This blog contains experience gained over the years of implementing (and de-implementing) large scale IT applications/software.

SAP_ALL modified role

Have you got an SAP development system where the developers insist they must have SAP_ALL, even though you know that is just wrong?

Here is a neat compromise: a copy of SAP_ALL with the dangerous administrative pieces taken out, such as user administration in SU01, changing the audit configuration (SM19) and RFC destination administration (SM59). The developers keep everything they need to develop; they lose the ability to give themselves (or anyone else) more.

Using transaction PFCG, create a new single role.
Add a description and save the role.
On the Authorizations tab, accept (or enter) a profile name and then choose "Change Authorization Data".
Do not select any templates on the popup that follows.
From the "Authorizations" screen, select "Edit -> Insert Authorization(s) -> From profile...".
On the popup, enter profile "SAP_ALL". The role now contains every authorization of SAP_ALL as manually maintained authorizations, which you can cut down.

Now adjust the profile as required.
I usually adjust the following authorisation objects:

S_ADMI_FCD – BTCH, FONT, SM21, SP01
S_OSS1_CTL – 16
S_USER_AGR – 03, 08
S_USER_AUT – 03, 08
S_USER_GRP – 03, 08
S_USER_OBJ – [NO AUTH]
S_USER_PRO – 03, 08
S_USER_SAS – [NO AUTH]
S_USER_SYS – 03
S_XMB_ACT – [DEPENDS ON USAGE OF XI/PI]
S_TRANSPRT – [CREATE TASKS, SEPARATE ROLE FOR CREATE TRANSPORTS]
S_IDOCPART – 03
S_IDOCPORT – 03
S_SCD0 – 08, 12

You can then save the authorization data, generate the profile and assign the role to the developers.

Two caveats. First, this is a copy: the role does not follow SAP_ALL when new authorization objects arrive with upgrades or SU21 changes, so it has to be maintained. Second, the objects above remove user, role and audit administration, but the role still carries the full development objects (S_DEVELOP, S_TABU_DIS, S_RFC and so on), and a developer with debugging with replace (S_DEVELOP, object type DEBUG, activity 02) can change field values at runtime, including the result of an AUTHORITY-CHECK. Treat the role as a way to stop routine misuse in a development system, not as protection against a determined developer.

SAP Users With Roles Not Assigned via Composite Roles

Have you ever needed to list SAP roles that are assigned to user accounts, but show only the single roles that are directly assigned (not single roles inherited through composite roles)?

Here's how you can do it:
Using SE16, read table AGR_USERS with field COL_FLAG = ' ' (blank). COL_FLAG is set to 'X' on the rows that a user gets because a composite role contains the single role; a blank value means the assignment was made directly. Note that a directly assigned composite role also appears with a blank COL_FLAG, so to keep only single roles, drop any AGR_NAME that appears as a parent in table AGR_AGRS (the composite-to-single role link table).

Relate the result to table USR02 via UNAME = BNAME to decide whether the user account is still valid: UFLAG gives the lock status (0 = not locked, 32 = locked by the CUA central administrator, 64 = locked by an administrator, 128 = locked after too many failed logons), GLTGB is the end of the validity period and TRDAT is the date of the last logon. A user with role assignments but no USR02 row has been deleted.

I've also discovered this can be done in transaction S_BCE_68001394 (Users by User ID). You just input * into the user ID field, execute the report and then sort the two columns for "Direct Assignment" and "Role Type". This will give you the single roles assigned directly.
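The SE16 lookup above written as a small ABAP report, as an added example that is not code from the original post. The report name ZSEC_DIRECT_SINGLE_ROLES and its two-field selection screen are assumptions; the tables and fields (AGR_USERS, AGR_AGRS, USR02) are the standard SAP ones. It goes slightly beyond the text by also excluding directly assigned composite roles themselves, which carry a blank COL_FLAG just like directly assigned single roles, and by keeping assignments whose user record has been deleted.

```abap
REPORT zsec_direct_single_roles.

" Added example: single roles directly assigned to users (AGR_USERS-COL_FLAG
" blank), without the composite roles themselves (parents in AGR_AGRS),
" joined to USR02 to show whether the account is locked, expired, deleted
" or has never logged on. Report name and selection screen are assumptions.

TABLES agr_users.

SELECT-OPTIONS: s_uname FOR agr_users-uname,
                s_role  FOR agr_users-agr_name.

TYPES: BEGIN OF ty_row,
         uname    TYPE agr_users-uname,
         agr_name TYPE agr_users-agr_name,
         to_dat   TYPE agr_users-to_dat,   " end of the assignment's validity
         bname    TYPE usr02-bname,        " initial when the user was deleted
         uflag    TYPE usr02-uflag,        " lock status bitmask
         ustyp    TYPE usr02-ustyp,        " A dialog, B system, C communication ...
         gltgb    TYPE usr02-gltgb,        " end of the user's validity period
         trdat    TYPE usr02-trdat,        " last logon date
       END OF ty_row.

DATA lt_rows TYPE STANDARD TABLE OF ty_row WITH EMPTY KEY.

" LEFT OUTER JOIN keeps assignments whose user record no longer exists.
SELECT au~uname, au~agr_name, au~to_dat,
       u~bname, u~uflag, u~ustyp, u~gltgb, u~trdat
  FROM agr_users AS au
  LEFT OUTER JOIN usr02 AS u ON u~bname = au~uname
  WHERE au~uname    IN @s_uname
    AND au~agr_name IN @s_role
    AND au~col_flag  = @space          " blank = direct, 'X' = via composite role
    AND NOT EXISTS ( SELECT agr_name FROM agr_agrs
                       WHERE agr_name = au~agr_name )   " not a composite role
  ORDER BY au~uname, au~agr_name
  INTO CORRESPONDING FIELDS OF TABLE @lt_rows.

" Classify each assignment; UFLAG values are the standard lock reasons.
LOOP AT lt_rows ASSIGNING FIELD-SYMBOL(<row>).
  DATA(lv_status) = COND string(
    WHEN <row>-bname IS INITIAL       THEN 'USER DELETED'
    WHEN <row>-uflag = 64             THEN 'LOCKED (administrator)'
    WHEN <row>-uflag = 128            THEN 'LOCKED (failed logons)'
    WHEN <row>-uflag = 32             THEN 'LOCKED (CUA)'
    WHEN <row>-uflag <> 0             THEN |LOCKED (UFLAG { <row>-uflag })|
    WHEN <row>-gltgb IS NOT INITIAL
     AND <row>-gltgb < sy-datum       THEN 'USER EXPIRED'
    WHEN <row>-to_dat < sy-datum      THEN 'ASSIGNMENT EXPIRED'
    WHEN <row>-trdat IS INITIAL       THEN 'NEVER LOGGED ON'
    ELSE 'ACTIVE' ).
  WRITE: / <row>-uname, <row>-agr_name, <row>-ustyp, <row>-trdat, lv_status.
ENDLOOP.
```

Run it with the user range left open to get the same list the SE16 steps produce; anything flagged USER DELETED, LOCKED or EXPIRED is an assignment you can usually clean up, and a directly assigned single role on an ACTIVE dialog user is the kind of assignment that should really be coming through a composite role.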