Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Display Authorisation for ALL transaction ....

Former Member
0 Kudos
169

Hi Experts,

Our companys wants full authorisation ( sap_all + sap_new ) for Auditors but in Display Mode only.

What I did, I created Z_auditor role and selected all logistic ( Not Tools ) and in authorisation S_TABU_DIS I kept only display.

But in many transaction i seen that there is create, change option available.

Pl. guide us what to do, urgent ?

Yusuf

1 ACCEPTED SOLUTION

Former Member
0 Kudos
138

As already mentioned, it is not recommended to give a copy of SAP_ALL and attempt to make it display only. The main issue with this approach is that you are giving them a wildcard in the S_TCODE auth object. Even if you managed to find all of the objects and changed them to display only, you would still have an issue with some tcodes not calling an auth object - one good example is RZ11 - with this you can maintain some system profile parameter values - no auth object is needed. Better to go the route as suggested here and get them to tell you what tcodes they need.

9 REPLIES 9

Former Member
0 Kudos
138

use the search for SAP_ALL_DISPLAY

this question gets asked every week

If you are not <b>very</b> careful and give the auditors a role that gives too much access in prod, that this will be raised in their audit report.

In your situation I would get an email from the auditors stating exactly what access they need and build an appropriate role.

Message was edited by:

Alex Ayers

0 Kudos
138

Hi Alex,

In ECC 5.0 the SAP_ALL_DISPLAY role/profile is not available.

Yusuf

0 Kudos
138

Hi Yusuf

if you put SAP_ALL_DISPLAY into the search box on this forum, there are many threads which will tell you how to build one that is more suitable for your needs

Cheers

alex

0 Kudos
138

One question:

What inexperienced/amateur Auditors are you working with. An experienced EDP auditor would never want SAP_ALL display access, but will come with a list of TRX and reports they must be able to access , so you could build a custom role from that.

I know that some financial directors/controllers are frightened of auditors thus take the easy way and allow them SAP_ALL. But be aware although it is not your responsibility if you are requested to grant such a Forbidden access, but one of your tasks should be Gate-Keeper, preventing others of making the wrong decision!

0 Kudos
138

Hello Auke & JC,

Thanks for explaination. Now we have decided not to give SAP_ALL for auditor.

We will collect TRX and reports and grant them.

Yusuf

Former Member
0 Kudos
139

As already mentioned, it is not recommended to give a copy of SAP_ALL and attempt to make it display only. The main issue with this approach is that you are giving them a wildcard in the S_TCODE auth object. Even if you managed to find all of the objects and changed them to display only, you would still have an issue with some tcodes not calling an auth object - one good example is RZ11 - with this you can maintain some system profile parameter values - no auth object is needed. Better to go the route as suggested here and get them to tell you what tcodes they need.

Former Member
0 Kudos
138

Hello Yusuf,

all the responses belongs u r question is absolutely perfect.

Just try to use the predefined role of SAP. SAP_ALL_DISPLAY.

create a new role with the copy of the same as i mentioned above.

then use this role as per as u r requirement.

its a good process recomonded by SAP.

cheers.....

Sree

0 Kudos
138

Hi Srinivas,

Thanks. But SAP_ALL_DISPLAY is not in ECC 5.0 Version.

Yusuf

koehntopp
Product and Topic Expert
Product and Topic Expert
0 Kudos
138

Please DO NOT try to create SAP_ALL_DISPLAY.

There are standard roles for auditors which should be a great start for your roles.

Please look at http://service.sap.com/ais , there you'll find lots of information about the Audit Information System.

Auditors are used to this, usually.

Hope that helps,

Frank.