
    SAP_ALL & SAP_NEW profiles will not be assigned to any users in production environment (Not even to the OSS Users). However, there will be derivatives to these profiles. i.e, these two profiles will be copied and restricted.
    Secondly, profile addition will not be done to any user until and unless it is critical. Instead of SAP_ALL, SAP_NEW, other profiles will be assigned like A_ALL etc.,
    Have a look at the following link, which may help you:
    http://www.learnbasis.com/knowledgebase/index.php?view=ViewArticle&id=29&set=all
    Rgds,
    Raghu
    <b><removed by moderator></b>

  • Ultimate Backup Tool v2.0 (Beta) - Full backup without root and unlock

    Easy to use tool and useful, for instance before unlocking bootloader which causes a factory reset.
    All credits go to GIGADROID and team, off course:
    [TOOL][Multi-Platform] Ultimate Backup Tool v2.0 (Beta) - Full backup without root - xda-developers

    jay2727 wrote:
    DO you know if this will work with my S2109 (which is obviously locked completely down)?
    I don't know the S2109.
    Just try and see...

  • Authorizations with out sap_all and sap_new

    Hi,
    I need to give access to all the people which does not have Basis authorizations.
    Can any one of you help me in this regard.
    Thanks
    Venu

    Hi Venu,
    There is one way
    create a role in pfcg in the menu select from the right hand side of you screen select the option <b>From SAP Menu</b>
    in this dont select the options <b>Tools</b> and <b>Cross application component</b>
    and select all other which will avoid the Basis and Abap technical transactions
    and then genetate the profile from the authorization tab then assign the users to the role and comare the users
    hope this helps
    Kishore
    Points are always welcome

  • Sap_all and sap_new

    hello guys,
    whats the use of assigning sap_new profile to the end users and is it recommended to assign sap_all profile to the user??

    Hi Kevin,
    You'll find documentation on these profiles here:
    http://help.sap.com/saphelp_nw70/helpdata/en/4b/65b7398b5a2d31e10000000a114084/frameset.htm
    Best regards,
    Astrid

  • Restrict Authorization in SAP_ALL & SAP_NEW for SCC4 T-CODE only display

    hi,
    I want  to restrict 'Change' mode for SCC4 T-CODE to devuser having complete authorization with profiles SAP_ALL and SAP_NEW. Only 'Display' should be allowed for SCC4. For devuser no roles are assigned.
    For Other Users Roles are assigned with restriction in Authorization at "Basis: Administration-> Table Maintenance (via standard tools such as SM30)> Activity" for authorization object S_TABU_DIS only 'Display' is allowed.
    Abhijit.

    Jurjen Heeck wrote:>
    >... something else to make a part of SAP_ALL not work?
    2 ideas:
    - If the regeneration of SAP_ALL could check that the user running it does not have any SAP_ALL authorizations? Meaning, they would need to know exactly which non-SAP role authorizations (their technical names) have that authority in it. Many folks who only work with SAP_ALL don't know how to do that
    - If there were some way to isolate the program parts which are required to change SCC4 such that they can only be run with root priveleges, then you do not need to give your SAP system (with SAP_ALL) root access...?
    Disclaimer: Just ideas! Complete overkill!!
    => Does restricting the user's access sound like a much easier idea now?
    Cheers,
    Julius

  • How to put safari full screen without click/drag the sides and without going in to fullscreen mode??

    How to put safari full screen without clicking and dragging the sides and without going in to fullscreen mode?
    Thanks
    EG

    Hi, e8god.  
    Thank you for visiting Apple Support Communities.  
    The option to take apps full screen is still available.  Here are the steps on this feature in Yosemite.  
    Take apps full screen
    In many apps, you can expand the window to fill your entire screen. While in full-screen view, swipe to see another app’s full-screen window, to see your desktop, or to see a space you created.
    Expand to full-screen view: Click the green full-screen button in the top-left corner of an app window, or press Control-Command (⌘)-F.
    Move between windows in full-screen view: Swipe left or right on a trackpad or Magic Mouse. For more information, see Learn trackpad and mouse gestures.
    Return to standard view: Move the pointer to the top-left corner of the screen, then click the green full-screen button again, or press Control-Command (⌘)-F.
    Take apps full screen
    Cheers, 
    Jason H.  

