topic Re: Role in Application Development and Automation Discussions

Role

Former Member — Wed, 13 Dec 2006 10:51:11 GMT

Dear Gurus,

Is there any standard role in 4.6 for display all

transaction..

If not so How we can achieve it??

thanx in advance

senthil

Re: Role

morten_nielsen — Wed, 13 Dec 2006 12:19:18 GMT

You won't find any Display all role.

Creating a display all role won't be a simple job. I have got a few tricks that could help you a bit a long the way.

The key authorization field in question i actvt. So what you can do is

1. Create and generate a role based on the profile SAP_ALL

2. Download this role to your PC

3. Open the role with notepad

4. Search for 'ACTVT * ' (with the exact number of spaces between ACTVT and * - and a space after * as well)

5. Replace it with "ACTVT 03"

Please make sure that when you do the replace - that your not altering the positions of any other text string in the file.

6. Now upload it again to the profile generator - and generate the role.

But !!! Pleace notice that actvt isn't the only field you need to change in order to create a display only role - you will still need to go through the HR and the basis authorizations - no easy way here. - and there still could be ekstra objects that needs to be maintained.

Regards

Morten Nielsen

Re: Role

Former Member — Wed, 13 Dec 2006 23:29:18 GMT

You also have to be careful with S_TCODE since creating a role based upon SAP_ALL will mean that auth object is an * and there are a number of tcodes where there is no associated auth object which means that you'll be able to execute it even it if its not a display tcode.

Re: Role

Former Member — Thu, 14 Dec 2006 12:35:37 GMT

Hi Senthil,

Have you tried to make a copy of roles:

SAP_ALL_DISPLAY

SAP_ALL_HR_ONLY

SAP_ALL_RESTRICTED

To be honest, I haven't...

