April 30, 2014

If you've worked within SAP Security for a while, chances are that at some point a request may have been brought up for "Display Only" access within one of your systems. This may have been requested by auditors, configurators, consultants, or even a really "needy" end user. Whatever the reason may be for it, you may have pondered how best to create such a role. In the following post, I will go over the process that has worked best for me in my current environment in order to tackle this particular request. This is by no means the only way to perform this, nor is it necessarily the "best" way. It is merely what I've found to work, and what I prefer.

I. Create a Security Role copied from the SAP_ALL Profile
The first thing you'll need to do is to create a new Single Role with its Authorization Profile copied from the SAP_ALL profile. This will add most, if not all, Authorization Objects into the role. The steps to perform this task are:

1. Using transaction code PFCG, create a new Single Role. For mine, I used the name ZS_DISPLAY_ALL_AUTHS.
2. Click the Authorizations tab, selecting "Yes" to save the role first.
3. From the Authorizations tab, click the "change Authorization Data" button. If you see an informational note, just click the green check-mark to continue.
4. As you haven't added any Transaction Codes to the role, the system should now be prompting you to select a template for the role. For this, you will need to select the SAP_ALL template, and then click the "Adopt reference" button.

Make sure to select the SAP_ALL profile as your template for this role.

5. If you are prompted to insert all authorizations, click "Yes." This may take a few minutes, and will be followed by another prompt. As before, just click the green check-mark to continue.

II. Modify the Security Role to have only Display permissions
Once you have imported the SAP_ALL template into your role, you will need to make some modifications to it in order to ensure that it provides display only access. As the SAP_ALL profile provides near-complete access to an SAP system, this is an imperative task to perform. Unfortunately, it can also be quite time consuming.

1. First, you will need to click on the Organization Levels button in order to edit what Org. Levels are defined within this role.
2. Click on the "Full authorization" button and then save your changes.

As this Security role is for Display All access, you will need to apply full authorizations for the defined Org. Levels.

3. Next, drill-down into the Cross-application Authorization Objects (AAAB) Object Class until you find the Authorization Object S_TCODE. Expand this Authorization Object.
As you can see, the S_TCODE Authorization Object has a value of *. This allows for ALL transaction codes to be ran.

4. From the expanded view of S_TCODE you will need to click the Deactivate button (red minus symbol) to deactivate this Authorization Object, and then click the Delete button (trash can) in order to delete S_TCODE from this role. If you are prompted for the deletion, click "Yes" to continue.

After you have ensured that S_TCODE has been deactivated in the role, you can delete it.

5. Once the S_TCODE Authorization Object has been removed, you will need to manually go through each Authorization Object in the role and change the ACTVT values to reflect the display only design of this role. This can take quite a while, and it is highly recommended to save frequently as you work. When you are finished, ensure that the Profile is generated and you can begin the next step.

This is an example of what you will need to perform against the vast majority of Authorization Objects in this role.

III. Create a Security Role with the desired Transaction Codes
After you have modified the Display All Authorizations role to no longer have any Create, Change, Modify, etc. permissions within it, you will be able to create separate Security Roles that only provide access to the Transaction Codes that your user(s) need Display All permissions to. Remember the S_TCODE Authorization Object we removed earlier from the other role? We are going to use it within these roles. The following is an example as to how to create one of these "transaction only" roles.

1. Create a new Single Role, providing it with a descriptive name. In this example, I will use the name ZS_DISPLAY_ALL_BASIS.
2. Just as how you would create a typical SAP Security Role, you will need to assign the desired Transaction Codes that you want to provide display access to.
In this example, I am adding some SAP BASIS transaction codes.

3. Just as before, you will need to click on the Authorization tab and then click the "change Authorization Data" button. Again, if you see an informational note, just click the green check-mark to continue.
4. Just as how you deactivated, and then deleted, the S_TCODE Authorization Object in the previous steps, you will need to do this for every Authorization Object except for S_TCODE.
When you have removed all of the other Authorization Objects, this is what should remain.

5. Now you can generate your role's profile, and save it.

Using this process, you should now have a Single Role that contains the vast majority of Authorization Objects within SAP, with the exception of S_TCODE. These Authorization Objects should also all be configured to provide Display permissions, without any form of Create, Change, Modify, etc. You will also have another Single Role that does the opposite by containing only the S_TCODE Authorization Object, with the assigned transaction codes in-place. This role, however, provides no additional permissions.

When you assign both of these Security Roles to an end user, the system will determine what transaction codes they can run via one role, and will determine their level of access (display, if everything was configured correctly) via the other role. Using this methodology allows you to more quickly create Display Only roles, as you will only ever have to create a Single Role containing the necessary transaction codes (remembering to always remove the excess Authorization Objects from the role). After creating the role containing S_TCODE, you can just assign this new role and the previously created ZS_DISPLAY_ALL_AUTHS role.
Subscribe to RSS Feed Follow me on Twitter!