Hi,
This document explains how to use SAP_ALL without SPRO. For this process we must first copy the 'SAP_ALL' profile; do not change anything in the default 'SAP_ALL' profile.
So first we copy 'SAP_ALL' to 'Z_COPY_SAPALL'.
In outline: after the copy, save the values, generate the profile and add the role to the users.
To copy a profile, first go to the transaction PFCG.
Type a role name and create it using 'Single Role'.
After the 'Menu' tab, click on the 'Authorization' tab.
First click on the 'Propose Profile Name' icon. It proposes a profile name for the role.
Then click on the 'Expert Mode for Profile Generation' icon (marked as 2 in the figure).
In the window that opens, go to 'Edit -> Insert Authorization -> From Profile'.
Choose Yes.
The copy of the 'SAP_ALL' profile to 'Z_COPY_SAPALL' is now complete.
We have to 'Generate' the profile for the new role (Z_COPY_SAPALL).
Next, disable 'SPRO': find the authorization object 'S_TCODE'.
This shows the authorization object values; click on the pencil.
Add the object values as shown in the figure above:
A* - SPRN*
SPRP* - Z*
Save the values.
When you try to access the tcode 'SPRO', it shows the above message, which means the process completed successfully.
After assigning this role, if any authorization is missing, find it through 'SU53' and add the values to the role.
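To check which transaction codes the two S_TCODE ranges above actually leave out, and to build the same pair of ranges around another transaction code, here is an added example (not part of the original post, and not SAP code). It assumes a simplified matching model: a trailing '*' on the lower bound means "from this prefix upward", and on the upper bound "up to and including everything that starts with this prefix"; the function names are hypothetical.

```python
# Added example: simplified model of S_TCODE "from - to" ranges.
# Assumption: plain string comparison with trailing-'*' prefixes;
# this is not SAP's own authorization check.

ROLE_RANGES = [("A*", "SPRN*"), ("SPRP*", "Z*")]  # values from the post


def in_range(tcode, low, high):
    """Return True if tcode falls inside one from-to range."""
    tcode = tcode.upper()
    low_p, high_p = low.rstrip("*"), high.rstrip("*")
    if tcode < low_p:
        return False
    if high.endswith("*"):
        # Upper bound with '*' also covers every value sharing its prefix.
        return tcode < high_p or tcode.startswith(high_p)
    return tcode <= high_p


def allowed(tcode, ranges=ROLE_RANGES):
    """Return True if any range of the role covers the transaction code."""
    return any(in_range(tcode, lo, hi) for lo, hi in ranges)


def ranges_excluding(tcode):
    """Build the two ranges that leave a gap around one transaction code."""
    tcode = tcode.upper()
    prefix, last = tcode[:-1], tcode[-1]
    # Only handle a last character with a neighbour on both sides.
    if not (last in "12345678" or "B" <= last <= "Y"):
        raise ValueError("last character not handled in this simplified sketch")
    below = prefix + chr(ord(last) - 1) + "*"
    above = prefix + chr(ord(last) + 1) + "*"
    return [("A*", below), (above, "Z*")]


if __name__ == "__main__":
    for code in ("SPRO", "SPRO_ADMIN", "SM30", "SU53", "PFCG"):
        print(code, "allowed" if allowed(code) else "blocked")
    print(ranges_excluding("SE16"))
```

Everything that starts with the excluded code falls into the gap as well, while transaction codes outside the gap, such as SM30, remain covered by the ranges.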
User may not be able to access the SPRO transaction, but he will be allowed to open all config transaction codes directly with full access. Most of the users use direct transaction codes instead of choosing the way through SPRO.
If you really want to block SPRO access you should disable change permission in SM30 View.
Hi Hims,
Sometimes the SAP_ALL profile may be added to some people, so at that time SPRO disabling is a better option so it does not affect the configurations; not only SPRO, we can disable any specific tcode from SAP_ALL, any other role, any other copy of an SAP standard role...
Really good info. It helps.
Thank you very much for publishing.
How can I get this one ( A* - SPRN* ) for other tcodes?