
SD Customization team member --Role and Profile

Former Member
0 Kudos
496

Hi,

I am new to SAP and I have created a user. His role is to customize the SD module (Customization Team Member) and to check and test the changes. He should have access to the IMG, if possible only to the SD-relevant settings, as well as to the SD module's other activities, such as SD super user rights etc.

Currently I gave him the SAP_ALL profile and he has started to mess with other things. Please help me to restrict his access to his relevant area. I need

--Roles

--Profile

--Menu

relevant information.

Thanks in advance.

Usman Rana

10 REPLIES 10

Former Member
0 Kudos
143

If it's a new implementation, for the time being give him copies of the predefined roles 'SAP_LO_SD*'. And obviously you have to plan for a specific role design according to your company's requirements.

Message was edited by: Keerti Vemulapalli

Former Member
0 Kudos
143

Hi Usman,

As Keerti has suggested, check for standard roles related to SD, make a Z copy of those standard roles and assign it to him in the roles tab of his user profile. I hope you are running on versions above 4.0, hence you need not worry about any profiles, because it's all roles now.

Coming to the menu or any specific list of transactions that he needs to have, a custom role creation is the best way. Ask the SD team for all the tcodes that they should be using or are required to use for any special activity, and include them in a new Z role that can be created via the PFCG transaction.

Hope this message has helped you in your quest.

Thanks for any points

Br,

Sri

0 Kudos
143

Hi,

Thanks for your reply. I have removed the SAP_ALL profile from the user and assigned all SAP_SD* roles to him, but they all seem to be for foreign trade etc. Anyway, after assigning the roles I tested the effect: the user can't use the IMG (as I have already told you, he is the customizing team member) and can't even perform sales activities.

Please help me: what are the exact profiles to use for the IMG and SD module super users?

Thanks

Usman Rana

0 Kudos
143

Hi Usman,

A search for SAP_SD* would give only foreign trade related roles, but as indicated by Keerti in the earlier quote, SAP_LO_SD* would give you a more consolidated list of roles related to the SD module.

Hope this helps you and thanks for any points.

Br,

Sri

Former Member
0 Kudos
143

Hi Usman,

To create an IMG role, you will need to do more than just create a role with SPRO - SPRO just gives access to the IMG tree. As of 4.6C and above, all of the "nodes" in the IMG have a tcode as well. You will need to create a role which includes these tcodes as well. To do this, go to PFCG and create a role. From the menu tab, go to Utilities \ Custom authorization. You will be able to select an IMG project from here. If you just want the SD module, then you will have to create an SD specific project in IMG projects so you can select it. This will include all of the tcodes within the SD module node.

Regards,

JC

0 Kudos
143

I was just going to give you the same answer as JC. This is how I create all of my IMG roles.

0 Kudos
143

A significant part of "messing the system up" in SPRO is controlled by S_TABU_DIS and S_TABU_CLI (which also uses S_TABU_DIS if the table is client independent).

You can to a large extent use these to control the activities which an SD customizer can do.

There are also executable reports and other nasty things in the nodes even if the client or system is "closed" for changes, so you can either use S_PROGRAM or you can get a list of all the transactions and turn the call relationships on for them in SE97 as required.

There are two tables which you need for building a SPRO role based on transaction and the activities / objects they relate to. I am not logged on but if I remember correctly they are CUST_IMGACT and CUST_IMGOBJ or similar.

If you load these and switch the activities to display. Tcodes which end with a ...1 are usually "create", ....2 are usually "edit" and ...3 are usually display etc so you could create a display all SPRO role and then add the SD SPRO role which only brings in the specific differences needed for SD customizing.

There are also auths which in addition to S_TABU_DIS and tcode will determine what a user can do in SPRO IMG. I had such a list somewhere and will see whether I can find it again. In fact I remember seeing that a DISPLAY SPRO role could be downloaded, but I can't remember where that was. Perhaps SAP should make something like that available as a standard role?

For disclosure: I have never built such a module based role for SPRO nor tried to motivate someone else to do it. In my opinion it is much easier to train someone and motivate them to be responsible while having more information about the system than just their little corner of it, and then be a bit pick-and-choosy about who you give SPRO access to.

Auditors might not always like it, but if you point out a few deficiencies in their audit programs then they usually back off in confusion.
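
The point above about S_TABU_DIS and S_TABU_CLI, as an added example that is not part of the original post: a Python check over rows exported from table AGR_1251 (role authorization values) that flags roles granting change access to every table authorization group, or cross-client table maintenance. The role names, authorization names and sample rows are constructed, and having the export available as tuples in this column order is an assumption.

```python
from collections import defaultdict

# Constructed sample rows in AGR_1251 column order:
# (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH). Role and auth names are hypothetical.
SAMPLE_ROWS = [
    ("ZSD_CUSTOMIZE", "S_TABU_DIS", "T-SD00100", "ACTVT", "02", ""),
    ("ZSD_CUSTOMIZE", "S_TABU_DIS", "T-SD00100", "ACTVT", "03", ""),
    ("ZSD_CUSTOMIZE", "S_TABU_DIS", "T-SD00100", "DICBERCLS", "V*", ""),
    ("ZSD_CUSTOMIZE", "S_TABU_DIS", "T-SD00101", "ACTVT", "03", ""),
    ("ZSD_CUSTOMIZE", "S_TABU_DIS", "T-SD00101", "DICBERCLS", "*", ""),
    ("ZCONFIG_ALL", "S_TABU_DIS", "T-CF00100", "ACTVT", "01", "03"),
    ("ZCONFIG_ALL", "S_TABU_DIS", "T-CF00100", "DICBERCLS", "*", ""),
    ("ZCONFIG_ALL", "S_TABU_CLI", "T-CF00200", "CLIIDMAINT", "X", ""),
]

def covers(low, high, value):
    """True if one LOW/HIGH entry grants `value` (wildcard, range or exact)."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value

def grants(fields, field, value):
    """True if any entry stored for `field` in this authorization grants `value`."""
    return any(covers(lo, hi, value) for lo, hi in fields.get(field, []))

def find_broad_table_access(rows):
    """Return sorted (role, auth, reason) findings."""
    # Field values only combine within one authorization instance (AUTH),
    # so group by (role, object, auth) before evaluating.
    auths = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        auths[(role, obj, auth)][field].append((low, high))
    findings = []
    for (role, obj, auth), fields in auths.items():
        if obj == "S_TABU_DIS":
            all_groups = any(lo == "*" for lo, _ in fields.get("DICBERCLS", []))
            if all_groups and grants(fields, "ACTVT", "02"):  # 02 = change
                findings.append((role, auth, "change on all table groups"))
        elif obj == "S_TABU_CLI" and grants(fields, "CLIIDMAINT", "X"):
            findings.append((role, auth, "cross-client table maintenance"))
    return sorted(findings)
```

Display-only access to all groups (T-SD00101) and change access limited to a group prefix (T-SD00100) are not reported; only the constructed ZCONFIG_ALL role is.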

Former Member
0 Kudos
143

Hi Julius,

CUS_ACTOBJ and CUS_ACTH are the tables you wanted to mention.

And this is the code to pull all IMG related transactions.

This code was mentioned by John. I don't remember his full name.

    REPORT ZLOADIMGTCODE .

    " IMG activity tables (source of the tcodes) and the role menu tcode table
    tables: cus_actobj, agr_tcodes, cus_acth.

    data: ica    like cus_actobj occurs 1000 with header line,
          icah   like cus_acth   occurs 1000 with header line,
          iagrtc like agr_tcodes occurs 4000 with header line.

    " Client in which the role entries are written
    Parameters: p_mandt like sy-mandt.

    Start-of-selection.

    " Collect the distinct tcodes from both IMG activity tables
      select * from cus_actobj into table ica.
      sort ica by tcode.
      delete adjacent duplicates from ica comparing tcode.

      Select * from cus_acth into table icah.
      Sort icah by tcode.
      delete adjacent duplicates from icah comparing tcode.

    " Fixed part of every AGR_TCODES row: target role, entry type, client
      iagrtc-agr_name = 'S:CONFIG_ALL'.
      iagrtc-TYPE = 'TR'.
      iagrtc-direct = 'X'.
      iagrtc-mandt = p_mandt.

      loop at ica.
        iagrtc-tcode = ica-tcode.
        append iagrtc.
      endloop.

      Loop at icah.
        iagrtc-tcode = icah-tcode.
        append iagrtc.
      Endloop.

    " SPRO itself gives access to the IMG tree
      iagrtc-tcode = 'SPRO'.
      append iagrtc.

      Sort iagrtc by tcode.
      delete adjacent duplicates from iagrtc comparing tcode.

    " Writes the rows directly into AGR_TCODES for the given client
      modify agr_tcodes client specified from table iagrtc.

0 Kudos
143
delete adjacent duplicates from iagrtc comparing tcode. 

Yes, that looks somehow familiar

Cheers and thanks,

Julius

Former Member
0 Kudos
143

Hi Usman,

Your requirement is to create a New Customization Role for SD.

Here goes the procedure to create an SD Customization Role:

Step 1 : PFCG - Create a Role (say ZSDCustomize)

Step 2 : You will not find anything in your Menu now

Step 3 : Click on Utilities -> Customizing auth.

Step 4 : System will prompt a Message 'Customising Authorizations' , here you click on ADD Button & Insert the Customizing activities.

Step 5 : click on IMG Project & choose SD from the List & press the tick mark.

Step 6 : Now this will Pull all the Authorizations related to SD Customizing.

Step 7 : Click on Authorizations tab & fill the appropriate values & Generate it.

Step 8 : Finally assign the role to the user

Step 9 : Do not forget to do User Comparison.

Step 10 : Request the user to log out from SAP & log in again for the changes to activate.

I hope this will help you!

Thanks & Regards

Zahed Ali

Dubai