Anyone can advise on what profile or role I should assign to my consultants, for them to display the customizing in production?
 

=== 1. There are no SAP-roles for customizing (update or display).

2. You can create a customizing role in PFCG:
in the menu tab utilities/customizing auth; you can use a project IMG (maintainable in SPRO) to restrict the authorizations for example to FI or CO.

As the roles can get pretty big it is quite a lot of work to check the generated authorizations and to limit them if necessary (e.g. only display) and to delete authorizations which certain users (e.g. consultants) do not need. This is especially important if they have other roles which in combination may allow "unwanted access" to certain things.

What is basically necessary for customizing display is SM30, S_TABU_DIS for the relevant authorization groups (activity 03) plus if you want to read the tables out of the IMG the relevant S_TCODE-authorizations. Additionally many transactions require various other authorization objects (which are generated out of SU24 - which is not "100% accurate" as SAP states).
 

=== We use version 3.1. but there is no posting in any web site suitable for creating IMG All display only profile for Ver 3.1
Can any one please share there knowledge.
 

=== The 3.1 version I beleive is a different structure than the higher versions so I am not sure the CUST_ACTOBJ table exists. You will have to debut the IMG to find the source where the tcodes are housed. There are MANY transactions associated with the IMG and S_TABU_DIS is only a part.
Version 3.i is VERY difficult to use to get SU24 to load the role so you can make a display IMG.
It would be simplet to copy SAP_ALL and change the activities to '03'.
 

=== But even in SAP_ALL the customizing for IMG (S_IMG_ACTV) object value is only having Change or nothing..!! There is no option to display... their are few more objects like this. If I dont have any value selected, the profile is not be effective. Nothing can be done. Any more suggestions..
 

=== And S_IMG_ACTV means very little. You can configure with or without it and since configuration is tcode driven and accessable anywhere in the system. You have to give S_IMG_ACTV '02', it means little
 

=== I beleive you need S_IMG_GENE to actually change the config. We have two roles (4.6C) ... one for display only and one for changing.
 

=== Create f.ex a role "CUSTOMIZING" and run the following ABAP.
It will bring to your role all SPRO tarnsactions. Then go through the auth objects and change them display only. This way you'll have a display only role.

REPORT ZTCODES .
tables: cus_actobj, agr_tcodes.
data: ica like cus_actobj occurs 1000 with header line,
iagrtc like agr_tcodes occurs 4000 with header line.
select * from cus_actobj into table ica.
sort ica by tcode.
delete adjacent duplicates from ica comparing tcode.
iagrtc-agr_name = 'CUSTOMIZING'.
iagrtc-TYPE = 'TR'.
iagrtc-direct = 'X'.
loop at ica.
iagrtc-tcode = ica-tcode.
append iagrtc.
endloop.
modify agr_tcodes from table iagrtc.

Note, there is another table cus_acth as well that you load into your internal table and you need to add a sort tcodes and delete adjacent duplicated. then load to your role.

Read also:
Names of  SAP Standard Admin Jobs

SAP Basis Reference Books:
SAP Basis Components, System Administration, Security, ALE and iDoc Books

Back to Basis Menu:
SAP BC (Basis Components) Hints and Tips

Return to :-
SAP ABAP/4 Programming, Basis Administration, Configuration Hints and Tips