Because SAP_ALL is so 2004.
Many organizations are still struggling with the implementation of their SAP authorization concept. It is a major challenge to keep it simple, functional, but above all manageable and transparent.
Transparency is also required for external audits. The protection of confidential information, Segregation of Duties (SoD), and the prevention of unauthorized use of task roles must also be given a prominent place in the layered SAP authorization concept. Every role concept within SAP is a dynamic whole: pieces of authorization are constantly added, changed and deleted. When the need is urgent, for example with a high-priority change, people often switch to an emergency user because of the speed it offers.
Go for a TOF model!
An emergency user is a user with a very large number of rights for a limited period, usually FireFighter or SAP_ALL.
With SAP_ALL in particular, one has all rights and is also able, temporarily, to build in an unsecured back door. Unfortunately, checking and accounting for the use of SAP_ALL afterwards is rarely done in practice.
This is one of the reasons why newITera explicitly advocates replacing SAP_ALL with the TOF model.
The TOF Model (Transaction Objects Functional Building Blocks) works not on the build-up principle but on the run-down principle. It is an SAP_ALL authorization with very specific exclusions. This TOF model is more or less a must for financial organizations!
This allows high rights to be issued, with the exception of very specific dangerous rights.
Replace your SAP_ALL with:
- SAP_ALL technical. Without users, roles, financial transactions and other business operations; the managers cannot transfer money.
- SAP_ALL functional. All functional rights without users, roles, customizing changes, opening the system, RFC connections, or database access; the functional administrators cannot change the system or create a backdoor user.
- Local functional SAP_ALL. Not susceptible to being taken over by another system. Can be used as a batch user.
- Segmented functional SAP_ALL. Functional SAP_ALL for just a single company. Often used for a firefighter for a single company.
- For interfaces. No transactions can be executed, only function blocks.