Hola que tal, buen día, saben si existe una configuracion para solo visualizar en las transacciones con el perfil sap_all. Me pidieron crear un usuario y agregarle el perfil sap_all pero que solo visualice en las transacciones y no pueda modificar o editar dentro de cada una de ellas.
Agradezco su apoyo y pronta respuesta. Gracias
Saludos cordiales!!
jajajajaja muchas gracias Shadowdancer, ya decía yo que no era algo simple 
Saludos!!
En lo particular no le veo mucho sentido a esto, lo ideal es que aclares con tu jefe el proposito, sin embargo haciendo una pequeña busqueda en la red y encontre esto:
I. Create a Security Role copied from the SAP_ALL Profile
The first thing you’ll need to do is to create a new Single Role with its Authorization Profile copied from the SAP_ALL profile. This will add most, if not all, Authorization Objects into the role. The steps to perform this task are:
Make sure to select the SAP_ALL profile as your template for this role.
II. Modify the Security Role to have only Display permissions
Once you have imported the SAP_ALL template into your role, you will need to make some modifications to it in order to ensure that it provides display only access. As the SAP_ALL profile provides near-complete access to an SAP system, this is an imperative task to perform. Unfortunately, it can also be quite time consuming.
As this Security role is for Display All access, you will need to apply full authorizations for the defined Org. Levels.
Next, drill-down into the Cross-application Authorization Objects (AAAB) Object Class until you find the Authorization Object S_TCODE. Expand this Authorization Object.
As you can see, the S_TCODE Authorization Object has a value of *. This allows for ALL transaction codes to be ran.
From the expanded view of S_TCODE you will need to click the Deactivate button (red minus symbol) to deactivate this Authorization Object, and then click the Delete button (trash can) in order to delete S_TCODE from this role. If you are prompted for the deletion, click “Yes” to continue.
After you have ensured that S_TCODE has been deactivated in the role, you can delete it.
This is an example of what you will need to perform against the vast majority of Authorization Objects in this role.
III. Create a Security Role with the desired Transaction Codes
After you have modified the Display All Authorizations role to no longer have any Create, Change, Modify, etc. permissions within it, you will be able to create separate Security Roles that only provide access to the Transaction Codes that your user(s) need Display All permissions to. Remember the S_TCODE Authorization Object we removed earlier from the other role? We are going to use it within these roles. The following is an example as to how to create one of these “transaction only” roles.
Create a new Single Role, providing it with a descriptive name. In this example, I will use the name ZS_DISPLAY_ALL_BASIS.
Just as how you would create a typical SAP Security Role, you will need to assign the desired Transaction Codes that you want to provide display access to.
In this example, I am adding some SAP BASIS transaction codes.
Just as before, you will need to click on the Authorization tab and then click the “change Authorization Data” button. Again, if you see an informational note, just click the green check-mark to continue.
Just as how you deactivated, and then deleted, the S_TCODE Authorization Object in the previous steps, you will need to do this for every Authorization Object except for S_TCODE.
When you have removed all of the other Authorization Objects, this is what should remain.
Now you can generate your role’s profile, and save it.
Using this process, you should now have a Single Role that contains the vast majority of Authorization Objects within SAP, with the exception of S_TCODE. These Authorization Objects should also all be configured to provide Display permissions, without any form of Create, Change, Modify, etc. You will also have another Single Role that does the opposite by containing only the S_TCODE Authorization Object, with the assigned transaction codes in-place. This role, however, provides no additional permissions.
When you assign both of these Security Roles to an end user, the system will determine what transaction codes they can run via one role, and will determine their level of access (display, if everything was configured correctly) via the other role. Using this methodology allows you to more quickly create Display Only roles, as you will only ever have to create a Single Role containing the necessary transaction codes (remembering to always remove the excess Authorization Objects from the role). After creating the role containing S_TCODE, you can just assign this new role and the previously created ZS_DISPLAY_ALL_AUTHS role.
Fuente: ht_p://www.cryptohax.com/2014/04/sap-admin-tips-creating-display-all.html
Gracias mi estimado Shadowdancer tu respuesta me abrió mas el panorama sobre esta solicitud 
Saludos!!
Hola @cucho se puede pero da un poco de flojera realizarlo… seria crear un rol por medio de la pfcg con todos los todos los objetos de autorización(su03)-- luego que los agregas los objeto de autorización manualmente al rol, tienes que delimitar todos estos objetos que contengan el campo actividad por la (visualizar) y listo esto te da un sap_all en modo solo visualizar.
Saludos
@Josh
no es algo recomendable de realizar, ya que tendrias que revisar los objetos de autorizacion para cada una de las transacciones sap, la pregunta es
¿como te aseguras que a cada transaccion que le das acceso “solo para visualizar” pueda finalmente no modificar nada?
para nada recomendable…
Este tema se cerró automáticamente 7 días después del último post. No se permiten nuevas respuestas.