  • Hi  I am a keen photographer and I have just bought you SD card reader for ipad. This works well but was winding if there is an app that I can view the images on the SD card full screen without having to import them to the iPad or is there a way to do thi

    Hi
    I am a keen photographer and I have just bought you SD card reader for ipad. This works well but was winding if there is an app that I can view the images on the SD card full screen without having to import them to the iPad or is there a way to do this on the iPad
    The reason for buy this was for when I was out and about to get a better view off my images.
    I have a iPad 2 16gb
    Hope you can help!
    Thanks

    A couple of weeks ago, (after reading a review in TUAW) I bought a wireless hub/ SD card reader called RAVPower.  its app comes with a built in viewer, so you can load it up, and see the pics full screen. 

  • Why MacBook Storage is almost full even without files, movies and music??

    Anyone can help me with this???
    My MacBook Storage is almost full even without files, movies and music... why is it so???
    Thanks

    Hi Avelyn,
    Click on the Apple and then About this Mac>More Info. Click on the "Storage" tab to see what is using up all of your storage.
    That might help you to determine what you need to clean up.
    Cheers,
    GB

  • How to make an Xcode full uninstall without tools ( CD/DVD)

    Hello,
    I have a mac mini late 2012. I dont have OSX Mountain Lion CD or DVD, because my computer has not CD/DVD disk player threfore the OSx comes preinstalled. As i woul like to become an IOS app developer, i have downloaded XCODE 4.6 from AppStore to learn to use it. As you can see i dont have any disk with this software.
    After xcode was intalled i started to try to practice with some testing projects. as you can imagine, i have received a lot of error signals and warnings telling about missing objects, names, etc. I had erased those projects by hand, just deleting project folders without using the organizer to erase the projects.
    After all of this actions, i have tried to start new clean projects in xcode, however, i keep receiving the same errors in new projects, and when i click over any warning simbol it shows instances of the deleted wrong project. Also if you open simulator you can see in there the old deted wrong project icon.
    I have searching with no succes try to "clean" everything created through xcode in the past, however i cant found any way to do that, so i thougth to try to uninstall xcode and after this, try to install it again but clean. I ereased the application and re install it, but same errors are appearing yet. Then i investigate trough the internet about a full uninstall , and all of i have found talks about to use a tools disk to run a command to "erase" xcode complete.
    I also have tried with a comman that sows me errors, this is a copied and pasted text from my terminal:
    Last login: Wed Feb 20 20:08:13 on console
    Mac-mini-de-Fernando:~ fernando$ sudo /Developer/Library/uninstall-devtools –mode=all
    Password:
    sudo: /Developer/Library/uninstall-devtools: command not found
    Mac-mini-de-Fernando:~ fernando$
    As you can see, i dont have any way to run the unisntall tool. After all of this post, i need to make 2 questions, i hope you can help, i getting crazy !!
    1.-Any idea to clean XCODE configuration?
    2.-If not, Any idea to make a full uninstall without osx disks?
    Thanks a lot

    That command you're using is outdated, sorry.
    Xcode latest version is 4.6 - you 'uninstall' just like an other app now...drag it to the trash, then empty.
    In Xocde/Organizer/Documentation, type in: movieplayer
    ...see if you can download that sample app and then see if it runs as-is for you.

