SAP_ALL profile is a composite profile which gives almost full access and should only be assigned to administrators for emergency access. As a best practice, it is always advised to create roles for administrators with S_* objects which give the necessary access for administration and prevents them from accessing any critical data like HR related information.
You can generate SAP_ALL profile in the following scenarios:
- A new customer-specific authorization object is created. The system regenerates SAP_ALL and updates SAP_ALL profile with the newly created authorization object (condition to – In PRGN_CUST table, attribute value for switch ‘SAP_ALL_GENERATION’ is not set to ‘OFF’; otherwise you will have to manual regenerate SAP_ALL profile).
- After system is upgraded to new release.
- After every support pack import, provided that the support pack contains new authorization objects
SAP_ALL profile can be manually regenerated using report RSUSR406 or via tcode SU21. This regenerates SAP_ALL profile only in the client where this report is executed.
SAP_ALL profile can also be generated using report AGR_REGENERATE_SAP_ALL in client 000. It regenerates SAP_ALL in all the clients.