‎2009 May 24 1:21 PM
Hi! Does anyone know how we can exclude 3 transactions from the role SAP all? I need this to exclude the transactions VKM* (release credit blocked documents) from the role for FI SAP all, which will be assigned to the chief accountant. Thanks!
‎2009 May 24 1:24 PM
Not possible. At least not in a meaningful way.
You need to build proper roles to have meaningful security.
Cheers,
Julius
‎2009 May 24 2:32 PM
> Hi! Does anyone know how we can exclude 3 transactions from the role (Profile - not role) SAP all? I need this to exclude the transactions VKM* (release credit blocked documents) from the role for FI SAP all, which will be assigned to the chief accountant. Thanks!
1. Create a role and don't assign any TCode in the menu. Manually add S_TCODE in the Authorization tab and put the field value in TCD like below:
From To
A* VKL*
VKN* X*
2. 2nd option is to create a Custom project which you can add in the role menu by using TCode SPRO_ADMIN. Include Transactions as your own choice. Generate the project and then assign into Role menu.
Regards,
Dipanjan
‎2009 May 24 2:43 PM
> Create a role and don't assign any TCode in the menu. Manually add S_TCODE in the Authorization tab and put the field value in TCD like below:
>
> From To
> A* VKL*
> VKN* X*
Which also excludes all transactions beginning with any non-alphabetic character. And how would the necessary objects (SU24 proposals) be pulled into the profile? I think it'll be hell to get such a role to work properly. Not to mention the number of "dangerous transactions" left in these ranges.
Better advice would be: Build a role with the transactions this user actually needs.
‎2009 May 24 7:38 PM
>
> Which also excludes all transactions beginning with any non-alphabetic character. And how would the necessary objects (SU24 proposals) be pulled into the profile? I think it'll be hell to get such a role to work properly. Not to mention the number of "dangerous transactions" left in these ranges.
>
You are right Jurjen.... All 3rd party tool specific TCodes (i.e. Tcodes beginning with /*) will be omitted.
> Better advice would be: Build a role with the transactions this user actually needs.
Yes of course. I don't understand at all when someone is trying to modify SAP_ALL..!!!!!!!!!!!!!
Dear Requester,
We all request you not to keep an eye on SAP_ALL; you should try to create roles depending on SOD and International Laws and Regulations.
Forget about SAP_ALL.
Regards,
Dipanjan
‎2009 May 24 9:33 PM
> Forget about SAP_ALL.
Does this mean you will not give answers like your previous one to these questions anymore? I would appreciate that.
‎2009 May 24 9:52 PM
Dear Jurjen,
I would really like to know what exactly you are looking for from me. Please ask .. I will try to answer if I can .. surely.
regards,
Dipanjan
Edited by: Dipanjan Sanpui on May 24, 2009 4:53 PM
‎2009 May 25 9:40 AM
> I would really like to know what exactly you are looking for from me. Please ask .. I will try to answer if I can .. surely.
Well, what I meant is: In your first reply to this thread you tried to give a technical solution for OP's problem. Later on you decided that this wasn't the right way to go (I agree).
What I'd like to see is that we do not only give technically correct answers but actually help people to get their authorizations properly configured.
So next time you're tempted to post a "range" type solution think about this thread and consider if you are really helping someone in the right direction.
What happened here, or at least how I saw it, was that you and some posters helped OP to get further without considering whether getting further was also giving a good result.......
Jurjen
‎2009 May 25 9:59 AM
It is always advisable to add a disclaimer (or get someone else to sign when you take a short cut - but that does not make the possibility (nor side effects) go away.
At least the security area is still harmless when compared to what goes on in the ABAP world... An example from today:
Cheers,
Julius
‎2009 May 25 10:14 AM
> It is always advisable to add a disclaimer (or get someone else to sign when you take a short cut
That would be a start. Once everybody is used to the disclaimer they can consider not submitting any posts they think need a disclaimer......
Security luckily isn't about stuff like Insert mess into system where risk is high but only about accidentally giving users enough rights to follow such dramatic instructions....
‎2009 May 25 10:20 AM
Fair enough. Without Tcode VKM* you couldn't directly release a blocked invoice, but you could accidentally release the whole BSEG from the database...
‎2009 May 27 10:12 AM
In addition to the general remark "Do not use the authorization profile SAP_ALL - use specialized roles" I'd like to add the following:
In real life I've sometimes seen such ALMOST_SAP_ALL roles. Well, that is better than using SAP_ALL but of course worse than using specialized roles. Anyway, you create such a role by first copying the authorization data from the profile SAP_ALL into the role and then replacing some of the * values by individual values. You should at least have a close look at S_ADMI_FCD, S_BTCH, S_DEVELOP, S_PROGRAM, S_RFC, S_TABU, S_TCODE, S_USER* (this list is incomplete;-)
For simulating negative authorizations you cannot mix generic values containing * with ranges. Therefore, this does not work:
From To
A* VKL*
VKN* X*
You have to enter generic values and ranges within two entries for every interval and you should not forget numbers, the customer name range and the partner name range:
From To
A VKL
VKL*
VKN Z
Z*
0 9
9*
/*
Finally, if you remove transactions from S_TCODE you should remove the related authorization objects of these transactions according to the SU24 data, too.
Kind regards
Frank Buchholz
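As an added illustration (not part of any post in this thread and not SAP code), the sketch below checks a watch list of transaction codes against the seven S_TCODE entries listed above, showing that VKM* is blocked while administrative transactions inside the ranges stay reachable. The matching rules are a simplified assumption (trailing `*` as prefix match, From/To as inclusive string comparison), and the watch list is constructed for the example.

```python
# Simplified model of how S_TCODE field TCD entries match (an assumption for
# illustration, not SAP kernel code): From/To = inclusive string comparison,
# trailing * = prefix match, anything else = exact match.

def matches(entry, tcode):
    low, high = entry
    if high is not None:
        return low <= tcode <= high
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return tcode == low

def allowed(entries, tcode):
    """True if any TCD entry of the role grants the transaction code."""
    tcode = tcode.upper()
    return any(matches(e, tcode) for e in entries)

# The seven From/To entries from the post above (None = no "To" value).
ALMOST_SAP_ALL = [
    ("A", "VKL"), ("VKL*", None),
    ("VKN", "Z"), ("Z*", None),
    ("0", "9"), ("9*", None),
    ("/*", None),
]

# Constructed watch list: the VKM* codes the thread wants blocked, plus a few
# well-known administrative transactions that fall inside the ranges.
WATCH = ["VKM1", "VKM3", "VKM4", "SE16", "SE38", "SM30", "SM59", "SU01"]

def still_granted(entries, watch):
    """Watch-list transactions the role would still allow to be started."""
    return [t for t in watch if allowed(entries, t)]

if __name__ == "__main__":
    for t in WATCH:
        state = "GRANTED" if allowed(ALMOST_SAP_ALL, t) else "blocked"
        print(f"{t:6} {state}")
```

Running the same check against an export of a real role's S_TCODE values is a quick way to review what a range-based role leaves open before it is assigned.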
‎2009 May 25 8:09 AM
Hello,
As suggested by friends over here, please create a new role with specific tcodes. Do not create a role by restricting a certain range of transactions; there may be a few transactions which are critical and you will fall under audit. Please ask the person to provide the list of transactions they require and what should be the activity value; before creating, take approval to keep yourself safe.
Thanks,
Prasant
‎2009 May 25 8:33 AM
> Please ask the person to provide the list of transactions they require and what should be the activity value
Agreed. This is always the best route.
An S_TCODE = A-VL* and VN-Z* type role is always dangerous. On its own (never combined with other roles) and taking care of all activity or action related fields (much more than just ACTVT) you can build a reasonably usable single role for specific purposes.
If you take a look at [SAP Note 1118396 - Roles for support activities|https://service.sap.com/sap/support/notes/1118396] you will see this explained nicely...
Cheers,
Julius
‎2009 May 27 10:30 AM
Hi! Thanks to everybody, finally we have created a copy of SAP all and removed some objects.