
I know there are tons of discussions here on SCN about SAP_NEW, but it still seems to be widely unknown how to use SAP_NEW correctly. Therefore I will try to give a summary in this blog.
Authorization profile SAP_ALL is a composite profile containing generated authorizations for nearly everything.
SAP_ALL gets generated automatically whenever you transport authorization objects.
You can generate SAP_ALL using report RSUSR406 or transaction SU21. This generates SAP_ALL only in the client where this report is executed. You can generate SAP_ALL using report AGR_REGENERATE_SAP_ALL. This report generates SAP_ALL in all clients.
The customizing table PRGN_CUST contains some switches to control the generation of SAP_ALL. However, the default values are quite reasonable:
Switch | Values | Description |
---|---|---|
ADD_ALL_CUST_OBJECTS | YES (default), NO | Give full authorization for customer authorization objects (namespace Y, Z) in the profile SAP_ALL |
ADD_OLD_AUTH_OBJECTS | NO (default), YES | Give full authorization for obsolete authorization objects (class AAAA) in the profile SAP_ALL |
ADD_S_RFCACL | NO (default), YES | Give full authorization S_RFCACL in the profile SAP_ALL (Do not activate this switch!) |
SAP_ALL_GENERATION | ON (default), OFF | Generate SAP_ALL profile in after-import method for authorization objects (Note 439753) |
Principal rule: No user - except maybe for highly secured emergency users - should be assigned to authorization profile SAP_ALL. This rule applies for all clients.
The rules of the game:
The authorizations in SAP_NEW exist to bridge the differences in authorization checks between releases while you are preparing the upgrade. SAP_NEW enables your business processes to continue functioning until you have incorporated new authority checks in your old authorization concept. The authorizations within SAP_NEW are bound to software component SAP_BASIS. You only need to bother with SAP_NEW if you upgrade SAP_BASIS.
SAP_NEW should never be required in productive systems.
There is no need to give somebody SAP_NEW if this user already has SAP_ALL. You still see this combination quite often in real systems, but this is simply an indicator that the administrators haven't understood the rules of the game yet.
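The three rules above can be checked mechanically against a list of user/profile assignments. The following Python code is an added example, not part of the original blog and not SAP code; the CSV layout (client, user, profile), the user names and the emergency-user allowlist are constructed assumptions.

```python
import csv
import io

# Constructed sample export of client, user, profile rows (not real system data).
SAMPLE_ASSIGNMENTS = """client,user,profile
000,ADMIN1,SAP_ALL
100,FIREFIGHTER1,SAP_ALL
100,JDOE,SAP_ALL
100,JDOE,SAP_NEW
100,ASMITH,SAP_NEW
100,BKING,Z_SALES_CLERK
200,BATCH_RFC,SAP_ALL
"""

# Hypothetical allowlist of highly secured emergency users, keyed by (client, user).
EMERGENCY_USERS = {("100", "FIREFIGHTER1")}


def audit_assignments(csv_text, emergency_users=frozenset(), productive=True):
    """Return sorted (client, user, finding) tuples for the three rules above."""
    profiles = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["client"].strip(), row["user"].strip().upper())
        profiles.setdefault(key, set()).add(row["profile"].strip().upper())

    findings = []
    for (client, user), assigned in profiles.items():
        has_all = "SAP_ALL" in assigned
        has_new = "SAP_NEW" in assigned
        # Rule: nobody except emergency users holds SAP_ALL, in any client.
        if has_all and (client, user) not in emergency_users:
            findings.append((client, user, "SAP_ALL assigned to non-emergency user"))
        # Rule: SAP_NEW adds nothing for a user who already has SAP_ALL.
        if has_all and has_new:
            findings.append((client, user, "SAP_NEW redundant with SAP_ALL"))
        # Rule: SAP_NEW should never be required in productive systems.
        elif has_new and productive:
            findings.append((client, user, "SAP_NEW in productive system"))
    return sorted(findings)


if __name__ == "__main__":
    for client, user, finding in audit_assignments(SAMPLE_ASSIGNMENTS, EMERGENCY_USERS):
        print(f"{client} {user:<14} {finding}")
```

Pass `productive=False` when auditing the upgrade-preparation system, where SAP_NEW alone is expected during the transition.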
Prerequisite: The technical release upgrade was executed in an upgrade-preparation system.
Of course you can skip steps 1 to 3 and start with step 4 directly!
Update since basis release 700:
Authorization profile SAP_NEW has been replaced with a generated role that is also called SAP_NEW. You generate role SAP_NEW using report REGENERATE_SAP_NEW. This way, old authorization data as described in step 1. above are omitted automatically. See Note 1711620 for details.
Basically, the old authorization profile SAP_NEW and the new role SAP_NEW serve the same purpose and are based on similar data.
Authorization profile SAP_NEW is based on a list of authorization objects stored in table TOBJVOR and authorization values stored in table TOBJVORDAT.
Role SAP_NEW gets generated by report REGENERATE_SAP_NEW using only the list of authorization objects stored in table TOBJVOR; it ignores the values given in TOBJVORDAT. Instead, full authorizations "*" are added for all authorization fields.