Hello Bryle,

If I am understanding you correctly, you want to create a user authorization profile similar to SAP_ALL, with the difference being that your new profile should only allow to display everything instead of also being able to change and add things like in SAP_ALL.

As far as I know, the only way to do this requires some manual work:

1. Create a new role in the profile generator transaction PFCG according to your current naming conventions for role generation, e.g. "Z_DISPLAY_ALL".

2. Wihtin the "Authorizations" tab, create a profile for the role and save your role. You can also add a description and a transactions menu for the role on the other tabs if you like.

3. From the same tab open up the profile editor by using either the button "Change Authorization Data" or "Expert Mode for Profile Generation".

4. If you did not add any transaction to the role menu, a dialog will appear asking you if you want to copy authorizations from one of the listed SAP standard profiles. Normally SAP_ALL is not listed here, so you can just close the dialog.

5. From the menu, choose "Edit --> Insert Authorization(s) --> From Profile...". You can then just enter "SAP_ALL" in the appearing dialog box. This will copy every authorization object from SAP_ALL into your new profile, keeping SAP_ALL intact.

6. Check if the organizational levels are all set to the generic value "*".

7. Take some time and edit the objects in your new profile, so that all activity-related fields are limited to "display" and "display changes" (where available).

8. Once you are done, save the profile and generate it.

9. Transport your new role into other systems if necessary.

10. Assign your new role to the users who need it.

The editing of the new profile really takes a good deal of time because of the huge amount of authorization objects copied from SAP_ALL. I did the same thing and even added everything from SAP_NEW, just to be sure that nothing was missing. At least you can save the profile every time and leave the editor even when you are not finished (without generating the profile).

You should also look very closely at every single object. Most of the time, if there is an activity field (named "ACTVT"), it will use the standard acivities where "03" stands for display and "08" stands for display changes (the values in the technical view of the profile). The activities will normally be limited to the ones which make sense for the relevant object.

However, some objects like F_REGU_BUK and F_REGU_KOA (just to use an example) will not only use a different field name for the activity-related field, but also different values for the acivities themselves. You have to take a closer look at the value list for the activity field or - in a case like the one of the above mentioned objects - at the online documentation for the objects.

Also, some objects can be completely deactivated for a "display only" profile, e.g. F_LFA1_AEN.

As long as SAP doesn't change the basic structure for authorizations, this seems to be the only way to do it...

Greetings,

Markus