  • Cannot manually manage music and videos without erasing and syncing first

    I have an iPhone 3G bought new from the Apple store using 2.1. Using iTunes 8.0 and checking the "Manually manage music and video" checkbox, iTunes prompts me to "Erase and Sync", no other option is available to me. It was the same when using version 7.7 as well.
    I'm not syncing to another computer, it's the same MacBook I've had for almost a year. How do I get the Library Persistent ID in iTunes to match the iPhone. I have the ID from the iTunes Music Library.xml file. I just need to know where the matching file for the iPhone is so I can make them match.
    The ID doesn't match because I had to rebuild my drive a month ago and my question to Apple (actually Steve) is why can't I sync the other way from the phone to the computer.
    Why does my library on the phone have to be wiped out. Who had the warped thought to come up with this genius idea.
    Message was edited by: ep1curus

    I cannot express how disappointing this was for me to find out.
    I want my music to be mobile, I don't want to have to copy it to every computer I want to listen to it on. I want to listen to it from the device, and be able to buy a new album at work or at home. This is a major disappointment for me, as every other device I have owned including my iPod Touch had this capability. I could authorize 5 machines and manually sync, and the music on that device could be played and managed on those authorized machines. For example, my wife has her own music collection, and I have mine, but we have a media center connected to our flat-screen in the living room, that we use for playing music when we are entertaining guests, and with our old iPods and iPod Touch devices, we could unplug one of our devices and plug the other persons in and listen to music from both our libraries without copying the music to that computer, as long as we authorized that machine for the both of us. Now with our iPhones there is no way to keep our seperate librarys and be able to play music on multiple computers in our house and at work, which we have always been able to do until our iPhones. The whole point of the iPhone for me was to be able to combine two devices and now because of the lack of this feature I still have to keep all our iPods around too... Dumb. I almost took our phones back because of this, and if apple doesn't fix it, I probably won't buy another. They should have at least mentioned this little fact before selling the devices to us. I know it's a different device, but it's similar enough that you expect it to work the same as the iPod and iPod Touch. It's not like I am wanting to be able to copy music from the device to multiple machines, it's exactly the opposite... I just want to be able to copy music to the device and listen to it at home and at work... why all apples other devices do this, and the iPhone doesn't is completely perplexing to me, and a serious oversight on there part. This pill would not be so hard to swallow if I had been warned about this prior to dropping almost a grand for iPhones for myself and my wife, expecting what I saw as a more advanced device to work at least as good as the other similar devices I own did.

  • My batterie doesn't work correctly to my Iphone 5. It should work longer, but it's worse. My battery does not hold a full day without much use.

    It should work longer, but it's worse. My battery does not hold a full day without much use.
    When the new version of ISO6 will come ??? A lot of apps don't work correctly too.... :-(
    I'm a little bit disappointed...

    Sounds like your iPhone is locked to your home carrier.
    See if they offer unlocking and if you qualify. Otherwise,
    there is nothing you can do besides rent/but a cheap
    phone for your month in Argentina.

Maybe you are looking for

  • How do you add a new machine as an agent only to be seen by the server....?

    I'm fairly new to this but I'm starting to get the hang of it. I configured what I call a sysadmin server to serve as a SunMC-4.0, Console, Agent & Server. I can connect to the server and I see all the Modules and what's running to I'm good there. Wh

  • PO not cretaed On SUS.

    Hello Experts, We are implementing MM-SUS. When PO Idoc gets triggered from MM and Via XI it goes to SUS. In SUS , Tcode, SXMB_MONI, i can see the XML message with Error. Error message is as follwos: " Save Stylesheet failed /1SAI/TXSD5BFE2D6C24B57C0

  • SP 2013 and SQL SSRS 2012 integration

    I've done this installation successfully a few times before.  On all other times for SP 2013 with SQL 2012 SSRS, I installed on the application server because it was the only server. This time I'm installing into a FARM.  One of the DEV guys asked me

  • Signed applet accessing remote host getting AccessControlException

    I'm fairly new to java development, so hopefully this is an easy answer, but in my searching I haven't yet been able to figure out why this isn't working for me. I have a self-signed applet, running on a server in my intranet. I understood that using

  • Importing video error: Adobe doesn't import video

    I would like to import video into Premiere from my Flash Memory camcorder's hard drive to my computer's hard drive. My camcorder records .mpg files, and when I try to import mpg files into Premiere, the program says the file is not supported. I also