SAP Authorizations Encrypt e-mails - SAP Basis

Direkt zum Seiteninhalt
Encrypt e-mails
Efficient SAP rollout through central, tool-supported management
We advise you not to use the self-set password with a self-service as a generated password is more secure. The password is generated depending on the password rules; This is done by first evaluating the settings in the security policy assigned to the user. If no security policy has been assigned to the user, the system will consider the password rules in the profile parameters and in the customising table PRNG_CUST. In order for the associated security policy to be considered, you may need to include the correction provided with SAP Note 1890833. Remember that the BAPI_USER_CHANGE function block does not automatically unlock the user. In the event of a lock-out due to incorrect logins, you still have to unlock the user using the BAPI_USER_UNLOCK.

Now, if a user attempts to execute a report (for example, by using the KE30 transaction), the user's permissions for that authorization object are checked. Therefore, you must adjust your permission roles accordingly. If the user does not have permission to access the object, his request is rejected. If it has a corresponding permission, the display will be restricted to the permitted area. Access is still allowed for all characteristics or value fields that are not defined as fields of the authorization object.
Configure Security Audit Log
The first two problems can be solved by inserting the correction from SAP Note 1614407. The profile data will not be added to the bill of materials at the time of the roll recording but only when the transport order is released. This ensures consistency between the role's permission data and its profile data. The shared transport job also contains the complete history of changes to the profiles and permissions, so that obsolete data can also be deleted in the target systems.

At you will also find a lot of useful information on the subject of SAP authorizations.

For these scenarios, there are several ways to determine which systems and clients to display to the user in the self-service selection. We therefore describe a possibility that you can use in all scenarios. To do this, use the BAPI BAPI_USER_GET_DETAIL, which you must call for the SAP User ID on all relevant systems. Check the entry for the RETURN table parameter first. If the entry is empty, the user is present in the SAPS system. Any error messages during the call are displayed in this parameter (e.g. if the user is not present). If the PROFILES or ACTIVITYGROUPS table parameters have entries, permissions in this system are assigned to the user. In addition, you can use the REF_USER export parameter to identify a reference user that is associated with it. However, you must also check that it has permissions. You can also determine if a lock exists when you call the BAPI BAPI_USER_GET_DETAIL. To do this, use the ISLOCKED export parameter, which returns a four-character combination of the L (locked) and U (not locked) characters.

For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.

You can select these selection criteria together or separately.

So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.

Depending on the configuration of root data and processes, different permission checks can be relevant, so that it makes sense to adjust the proposed values.
Zurück zum Seiteninhalt