Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

roles to replace SAP_ALL and SAP_NEW

Former Member
0 Kudos
1,807

Dear Experts,

We are a small SAP shop, so our BASIS person is responsible for various Admin functions in the system.

I need to create a role for BASIS Admin. I tried to use SAP_ALL to start with, then to inactivate parts of it. It works from the security point of view (although it is a lot of work), but it does not give me a list of transactions and therefore makes it difficult to maintain going forward.

I searched multiple old threads, but was unable to obtain a clear answer.

Will it be considered acceptable (<i>i.e. a good practice</i>) to just gather list of transactions which, in my opinion, (possibly by combining transactions from SAP supplied standard roles) BASIS Admin needs and then add/remove additional ones as need arise?

Please, advise.

Thanks in advance

Galina

1 ACCEPTED SOLUTION

former_member190272
Active Contributor
0 Kudos
477

Hi

Check it http://www.sap-img.com/basis/useful-sap-system-administration-transactions.htm

Rewards point if helpful

Thanks

Pankaj Kumar

4 REPLIES 4

0 Kudos
477

Hi Galina:

The restrict of your BASIS role depends of the Security Policy of your Company. Some companies allow BASIS team to work with SAP_ALL and others restrict BASIS work with specific permissions.

I can give you some options:

- You can copy the SAP_ALL profile, using SU02 and make your own Z profile that have all authorizations.

- In our case, we make a list of transactions for BASIS and make a role, using PFCG. You can make your own list, I recommend you these pages:

http://www.erpgenie.com/basis/basistransactions.htm

http://www.sap-img.com/basis/useful-sap-system-administration-transactions.htm

There are differente points of view about these. But SAP recommends to restrict the use of SAP_ALL as much as you can (including Basis and Security team), specially in Production system.

Personally, we prefere the second option, because you can see what you want and it won't affect you in future audits.

Hope these can help you. Have a good day

0 Kudos
477

Hello, Abraham

We cannot use SAP_ALL and SAP_NEW. We used it until now, but our auditors object. If I understand you correctly, you used the option to create the list of transactions. But what about SAP_NEW? How to incorporate authorizations from SAP_NEW? Or, this is unnecessary when we create role based on list of transactions?

Please, advice

Galina

former_member190272
Active Contributor
0 Kudos
478

Hi

Check it http://www.sap-img.com/basis/useful-sap-system-administration-transactions.htm

Rewards point if helpful

Thanks

Pankaj Kumar

0 Kudos
477

Pankaj,

It is certainly helpful. Do you have a similar list or suggestions for ABAP Developer and for Functional Configurator roles? I have to create these as well.

Thanks

Galina