3 weeks ago
Hi there,
I am currently leading the end-to-end implementation of the embedded EWM module. As we approach the cutover phase in the client’s production environment, I have requested broad access permissions to perform certain client-specific technical activities. These activities often involve complex object configurations that do not follow the typical transport order process. Given these requirements, I believe it is necessary to have a temporary, consultant-level user role with SAP_ALL access. However, the client has raised concerns about audit compliance and is hesitant to grant this access.
Is there any official documentation or best practice guideline available that supports the need for extended permissions during critical implementation phases? This would help the client understand the necessity of SAP_ALL for certain technical tasks during cutover and allow us to proceed effectively
Thanks in advance
Request clarification before answering.
Hello @step158
The best practice is to never grant SAP_ALL in production, to no one, under no circumstances, no excuses! Sorry, the customer is right.
I don't understand what kind of "complex object configurations that do not follow the typical transport order process" you need to do with SAP_ALL in production. If they are really so complex and are not transportable, then it means your productive system won't be aligned with your test environment. Therefore you won't be able to test reliably. Something is not right here big time.
Best regards
Dominik Tylczynski
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
2548064 - How to use profile SAP_NEW, role SAP_NEW, and profile SAP_ALL - SAP for Me
Authorization Profile SAP_ALL | SAP Help Portal (Home > SAP NetWeaver Application Server for ABAP 7.52 > User and Role Administration of Application Server ABAP > Reference Documentation for User and Role Administration > Special Authorizations Requiring Protective Measures > Authorization Profile SAP_ALL)
Etc.
Hi Dominik,
This would be for technical activities, specific to the client, that involve the implementation of the S/4HANA embedded EWM module. And there are activities such as:
Creating RFC Destination
RFC Assignment for calls from EWM
Generating distribution model for data transfer transaction to SAP EWM (EWM-S/4 Integration)
Enabling access for RFC communication in Internet Communication Framework (ICF) interfaces
@step158 I'm positive you can do all those settings without SAP_ALL but with proper basis authorizations. I'm not authorization expert so I can't advise exact roles/profiles. However, I've seen EWM deployments done without SAP_ALL.
Mature and security aware organizations use firefighter id concept to temporarily grant elevated privileges in production environments.
User | Count |
---|---|
78 | |
29 | |
9 | |
7 | |
7 | |
7 | |
6 | |
6 | |
5 | |
5 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.