Regards,

Agoes

Re: Role

Former Member — Fri, 15 Dec 2006 09:19:02 GMT

SAP_ALL_DISPLAY

SAP_BC_DWB_WBDISPLAY

SAP_CA_CL_DISPLAY

SAP_CA_DMS_DISPLAY

SAP_CO_OM_JOB_INTORDER_DISPLAY

SAP_CO_OM_OBJECT_DISPLAY

SAP_CO_PA_BASICDATA_DISPLAY

SAP_CO_PC_ACT_MATERIAL_DISPLAY

SAP_CO_PEREND_DISPLAY

SAP_CS_AG_CUST_ORDER_DISPLAY

SAP_CS_AG_WARRANTIES_DISPLAY

SAP_CS_SE_DISPLAY_NOTIF_ORDERS

SAP_EC_PCA_MODEL_TP_DISPLAY

SAP_EC_PCA_OBJECT_DISPLAY

SAP_FI_AP_DISPLAY_BALANCES

SAP_FI_AP_DISPLAY_CHECKS

SAP_FI_AP_DISPLAY_DOCUMENTS

SAP_FI_AP_DISPLAY_MASTER_DATA

SAP_FI_AP_DISPLAY_PARKED_DOCUM

SAP_FI_AR_DISPLAY_CREDIT_INFO

SAP_FI_AR_DISPLAY_CUST_INFO

SAP_FI_AR_DISPLAY_DOCUMENTS

SAP_FI_AR_DISPLAY_MASTER_DATA

SAP_FI_AR_DISPLAY_PARKED_DOCUM

SAP_FI_BL_CHECK_MGMENT_DISPLAY

SAP_FI_FM_BU_DISPLAY

SAP_FI_FM_MD_DISPLAY

SAP_FI_GL_DISPLAY_ACCT_BALANCE

SAP_FI_GL_DISPLAY_DOCUMENTS

SAP_FI_GL_DISPLAY_MASTER_DATA

SAP_FI_GL_DISPLAY_PARKED_DOCUM

SAP_FI_SL_DISPLAY_DOCUMENTS

SAP_FI_SL_DISPLAY_PLAN

SAP_ISR_LE_BASIC_DATA_DISPLAY

SAP_ISR_MATERIAL_DISPLAY

SAP_ISR_MERCH_CAT_DISPLAY

SAP_ISR_SITE_DISPLAY

SAP_LE_BASIC_DATA_DISPLAY

SAP_LE_INB_DELIVERY_DISPLAY

SAP_LE_OUTB_DELIVERY_DISPLAY

SAP_LE_TMS_DISPLAY

SAP_LO_BM_BATCH_DATA_DISPLAY

SAP_LO_MD_BOM_DISPLAY

SAP_LO_MD_CUSTOMER_DISPLAY

SAP_LO_MD_MM_MATERIAL_DISPLAY

SAP_LO_MD_SERIAL_NO_DISPLAY

SAP_LO_MD_VENDOR_DISPLAY

SAP_LO_PP_RTG_DISPLAY

SAP_LO_PP_WRKC_DISPLAY

SAP_LO_SD_BILLING_DISPLAY

SAP_LO_SD_INFORMATION_DISPLAY

SAP_LO_SD_PRICING_DISPLAY

SAP_LO_SD_SALES_DISPLAY

SAP_MM_IM_DISPLAY

SAP_MM_PUR_DISPLAY_OBJECTS

SAP_PM_EQM_EQUIPMENT_DISPLAY

SAP_PM_EQM_FUNC_LOC_DISPLAY

SAP_PM_EQM_MEAS_POINTS_DISPLAY

SAP_PM_PRM_MAIN_PLANS_DISPLAY

SAP_PM_PRM_TASKS_LISTS_DISPLAY

SAP_PM_WOC_MEAS_DOC_DISPLAY

SAP_PM_WOC_ORDER_DISPLAY

SAP_PP_BD_RTG_DISPLAY

SAP_PP_BD_WKC_DISPLAY

SAP_PS_DATES_DISPLAY

SAP_PS_DOCUMENTS_DISPLAY

SAP_QM_IM_COSTS_DISPLAY

SAP_QM_PT_CHANGE_MANAG_DISPLAY

SAP_QM_PT_LOG_MASTER_DISPLAY

SAP_QM_PT_MAT_MANAG_DISPLAY

SAP_QM_QN_NOTIF_DISPLAY

Re: Role

Former Member — Sun, 17 Dec 2006 10:59:36 GMT

Hi,

You can create an new role using SAP_ALL and SAP_ALL_DISPLAY profiles....

insert second profile in "insert authorizations frm change auth data tab"

maintain the values and generate profile...

First profile is too tedious you need to maintain lots oof fields

regards

jag

Re: Role

Former Member — Thu, 21 Dec 2006 13:29:35 GMT

Well there was the need to create such a thing once. Therefore, I got one - if you want it, I can send it.

Re: Role

Former Member — Thu, 21 Dec 2006 13:53:20 GMT

Basic question is WHY. No functional or business consultant has aver been able to convince us of the need for such wide access.

General finding is that they do not know what they really need in SAP so let them go back to the drawing board and rethink the access needed from a functional point of view.

Re: Role

Former Member — Thu, 21 Dec 2006 14:47:25 GMT

But there are some people who do not know what they don't know yet in SAP. SAP systems also consist of more than just a production client in a production system...

Examples for the need for such a role:

Some companies might have a philosophy about support that they should be able to display (and understand) the entire application and all functional areas, and not just their own little piece of the pie which they can edit. Such a role could find a need in a development system.

Some companies also get audited (all functional areas, basis, authorizations, interfaces etc etc) and you might want the auditor to be able to display (and report on) the entire application and not just one client in it. Such a role could even be a legal requirement.

Some companies also have a change control policy which does not give developers and authorizations administrators access to the production systems (in most companies their work is done in development systems). However for emergency access or serious surprise type of troubleshooting, you might want to give them display access to analyze or debug a problem in production without having to hand out SAP_ALL to them. If it wasn't a surprise, then you would know which functional role to give them.. but you dont.

Cheers,

Julius

Re: Role

Former Member — Fri, 22 Dec 2006 14:16:01 GMT

Julius,

Just to make your idea clear about SAP_ALL_DISPLAY (and thanks for making mine about the need of display access) -

When you say, "you might want the auditor to be able to display (and report on) the entire application and not just one client in it", let me clarify that SAP authorization management works for that particular client only. So, If I 'am providing full display access to someone, it is at client level. If there are multiple clients within the system (all clients make an application as per your concept I believe) then he would not be able to view same information in other clients. So, SAP_ALL_DISPLAY does not serve the purpose of display access for whole "Application".

Of course, I agree with you that we do need full display access in the system.

Re: Role

Former Member — Wed, 03 Jan 2007 21:24:41 GMT

Hi Amol,

Yes, if the role (and some other config, SP and release stuff) truly is a DISPLAY_CLIENT_ONLY role, then the auditor would probably be limited to their sy-mandt client DATA only, plus the client independent DATA, and any report / tcode which delivers client independent or even client specific information (there are a few).

What I meant by "entire application" for such an audit was perhaps more "entire environment". Or rather better would be "entire system". An alternate would be "entire application<b>s</b>", as it would depend on what the application actually does and where it is coming from.

You are refering to the fact that a user with strong authorizations can have an impact beyond their client (logical system) irrespective of the current client they have authorizations from (eg. the way some applications use S_TABU_CLI, S_TABU_DIS, S_DEVELOP, S_TRANSPRT, S_RZL_ADM, S_ADMI_FCD...). The user can also impact other client DATA (eg. SE30, SE37, SUB%...).

So an auditor might want (highly unlikely though...) to have an account in all current accessible logical systems (clients) which can impact the one which they are auditing, or even better => a DISPLAY_ENVIRONMENT_ALL role which gives them access to display the real access of the users in the entire application / environment / system from a logical system (client) independent perspective, also without there necessarily being a reference (still) to that logical system. That would be a nice auditing tool!

Some auditors have their own dark ways of getting some of this sort of information, but perhaps SAP might want to consider adding such a feature to the audit information system (both as role and tool)?

Cheers,

Julius