Hi Rableen,
- You should definitely not have users with SAP_ALL in the “Productive Client”.
- Please create a role from SAP_ALL template and remove access to most of the business transactions,
deactivate authorization objects for HR and assign this role to the System Administrators. If more access is required, then it should be via FireFighters, the usage logs of which can be audited. - SAP* & DDIC will need wider access and in all the projects I’ve worked in, I’ve had these 2 users with SAP_ALL in Clients 000, 001 & 066 ( If you have the time you can restrict by assigning only the minimum
required![]()
) - In the screenshot you have provided, your “Productive” client is either 400 or 500, in either of the cases as a first step, I would start working to bring this number to zero.
)Best Regards,
Savitha