Channel: SCN : All Content - Security

SAP Security - A sample to create ZSAP_ALL display only (Role) [ABAP AS only]


Hi Guys,

 

This is my first document for SAP Security. I am new to this community and am wishing for a good time in SCN-SAP.

 

This document describes how to create a role for a display-only user. A display-only user can view all the T-Codes but cannot create or edit/change anything in the system. The role is built according to the requirements of the client (customer) you are working for.

 

As a first example, some companies/clients don't want the 'display only' user to view the HR transactions. Those transaction codes should be restricted in the role: select the SAP_ALL template, open the S_TCODE object, remove the full authorization and enter 'From' and 'To' ranges instead.

Ranges example: you need to restrict these HR T-Codes in the list.

[Image: HR.PNG, the HR T-Code list]

Select ranges: (enter the ranges that should be allowed and leave out the T-Codes that need to be restricted)

 

In the 'From' and 'To' ranges of the S_TCODE object:

Remove the asterisk.

Insert:

From /* (some transactions also start with /)

From 0* to 9*

From A* to N*

(Now suppose you have to restrict OOSP, OOSB, OOAW, OOAC. Sort them in dictionary order, which gives:

OOAC, OOAW, OOSB, OOSP)

From N* to OOAB (here OOAC is restricted)

From OOAD to OOAV (here OOAW is restricted)

From OOAX to OOSA (here OOSB is restricted)

From OOSC to OOSO (here OOSP is restricted)

From OOSQ to PP00 (here PP01 is restricted)

 

 

Now restrict the T-Codes starting with P in the same way, working through the HR T-Code list in dictionary order.
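The sorted-gap method above, as an added example that is not part of the original post: this Python derives the From/To pairs around a set of restricted T-Codes and checks that no pair still lets a restricted code through. It assumes plain uppercase ASCII ordering and literal bounds (no wildcards); the outer bounds OO00 and PP99 and the mistyped entry are constructed for the demonstration.

```python
import string

# Assumption: T-Codes compare as plain uppercase ASCII strings ("dictionary
# wise"); wildcard bounds such as N* and codes starting with / are not modelled.
ALPHABET = string.digits + string.ascii_uppercase

def neighbour(tcode, step):
    """Same-length code directly before (step=-1) or after (step=+1) tcode."""
    chars = list(tcode)
    for i in reversed(range(len(chars))):
        pos = ALPHABET.index(chars[i]) + step
        if 0 <= pos < len(ALPHABET):
            chars[i] = ALPHABET[pos]
            return "".join(chars)
        chars[i] = ALPHABET[-1] if step < 0 else ALPHABET[0]  # borrow or carry
    raise ValueError(f"{tcode} has no neighbour in that direction")

def allowed_ranges(first, last, restricted):
    """From/To pairs covering first..last that leave out every restricted code."""
    ranges, start = [], first
    for code in sorted(set(restricted)):
        if not first <= code <= last:
            raise ValueError(f"{code} lies outside {first}..{last}")
        end = neighbour(code, -1)
        if start <= end:  # skipped when two restricted codes are adjacent
            ranges.append((start, end))
        start = neighbour(code, +1)
    if start <= last:
        ranges.append((start, last))
    return ranges

def leaks(ranges, restricted):
    """Restricted codes that at least one From/To pair still lets through."""
    return sorted({c for c in restricted for lo, hi in ranges if lo <= c <= hi})

# Restricted codes named in the post; OO00 and PP99 are constructed outer bounds.
RESTRICTED = ["OOSP", "OOSB", "OOAW", "OOAC", "PP01"]
RANGES = allowed_ranges("OO00", "PP99", RESTRICTED)

# Constructed faulty entry: one mistyped From value (OOPQ instead of OOSQ).
MISTYPED = [(lo, hi) if lo != "OOSQ" else ("OOPQ", hi) for lo, hi in RANGES]

if __name__ == "__main__":
    for lo, hi in RANGES:
        print(f"From {lo} to {hi}")
    print("leaks with correct ranges:", leaks(RANGES, RESTRICTED))
    print("leaks with mistyped range:", leaks(MISTYPED, RESTRICTED))
```

Running the same `leaks` check against the ranges actually entered in the role is a quick review step before the role is assigned, because a single mistyped bound silently re-admits restricted transactions.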

 

 

** Removing the create/change rights of the display-only user (creating the DISPLAY ONLY role)

 

After you select the SAP_ALL template, set the organizational levels to full authorization (according to your requirement).

 

Restrict the T-Codes according to the ranges as shown above.

 

The role may now contain thousands of authorization objects, each carrying the '*' (asterisk) value. Removing the * and selecting only 03 (display) in each field by hand may take days for those thousands of objects.

 

Download the role as a local file in Excel sheet (delimited) format.

 

Open the sheet, find/select AGR_1251 in it, then find ACTVT    * and replace it with ACTVT    03

 

Save the file as another *.txt file and upload it as it is (overwrite the file), then check the activity fields of the role.

Display only is now given for all the ACTVT fields in the objects.

 

What actually happens is that the AGR_1251 table holds the create/change/display activities; we are removing the asterisk (full authorization) and replacing it with display only.

 

** I have created a document for the creation of the SAP_ALL DISPLAY ONLY user; please find the link below:

 

SAP_ALL DISPLAY Role Document v2.0.docx - Google Drive

 

-Cheers

 

Rakesh Kumar Vudigala

BASIS.

