‎2011 Jun 08 2:01 PM
Hi Experts,
I'm new to SAP Basis. We generally give SAP_ALL and SAP_NEW profiles to developers. However, we wanted to restrict a couple of Tcodes like SCC4 for these users.
Is there any way to exclude a Tcode from a generic profile like SAP_ALL or SAP_NEW?
Thanks,
Shanahas
‎2011 Jun 08 2:50 PM
Hi Shanahas
> Is there any way to exclude a Tcode from a generic profile like SAP_ALL or SAP_NEW?
> Shanahas
No.
For details use the search and have a look in "A collection of threads: FAQ's, intros and memorable discussions"
Cheers
Jörg
‎2011 Jun 08 3:25 PM
Hi Shanahas,
If your team has a security consultant, he should be able to devise developer roles for the team. You can refer to standard SAP roles like SAP_BC_DWB_ABAPDEVELOPER for a reference and build upon that...
Standard SAP profiles should not be changed... If nothing works, as a last resort create a role by adding the SAP_ALL profile into a role and have the restrictions built on basis objects or range out SC* tcodes in S_TCODE objects. It can be your last resort.
~Sri
‎2011 Jun 09 4:35 PM
Hi Sri,
How do I add the SAP_ALL profile to a role? As far as I know, I can add it for a user.
Please help.
Thanks,
Shanahas
‎2011 Jun 09 4:41 PM
Hi Shanahas,
Create an empty role and don't add any tcodes/reports in the menu section. When you go to expert mode for profile generation it prompts for standard templates. There you can select SAP_ALL and transfer template the profile.
Please note that it would give all possible objects and is almost equal to SAP_ALL unless you carefully make the basis/security auth objects inactive.
~Sri
‎2011 Jun 09 6:16 PM
Hi Shanahas
It sounds like somebody has told you that you can add a SAP standard profile to a role and then intend to modify the role? Sri's and others' posts are trying to point you in another (safer) direction.
Try searching this forum for ways of developing support roles which are either ranged and/or held back correctly at object level instead - it's a really common question...
Cheers
David
‎2011 Jun 09 6:40 PM
Hi David -- As always the last resort gets picked first :)... I guess... I took this thread in a different direction... however, standard roles like SAP_BC_DWB_ABAPDEVELOPER can be the best start to get developers access to what they want initially and build on it...
~Sri
‎2011 Jun 09 8:21 PM
Sounds like the OP has dropped into an S&A role and is either working with another inexperienced S&A consultant or in isolation (no insult intended to the OP but did say 'new to basis').
So, being pushed to provide access now now now!!! ...
Not nice
‎2011 Jun 08 4:59 PM
Shanahas,
It is extremely common for developers / consultants to say that they need the profile SAP_ALL. This is actually completely untrue and if you follow best practice, no-one should ever have access to those profiles.
The proper way to apply required permissions is to start with a couple of the predefined roles and build from that. However, I'm well aware that if you try to follow that procedure, your developers / consultants will scream the house down and make your life a total misery until you give in. However, if you do give anyone those profiles, you will almost certainly never get them to give them up (unless you threaten them with extreme physical violence!).
If you have access to a company security team or legal team, make them your best friend. You can use them to take the heat off you by insisting that you follow a procedure of "least possible permission" - very common with big business, financial institutes, etc.
Best of luck - you will need it.
Tony
‎2011 Jun 13 9:46 AM
Have some basic training on security. ADM 940 is best for this.
Regards,
Arpan Paik