In some situations it might be useful to have a role or profile that only allows the data display.
It is available in SAP something that could answer this request? Is there a SAP_ALL profile for each SAP application component?
Why would you need that?
It could be useful, for example in these situations, not necessarily in production environment.
- System analysis by external users, continuous or sporadic.
- Roles for external consultants who must carry out continuous support
- In these cases it is useful to think also about SAP Field Masking or
- Emergency Access Management solutions (see the product SAP GRC), in the case of having to carry out modification activities in the production environment as verification result
- Access for auditors or audit. Although in this case it isn't recommended to release such wide accesses. Usually ad hoc roles are built with only the transactions necessary to perform the auditor or internal audit role.
In this case the role in visualization only would have to allow the access to all the functionalities of SAP (potentially to all transactions) but with read-only feature.
This kind of role should therefore be assigned on a case-by-case basis and not in addition to other operational roles, this could extend the authorizations already present to the user.
Did it exist in the past?
Yes, in the past, there was a profile allowing read-only access to SAP.
Through the note OSS "1752430 SAP_ALL_DISPLAY role does not exist anymore" (or more recent 2988529 - Does a SAP_ALL "display-only" role exist?), currently no longer available in OSS this profile has been removed. See also OSS "2988529 - SAP ALL DISPLAY"
No explanations are given but probably the complexity of the system, to ensure that this profile is actually display-only, the latest regulations, for example GDPR, for personal data protection, have led to this decision.
Now how could you do that?
The simplest solution is to, starting from the SAP_ALL profile, modify all the authorizations so that they are in display only.
Once inside a role (tab Authorization) is possible to select the profile SAP_ALL as template.
Doing so all SAP_ALL profile permissions will be inserted in ZSAP_ALL_DISPLAY role.
Now all that remains is to go into every authorization object and:
- In the activity field (ACTVT) insert only display tasks, you can check what the display-only activities are also through the table TACT (Activities which can be Protected). Attention, is not immediate, you will need to customize, depending on the SAP release, from 2500 to almost 3000 objects. The authorization objects that contain the field activities are in fact so many.
- Objects that do not have ACTVT field should be deactivated
Focus Points
Unfortunately it is not that simple, although the above may be laborious, it is possible. There are, in fact, some special cases that need to be handled and treated properly. Some of these are the following.
- There are not only objects with the ACTVT activity field , there are some similar fields which are not exactly called ACTVT. Searching through the SU20 transaction (list of authorized fields defined by system) with *ACT* string the result is that 190 fields (the number can change depending on release) could be similar to ACTVT field, these must also be managed
- Not all fields containing the concept of SAP activity may be similar to ACTVT or similar. For example, within the HR module, taking the object P_ORGIN, the field that governs the activity of the object is the AUTHC where the possible values are:
- R Read
- M Match Code
- W Write
- E,S, and * for the other activities
- Another case, for the financial, is the object F_REGU_BUK - Automatic Payment: Activity Authorization for Company Codes, in this instance through the field FBTCH is possible to define if the payment (F110 transaction) shall only be displayed, either proposed or actual. The possible values are as follows:
- Attention to custom, may not have sufficient authorization controls
- Standard SAP bugs cannot be excluded, bugs that allow even in display only access in operating mode
Is it possible to generate a SAP_ALL per SAP module?
Even if we are not talking about a display only role, yes, it is possible. Through the program REGENERATE_SAP_APP. See also OSS note 1703299 - Generation of SAP_APP.
You could choose whether to exclude BASIS and HR or other objects. The result will be the profile or the SAP_ALL role for the selected application component.
Blog post originally translated from: https://www.aglea.com/blog/sap_all-in-sola-visualizzazione-esiste