Question:
We have an internal request to create a role that has access to all display and report transactions. Is there a pre-built role or profile as such? Is there a comprehensive display/report transaction listing?
Any advise is appreciated.
_________________
Regards,
Scott
Answer:
Offcourse there is not such a thing as it is an illegal request that we see often.
From a functional point of view there is NEVER a sound reason for anyoine having such an access, the people who have enough power to have this request honored, have no clue what the should do with all the info available.
People who request such a thing demonstrate that they do not understnd anything about what SAP is meant for!!!!
Answer:
It's hardly an illegal request... Sometimes it can be required. For example Auditors could require something like that. But there are no ready made roles for this, as far as I'm aware.
Answer:
The purpose behind the request is for Development review. We live in a validated environment and only grant access to transactions that have been tested and documented. We need to provide our users an environment where they can explore all data reports prior to introducing these transactions in our live environment.
We have just gone live. Our users are still trying to find the best sources of data to meet their needs.
_________________
Regards,
Scott
Answer:
about the worst argument i have ever heard for this access. Especially your Users should ONLY get access to SAP through the tested roles. As it is not a technical thing it is about processes as they have been designed during the implementation. No user should be allowed to see or work with any transaction that is not in scope of the process design!!
Next to teh principal argument aforementioned it is even dangerous, as there are processes in SAP that can be perofrmed with different TRX and dependent on teh TRX chosen differbnet tables are being used, so allowing to see all can result in incomplete information as the tables accessed might not contain all the information requested.
This is why an implementation is allways a good team up between business and SAP technical consultants.
Henrik the same arguments go for Auditors, they should know what they do, so can provide you with a list of TRX(reports) they need/want to see. Allowing them to see all might lead to wrong conclusions as aforementioned.
Auditors who are not able to provide you with that list obviously do not know what they do and thus should not be trusted
Answer:
Auke, I will respectfully disagree with you on that one... Why would too much access make an auditor make wrong conclusions? I have been on both sides, and you never know where the audit will take you. You might find something that looks odd, and want to drill deeper into it. So you can ask for display_all up front, or sit around and wait for the proper access to be approved, build, tested, transported, assigned. And in a regulated environment that can easily be two to three days...
I do agree that all users have only the access they need. They should not go exploring, as they might find something they think is fantastic, but in real life it will give wrong results as the particular area has not been configured...
Answer:
In answer to the original question ....
There is no such role delivered by SAP. You have to build one yourself.
My reccomendadtion is that instead of building one display-all role, you build them by functional area. e.g. SD_Display_all, FI_display_All, etc.
This way, if someone needs everything, you give all the roles, but someone only needs, say, FI access, but not HR, you just give the FI role.
_________________
To err is human - to really foul things up, you need security access.