This blog contains experience gained over the years of implementing (and de-implementing) large scale IT applications/software.

SAP_ALL modified role

Have you got an SAP development system where the developers insist they have SAP_ALL, but you know this is just wrong?

Well, here’s a neat solution that removes certain authorisations, such as user admin in SU01, adjusting auditing (SM19), RFC admin (SM59), etc.

Using transaction PFCG, create a new single role.
Add a description and save the role.
On the Authorisations tab, generate a new profile and then edit the authorisations via “Change Authorization Data”.
Do not select any Templates.
From the “Authorizations” screen, select “Edit -> Insert Authorization(s) -> from profile…”.
On the popup, enter profile “SAP_ALL”.

Now adjust the profile as required.
I usually adjust the following authorisation objects:

S_ADMI_FCD – BTCH, FONT, SM21, SP01
S_OSS1_CTL – 16
S_USER_AGR – 03, 08
S_USER_AUT – 03, 08
S_USER_GRP – 03, 08
S_USER_OBJ – [NO AUTH]
S_USER_PRO – 03, 08
S_USER_SAS – [NO AUTH]
S_USER_SYS – 03
S_XMB_ACT – [DEPENDS ON USAGE OF XI/PI]
S_TRANSPRT – [CREATE TASKS, SEPARATE ROLE FOR CREATE TRANSPORTS]
S_IDOCPART – 03
S_IDOCPORT – 03
S_SCD0 – 08, 12

You can then save and assign the role to the developers.
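
One way to check the saved role against the list above before assigning it, as an added example that is not part of the original post. It assumes a semicolon-separated export of table AGR_1251 with the columns OBJECT, FIELD, LOW, HIGH and DELETED, and that the listed values apply to the ACTVT field (for S_ADMI_FCD, the field of the same name); `ALLOWED`, `SAMPLE_EXPORT` and `audit_role` are names made up for this sketch.

```python
import csv
import io

# Permitted values per object, copied from the list in this post.
# An empty set means the object should carry no authorisation at all.
# S_XMB_ACT and S_TRANSPRT are left out: the post gives no fixed values.
ALLOWED = {
    "S_ADMI_FCD": {"BTCH", "FONT", "SM21", "SP01"},
    "S_OSS1_CTL": {"16"},
    "S_USER_AGR": {"03", "08"}, "S_USER_AUT": {"03", "08"},
    "S_USER_GRP": {"03", "08"}, "S_USER_PRO": {"03", "08"},
    "S_USER_OBJ": set(), "S_USER_SAS": set(),
    "S_USER_SYS": {"03"},
    "S_IDOCPART": {"03"}, "S_IDOCPORT": {"03"},
    "S_SCD0": {"08", "12"},
}

# Constructed sample rows, not taken from a real system.
SAMPLE_EXPORT = """OBJECT;FIELD;LOW;HIGH;DELETED
S_USER_GRP;ACTVT;03;;
S_USER_GRP;CLASS;*;;
S_USER_AGR;ACTVT;*;;
S_USER_OBJ;ACTVT;03;;
S_ADMI_FCD;S_ADMI_FCD;SM21;;
S_ADMI_FCD;S_ADMI_FCD;AUDA;;
S_SCD0;ACTVT;06;12;
S_USER_SYS;ACTVT;78;;X
"""

def audit_role(export_text):
    """Return sorted (object, field, value) rows that exceed ALLOWED."""
    findings = set()
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        obj, field = row["OBJECT"], row["FIELD"]
        if obj not in ALLOWED or row["DELETED"] == "X":
            continue  # unrestricted object, or inactive authorisation
        if field not in ("ACTVT", obj):
            continue  # only the activity / function-code field is limited
        low, high = row["LOW"].strip(), row["HIGH"].strip()
        if not low:
            continue  # an empty value grants nothing
        # Wildcards and ranges can cover values outside the list: flag them.
        if "*" in low or high or low not in ALLOWED[obj]:
            findings.add((obj, field, f"{low}-{high}" if high else low))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_EXPORT):
        print("exceeds allowed values:", *finding)
```

A leftover `*` from the SAP_ALL import is the usual finding; an empty result means every restricted object in the export stays within the listed values.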