Question:
Hi,
I'm looking for best practices and examples of profiles for customizing. Only thing is, it can't be SAP_ALL. and i'd like to exclude system administration and client administration from the authorizations.
Tips? tricks?
Thnx for any help.
Answer:
You will have to create an IMG role. You can do this in PFCG after you set up a project in the IMG(SPRO) create ONE rIMG role with the Basis and Security stuff removed ( look att he objects not tcodes). If you do no give the configureres all the IMG access they will find the wrong way to configure the system.
Search thsi site for a program to load all the IMG tcodes into a role if you want to speed the process.
Answer:
This is the best way to do that.
1. create a copy of SAP_all
2. selectively remove all basis and security authority (except for view mode
3. restrict S_TABU_DIS so they can't maintain tables in authorization group SS
4. make selected other restrictions based on your experience and good consulting advice
Don't do transaction code restrictions. Anybody worth hiring as a developer/configurer cn beat them in a development system.
Tell everybody to behave and if they don't promise to get them fired.
Sit back and focus on real risks