Tuesday 12 July 2016

SAP_ALL profile without SPRO

Hi,

This document contain "How to Use SAP_ALL without SPRO", For this process we must copy the 'SAP_ALL' profile first don't do anything in the default 'SAP_ALL' profile.

So First we copy 'SAP_ALL' to 'Z_COPY_SAPLL'

For coping a profile, first goto the transaction PFCG 

                                      

Type a Role name and create it using 'Single Role'                                                                                  

                                      

After menu tab, click on the 'Authorization' tab,                                                                                      
First click on 'Propose Profile Name' icon. It gave the 'Role' to profile name.                                          
Then click on 'Expert Mode for Profile Generation' icon (Mark on figure as 2)                                   
                          

                                     

In opened windows, Goto to 'Edit------> Insert Authorization------> From Profile                                    
                                     

Chose Yes                                                                                                                                                  


                                     

The 'SAP_ALL' profile copied to the 'Z_COPY_SAPALL' is completed.                                                  
                                       
We have to 'Generate'  the profile for the New Role (Z_COPY_SAPALL)                                                                
                                       

Next  disable the "SPRO", so find the Authorization Object 'S_TCODE'                                                    

                                       

It results the authorization object values, Click on the Pencil                                                                     

                                       

Added the 'object values as shown in above figure,                                                                                    
 A* - SPRN* 
SPRP* - Z* 

Save the values.

                                       

 After save the values must Generate the Profile and add the 'Role' to the users.

                                     

When try to access he Tcode 'SPRO' shows the above massage,It means the process completed             successfully.                                                                                                                                                    
After assign this role is any authorization is missing, please find through 'SU53' and add the values of  the Role .                                                                                                                                                      

  



Share this

4 Responses to "SAP_ALL profile without SPRO"

  1. User may not able to access SPRO transaction but he will be allowed to open all Config Transaction Code directly with full access. Most of the user use direct transaction code instead of choosing way through SPRO.
    If you really want to block SPRO access you should disable change permission in SM30 View.

    ReplyDelete
    Replies
    1. Hi Hims,

      Some time SAP_ALL profile may be added to some people so that time SPRO disabling is a better option so it does not affect the Configurations, not only SPRO we can disable any Specific Tcode from SAP_ALL, any other Role, Any other Copy of SAP stranded Role...

      Delete
  2. Really good info. Its help.
    Thank you very much for publishing.

    ReplyDelete
  3. How can I get this one ( A* - SPRN* ) for other tcode's

    ReplyDelete