2007 Sep 19 8:09 AM
Hi Experts,
Our companys wants full authorisation ( sap_all + sap_new ) for Auditors but in Display Mode only.
What I did, I created Z_auditor role and selected all logistic ( Not Tools ) and in authorisation S_TABU_DIS I kept only display.
But in many transaction i seen that there is create, change option available.
Pl. guide us what to do, urgent ?
Yusuf
2007 Sep 19 2:21 PM
As already mentioned, it is not recommended to give a copy of SAP_ALL and attempt to make it display only. The main issue with this approach is that you are giving them a wildcard in the S_TCODE auth object. Even if you managed to find all of the objects and changed them to display only, you would still have an issue with some tcodes not calling an auth object - one good example is RZ11 - with this you can maintain some system profile parameter values - no auth object is needed. Better to go the route as suggested here and get them to tell you what tcodes they need.
2007 Sep 19 8:51 AM
use the search for SAP_ALL_DISPLAY
this question gets asked every week
If you are not <b>very</b> careful and give the auditors a role that gives too much access in prod, that this will be raised in their audit report.
In your situation I would get an email from the auditors stating exactly what access they need and build an appropriate role.
Message was edited by:
Alex Ayers
2007 Sep 19 9:11 AM
Hi Alex,
In ECC 5.0 the SAP_ALL_DISPLAY role/profile is not available.
Yusuf
2007 Sep 19 9:39 AM
Hi Yusuf
if you put SAP_ALL_DISPLAY into the search box on this forum, there are many threads which will tell you how to build one that is more suitable for your needs
Cheers
alex
2007 Sep 19 12:31 PM
One question:
What inexperienced/amateur Auditors are you working with. An experienced EDP auditor would never want SAP_ALL display access, but will come with a list of TRX and reports they must be able to access , so you could build a custom role from that.
I know that some financial directors/controllers are frightened of auditors thus take the easy way and allow them SAP_ALL. But be aware although it is not your responsibility if you are requested to grant such a Forbidden access, but one of your tasks should be Gate-Keeper, preventing others of making the wrong decision!
2007 Sep 20 5:20 AM
Hello Auke & JC,
Thanks for explaination. Now we have decided not to give SAP_ALL for auditor.
We will collect TRX and reports and grant them.
Yusuf
2007 Sep 19 2:21 PM
As already mentioned, it is not recommended to give a copy of SAP_ALL and attempt to make it display only. The main issue with this approach is that you are giving them a wildcard in the S_TCODE auth object. Even if you managed to find all of the objects and changed them to display only, you would still have an issue with some tcodes not calling an auth object - one good example is RZ11 - with this you can maintain some system profile parameter values - no auth object is needed. Better to go the route as suggested here and get them to tell you what tcodes they need.
2007 Sep 20 4:28 PM
Hello Yusuf,
all the responses belongs u r question is absolutely perfect.
Just try to use the predefined role of SAP. SAP_ALL_DISPLAY.
create a new role with the copy of the same as i mentioned above.
then use this role as per as u r requirement.
its a good process recomonded by SAP.
cheers.....
Sree
2007 Sep 21 7:00 AM
Hi Srinivas,
Thanks. But SAP_ALL_DISPLAY is not in ECC 5.0 Version.
Yusuf
2007 Sep 24 9:49 AM
Please DO NOT try to create SAP_ALL_DISPLAY.
There are standard roles for auditors which should be a great start for your roles.
Please look at http://service.sap.com/ais , there you'll find lots of information about the Audit Information System.
Auditors are used to this, usually.
Hope that helps,
Frank.