
Best practices using SAP_ALL for implementations

step158
Discoverer

Hi there, 

I am currently leading the end-to-end implementation of the embedded EWM module. As we approach the cutover phase in the client’s production environment, I have requested broad access permissions to perform certain client-specific technical activities. These activities often involve complex object configurations that do not follow the typical transport order process. Given these requirements, I believe it is necessary to have a temporary, consultant-level user role with SAP_ALL access. However, the client has raised concerns about audit compliance and is hesitant to grant this access.

Is there any official documentation or best practice guideline available that supports the need for extended permissions during critical implementation phases? This would help the client understand the necessity of SAP_ALL for certain technical tasks during cutover and allow us to proceed effectively.

Thanks in advance

 

 

DominikTylczyn
Active Contributor

Hello @step158 

The best practice is to never grant SAP_ALL in production, to no one, under no circumstances, no excuses! Sorry, the customer is right.

I don't understand what kind of "complex object configurations that do not follow the typical transport order process" you need to do with SAP_ALL in production. If they are really so complex and are not transportable, then it means your productive system won't be aligned with your test environment. Therefore you won't be able to test reliably. Something is not right here big time.

Best regards

Dominik Tylczynski

Ryan-Crosby
Active Contributor
Sandra_Rossi
Active Contributor

2548064 - How to use profile SAP_NEW, role SAP_NEW, and profile SAP_ALL - SAP for Me

Authorization Profile SAP_ALL | SAP Help Portal (Home > SAP NetWeaver Application Server for ABAP 7.52 > User and Role Administration of Application Server ABAP > Reference Documentation for User and Role Administration > Special Authorizations Requiring Protective Measures > Authorization Profile SAP_ALL)

Etc.

step158
Discoverer

Hi Dominik,

This would be for technical activities, specific to the client, that involve the implementation of the S/4HANA embedded EWM module. And there are activities such as:
Creating RFC Destination
RFC Assignment for calls from EWM
Generating distribution model for data transfer transaction to SAP EWM (EWM-S/4 Integration)
Enabling access for RFC communication in Internet Communication Framework (ICF) interfaces

DominikTylczyn
Active Contributor

@step158 I'm positive you can do all those settings without SAP_ALL but with proper basis authorizations. I'm not an authorization expert, so I can't advise exact roles/profiles. However, I've seen EWM deployments done without SAP_ALL.

Mature and security-aware organizations use the firefighter ID concept to temporarily grant elevated privileges in production environments.