Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Problem with SAP_ALL regeneration

Former Member
0 Kudos

Hello

I have a problem with SAP_ALL. Somebody have regenerated this profile so now I have all the new authorization object in SAP_ALL. I tried to modify the &_SAP_ALL_16 (it's the profile which contains the new authorization object in the SAP_ALL profile) in order to delete the new authorization object.

I have a message "Generated profiles can only be displayed".

Somebody can help me please ?

Thanks for your help.

Mélanie

1 ACCEPTED SOLUTION

Bernhard_SAP
Employee
Employee
0 Kudos

Hi Melanie,

the aim of SAP_ALL is, to contain all authorizations.

there are only some small exceptions, which can be configured. You can find them in SAP note #410424.

The function to update generated profiles is disabled (of course with a little debuging it is still possible.....).

b.rgds, Bernhard

8 REPLIES 8

Former Member
0 Kudos

Hi,

You shouldn't try to remove access from SAP_ALL (only SAP does that for 1 object).

If you need access that isn't "everything" then you should create a role which contains the specific access.

0 Kudos

I know this but we have a lot of specific authorization object and specific program. We need only standard object in SAP_ALL. So with this regeneration we have all the specific also and it's bad for us.

Do you have a solution for us to clean this profile and to transfer all the specific to the SAP_NEW profile ?

Thanks

Mélanie

0 Kudos

> We need only standard object in SAP_ALL. So with this regeneration we have all the specific also and it's bad for us.

If what you mean by "specific" is your own customer objects... then you can make an entry in table PRGN_CUST id = 'ADD_ALL_CUST_OBJECTS' path = 'N'.

Then make sure you have a role which can run report RSUSR406 (regenerate SAP_ALL) and not just SAP_ALL, because you can delete SAP_ALL and then regenerate it without the customer objects.

> Do you have a solution for us to clean this profile and to transfer all the specific to the SAP_NEW profile ?

You should not do this. SAP_NEW is for introducing SAP's own new objects. After upgrading your roles, you should delete it and regenerate SAP_ALL.

That way, you never need SAP_NEW - except during upgrades.

Cheers,

Julius

0 Kudos

> I know this but we have a lot of specific authorization object and specific program. We need only standard object in SAP_ALL. So with this regeneration we have all the specific also and it's bad for us.

With which you actually say SAP's expected standard behaviour is bad for you...

> Do you have a solution for us to clean this profile and to transfer all the specific to the SAP_NEW profile ?

I really think you should abandon all quests to rid SAP_ALL of unwanted objects.

If it's even possible (Okay, that is possible for your own objects, see Julius' post) you'll risk encountering the same problem after each upgrade.....

Some helpful consultant will push the 'regenerate' button in the future.

You can however create a role based on SAP_ALL and tune that to your need. Just create an empty role, save, got to the authorizations tab and select SAP_ALL as the template.

Edited by: Jurjen Heeck on Sep 2, 2008 2:40 PM

0 Kudos

> Some helpful consultant will push the 'regenerate' button in the future.

Not withstanding possible organizational reasons why this might be usefull... I think Jurgen's point is stronger and there are several ways to regenerate a "real" SAP_ALL again which would then have a rather (un)intended affect...

Rather stick it out and tell them "No". This is also where having an emergency user solution can be quite usefull as well - to deal with all the examples of exceptions which happened twice last year... (for example

Cheers,

Julius

0 Kudos

Hi again,

nevertheless as mentioned already cusotmer objects can be excluded from SAP_ALL

(re)generation you could simply create a backup from a current sap_all profile (without your cusomt objects included) to overcome such a problem in the future. In SU02 you have a transport link for profiles. so create a transport of the version you require. You can import that afterwards whenever and wherever you need it.

b.rgds, Bernhard

Bernhard_SAP
Employee
Employee
0 Kudos

Hi Melanie,

the aim of SAP_ALL is, to contain all authorizations.

there are only some small exceptions, which can be configured. You can find them in SAP note #410424.

The function to update generated profiles is disabled (of course with a little debuging it is still possible.....).

b.rgds, Bernhard

Former Member
0 Kudos

Hello,

I put in the table PRGN_CUST id = 'ADD_ALL_CUST_OBJECTS' path = 'N'. I regenerated the SAP_ALL profile.

Now I have only the standard object in my profile and all works normally.

Thanks to all !

It's good now.

Best regards,

Mélanie