SAP Authorizations Extend permission checks for documents in FI - SAP Basis

Direkt zum Seiteninhalt
Extend permission checks for documents in FI
Add External Services from SAP CRM to the User Menu
If a user is assigned SAP_ALL, he has all permissions in an ABAP system. Therefore, particular care should be taken in the dedicated award of this entitlement. SAP_ALL can be generated automatically when you transport authorization objects. The SAP_ALL_GENERATION parameter must be maintained in the PRGN_CUST table.

In the SAP standard, there is no universally applicable way to automate the mass maintenance of role derivations. We therefore present three possible approaches: 1) Approach to custom development 2) Automated mass maintenance using the Business Role Management (BRM) component of SAP Access Control 3) Use of a pilot note that allows a report for mass update of organisational values in rolls (currently available to selected customers).
Create permissions for customising
TMSADM: The user TMSADM serves the communication between SAP systems in the transport management system and is automatically created in the client 000 when they are configured. TMSADM only has the permissions to access the common transport directory, view in the change and transport management system, and the necessary RFC permissions. Safeguard measures: Change the user's passwords in each client. There is the report TMS_UPDATE_PWD_OF_TMSADM, which you have to start in the client 000. This is only possible if you have administrator privileges on all systems in the landscape and the password rules of the systems are compatible. After the report has been successfully passed, all TMSADM users of the landscape in the client 000 and their destinations have the same new password.

You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.

Define critical permission combinations that cannot be assigned in the monitored systems. A whitelist allows you to specify which users (such as emergency users) you want to exclude from the evaluation. Identify vulnerabilities in the configuration of your RFC interfaces, i.e. RFC connections, where users with extensive permissions (e.g., the SAP_ALL profile) are registered. These RFC connections can be used for the so-called RFC-Hopping, where access to an SAP system is made via such an extensively authorised RFC connection.

The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".

Document display (transaction FB03): The document display displays only those document lines for which the user has display permissions or where the Profit Centre field is blank (initial).

The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.

Automated processes can save a lot of time and money.
SAP BASIS
Zurück zum Seiteninhalt