SAP Authorizations Customise evaluation paths in SAP CRM for indirect role mapping - SAP Basis

Direkt zum Seiteninhalt
Customise evaluation paths in SAP CRM for indirect role mapping
Context-dependent authorizations
When you create users in the SU01 transaction, do you want to automatically pre-occupy certain fields from a data source? Use a new BAdI for which we present an implementation example. If you create a user in the SU01 transaction in an SAP system, there is almost always data about that user in other systems. A classic example is user data in the Active Directory or the personnel master data in SAP ERP HCM, which are already maintained as part of the employee recruitment process. If user data is present in multiple systems, then the first choice is to automatically create a user through an identity management system, which is resolved by an HR trigger in SAP Identity Management (ID Management). ID Management detects changes, such as personnel master data, SAP ERP HCM, or business partners in SAP CRM, and either applies the appropriate users in your systems or makes changes and deactivations. But what if you don't have an identity management system in place? Do you need to type all of this data? No - you can pre-document them automatically. You can use a Business Add-in (BAdI), which allows you to pre-define certain fields when you create a user in the SU01 transaction.

If you set the profile parameter dynamically, no users are logged out of the application server. You can prepare maintenance work in good time. The value 2 in the profile parameter does not prevent the login with the emergency user SAP*, if this is not set as user master record and the profile parameter login/no_automatic_user_sapstar is set to 0. You can also change the value of the parameter again at the operating system level. For details on the SAP user, see Tip 91, "Handling the default users and their initial passwords".
Integrate S_TABU_NAM into a Permission Concept
You have now successfully recorded the blueprint. Now the slightly trickier part follows: The identification of the values to be changed at mass execution. In the editor of your test configuration, at the bottom of the text box, is the record you have created: TCD ( PFCG , PFCG_1 ). Double-click the PFCG_1 interface. On the right, a new detail with the recording details appears. Now you have to look for your input a bit. For example, use the role name entered on the PFCG entry screen (field name 'AGR_NAME_NEW'). Now comes an important step: Replace the values you entered during the recording with a placeholder, a so-called input parameter. To do this, go to the VALIN line and type any parameter name, such as ROLLENNAME, instead of the role name you entered. Click Enter and you will be asked what type of parameter it is. Specify Import and confirm with Yes.

If you want to know more about SAP authorizations, visit the website www.sap-corner.de.

Authorizations are the main controlling instrument for mapping risk management and compliance. They are used to control all processes in the systems. For the most part, separation of functions is implemented exclusively with authorizations. Therefore, not only the one-time setup of authorizations is relevant, but also the continuous monitoring and control of the authorization assignment. Various tools are available on the market for this purpose. A re-certification process that involves the departments and optimizes the revalidation of authorizations is helpful.

"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.

Other administrative authorizations can also be described.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.

However, they will lead to greater transparency and security.
SAP BASIS
Zurück zum Seiteninhalt