Sometimes I come across roles within the SAP system that are set up and assigned as display roles. However, when analyzing them further it turns out that they are not really display roles (any more). The first focus when setting up a display role is probably removing the non-display ACTVT values from the corresponding authorization objects. The list of ACTVT values and their meanings can be found in table TACT.

No * value and no non-display values should be given to the ACTVT field in a display role. This seems logical, but sometimes only the 01 (create) and 02 (change) values are removed and the other critical values are forgotten: 06 (delete), a range such as 01-09 that still contains 01 and 02, or a * that covers everything.

ACTVT is used by many authorization objects. The list of these objects can be found in table TACTZ.

ACTVT is, however, not the only authorization field that must be restricted to display values; there are others as well, such as PPFCODE and AUTHC in HR and JOBACTION in Basis. Make sure the values assigned to the object fields really only allow display. And while testing the role, perform both positive and negative tests: the display transactions must work, and every attempt to create, change or delete must fail with an authorization error.

And last, if you assign multiple roles to one user, make sure the combination of the display role and the non-display roles does not result in broad access rights. Authorizations accumulate per object and field across all of a user's roles, so a 02 value for the same object in another role also applies to the transactions of the display role.
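As an added example (not code from the original post), here is a small audit in Python over role authorization data in the layout of table AGR_1251, which holds object, field, low and high value per role. It checks each role on its own first and then the union of a user's roles, which is where a display role gets upgraded by a second role carrying 01 or 02 on the same object and field. The display allow-lists for ACTVT and AUTHC follow the standard SAP meanings; the JOBACTION values are an assumption to verify in your own system, and PPFCODE deliberately has no allow-list so that every value of it is flagged for manual review. The role names and sample rows are constructed.

```python
"""Audit SAP role authorization values for non-display activities.

Added example, not code from the original post. Input rows follow the layout
of table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH), e.g. an SE16 export.
"""
from collections import defaultdict

WILDCARD = "*"

# Fields whose values are activity-like and must be display-only in a display role.
AUDITED_FIELDS = {"ACTVT", "AUTHC", "JOBACTION", "PPFCODE"}

# Values accepted as "display". ACTVT and AUTHC carry the standard SAP meanings;
# the JOBACTION entry is an ASSUMPTION to verify in your system. PPFCODE has no
# entry on purpose: the audit then fails closed and flags all of its values.
DISPLAY_VALUES = {
    "ACTVT": {"03", "04", "08"},   # 03 display, 04 print, 08 display change documents
    "AUTHC": {"R"},                # HR authorization level: R = read
    "JOBACTION": {"SHOW", "PROT", "LIST"},  # ASSUMPTION: display-type job actions
}

# Value lists used to expand LOW-HIGH ranges. The ACTVT list is a constructed
# subset of table TACT; extend it from TACT in your own system.
VALUE_LISTS = {
    "ACTVT": ["01", "02", "03", "04", "06", "08", "16"],
    "AUTHC": ["R", "M", "W", "E", "D", "S"],
}


def granted_values(field, low, high):
    """Values one AGR_1251 row grants for `field`, or WILDCARD when the row cannot
    be reduced to an explicit set ('*', a pattern like '0*', or a range over a
    field with no value list)."""
    low, high = low.strip(), high.strip()
    if WILDCARD in low:
        return WILDCARD
    if not high:
        return {low}
    values = VALUE_LISTS.get(field)
    if values is None:
        return WILDCARD  # cannot enumerate the range: treat it as full access
    return {v for v in values if low <= v <= high}


def non_display(field, granted):
    """Subset of `granted` outside the display allow-list of `field`. A wildcard
    yields {'*'}; a field without an allow-list yields everything (fail closed)."""
    if granted == WILDCARD:
        return {WILDCARD}
    return set(granted) - DISPLAY_VALUES.get(field, set())


def audit_role(rows, role):
    """Role-level check: (object, field, low, high, offending values) per bad row."""
    findings = []
    for r in rows:
        if r["AGR_NAME"] != role or r["FIELD"] not in AUDITED_FIELDS:
            continue
        bad = non_display(r["FIELD"], granted_values(r["FIELD"], r["LOW"], r["HIGH"]))
        if bad:
            findings.append((r["OBJECT"], r["FIELD"], r["LOW"], r["HIGH"], sorted(bad)))
    return findings


def effective_values(rows, roles):
    """Union of granted values per (object, field) over a user's roles, keeping the
    contributing roles per value so accumulation stays traceable."""
    eff = defaultdict(lambda: defaultdict(set))  # (object, field) -> value -> roles
    for r in rows:
        if r["AGR_NAME"] not in roles or r["FIELD"] not in AUDITED_FIELDS:
            continue
        granted = granted_values(r["FIELD"], r["LOW"], r["HIGH"])
        for v in ([WILDCARD] if granted == WILDCARD else granted):
            eff[(r["OBJECT"], r["FIELD"])][v].add(r["AGR_NAME"])
    return eff


def audit_user(rows, roles):
    """User-level check: non-display values the user ends up with, and which roles
    brought them in. A clean display role still shows up here if another role
    adds 02 on the same object."""
    findings = []
    for (obj, field), by_value in effective_values(rows, roles).items():
        for v in sorted(by_value):
            if non_display(field, {v}):
                findings.append((obj, field, v, sorted(by_value[v])))
    return findings


# Constructed sample rows (AGR_1251 layout). The V_LIKP_VST rows reproduce the
# two-role scenario from the comments: a display role plus a change role.
SAMPLE_ROWS = [
    {"AGR_NAME": "Z_SD_DISPLAY", "OBJECT": "V_LIKP_VST", "FIELD": "ACTVT", "LOW": "03", "HIGH": ""},
    {"AGR_NAME": "Z_SD_DISPLAY", "OBJECT": "V_LIKP_VST", "FIELD": "VSTEL", "LOW": "*", "HIGH": ""},
    {"AGR_NAME": "Z_SD_CHANGE", "OBJECT": "V_LIKP_VST", "FIELD": "ACTVT", "LOW": "02", "HIGH": ""},
    {"AGR_NAME": "Z_MM_DISPLAY", "OBJECT": "M_MATE_STA", "FIELD": "ACTVT", "LOW": "01", "HIGH": "09"},
    {"AGR_NAME": "Z_MM_DISPLAY", "OBJECT": "M_MATE_MAT", "FIELD": "ACTVT", "LOW": "0*", "HIGH": ""},
    {"AGR_NAME": "Z_HR_DISPLAY", "OBJECT": "P_ORGIN", "FIELD": "AUTHC", "LOW": "R", "HIGH": ""},
    {"AGR_NAME": "Z_HR_DISPLAY", "OBJECT": "P_ORGIN", "FIELD": "AUTHC", "LOW": "W", "HIGH": ""},
]

if __name__ == "__main__":
    for role in ("Z_SD_DISPLAY", "Z_MM_DISPLAY", "Z_HR_DISPLAY"):
        print(role, audit_role(SAMPLE_ROWS, role))
    print("user A", audit_user(SAMPLE_ROWS, {"Z_SD_DISPLAY", "Z_SD_CHANGE"}))
```

On the sample, Z_SD_DISPLAY is clean on its own, Z_MM_DISPLAY is caught twice (the 01-09 range hides 01, 02 and 06; the 0* pattern is a wildcard), Z_HR_DISPLAY is caught on the W value, and the user-level run shows the 02 on V_LIKP_VST coming from Z_SD_CHANGE, which is exactly the accumulation a role-level check cannot see.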


8 Comments


  1. Pavan Maddipatla

    Hi Meta

    Guide me if I am wrong, I think 99% of the time display roles should have only the 03 activity

    for display but not any other value.

    There may be very few instances where we need a few other activities to support the display.

    1. meta hoetjes Post author

      Hi Pavan,

      For the ACTVT value it is indeed quite clear which values should (and should not) be in: 03 (display), but sometimes also 04 (print), 08 (display change documents), … it depends on the underlying objects and transactions. However, there are some modules that are a bit different than the "standard modules". An example is HR. Because of the sensitive data in an HR system I would always recommend setting up separate HR-specific roles, also for display. In HR the object field AUTHC has no number values like ACTVT but letter values instead. Here the letter R is read.

      I recommend creating display roles with only real display transactions in them. For example MM03 (display material master data).

  2. Daniel Alejandro Kapala

    Hi Meta,

    What about if there are 2 roles that share an authorization object as below:

    Role 1 (Display only)

    Tcode: VL06

    Aut Obj: V_LIKP_VST

    ACTVT 03

    Role 2 (Update)

    Tcodes: others

    Aut Obj: V_LIKP_VST

    ACTVT 02

    User A has both roles, so that combination will grant update access to VL06 to the user because both roles share the same authorization object. It means Role 2 turns the VL06 tcode from Role 1 into an update tcode.

    Is there a way to avoid Role 1 becoming an update role in combination with an authorization object from another role that has activity 02?

    I much appreciate your comments.

    Thanks.

    Daniel.

    1. meta hoetjes Post author

      Hi Daniel,

      With the standard SAP way of working there is unfortunately no way to solve this.

      Accumulation of access rights is always difficult to tackle.

      Kind regards,

      Meta

  3. Maria Jhiosa Vergara

    Hi Meta,

    I am currently planning to adapt the SAP_ALL authorization profile by making a SAP_ALL display-only ROLE because it is a request from the infrastructure team. This will be my first time doing this. What recommendations can you give me for creating this role? Are there limitations, what things should I consider?

    Thank you.

    Maria

    1. meta hoetjes Post author

      Hi Maria,

      This can indeed be a difficult task, esp. when this display role will be combined with non-display roles. You can start by setting up a display role with only display transactions and authorizations, but even then accumulation of access rights can lead to unwanted access.

      Therefore I would recommend setting up the role, and analyzing on role level (first) and user level (second) whether accumulation of access rights is occurring.

      I hope this helps!

      Kind regards,

      Meta Hoetjes
