SAP Authorizations Important components in the authorization concept - SAP Basis

Important components in the authorization concept
Checking at Program Level with AUTHORITY-CHECK
Create a message to be displayed to the user when authorization checks fail. You are relatively free in how you design the checks in this user exit. This allows you to read table entries, store data from the ABAP application's memory, or read data that is already there. However, you are limited by the interface parameters of the application. In our example, these are the BKPF and BSEG structures and the system variables. If the information from the interface parameters is not sufficient for the check, you can use your programming skills and your knowledge of the interdependencies of substitution and validation in finance to find additional data. The following coding allows you to identify the selected offset document entries that you can find in the POSTAB table (with the RFOPS structure) in the SAPMF05A program. In this way, you can find a great deal of additional data. It is important that the supporting program processes the user exits.

A mass rollout of roles is a very useful thing. It is also possible to use Excel-based data for this, as in the outlined use case with eCATT, because it is a one-time action for the roles considered and SAP standard programs are used in the background. However, ongoing maintenance of the authorization system, with continuous changes to roles and their detailed authorizations, requires the mapping of much more complex operations. Controlling this exclusively through Office programs should be carefully considered. This does not mean, of course, that there are no very good partner products for maintaining roles. Simply verify that SAP standard procedures are used and that authorizations are managed in accordance with SAP best practices.
Centrally review failed authorisation checks in transaction SU53
In principle, a technical 4-eyes principle must be implemented within the complete development or customizing and transport process. Without additional tools, this can only be achieved in the SAP standard by assigning appropriate authorizations within the transport landscape. Depending on the strategies used, only certain transport steps within the development system should be assigned to users. When using the SAP Solution Manager ("ChaRM") for transport control, for example, only the authorizations for releasing transport tasks should normally be assigned here. The complete processing of a transport in the development system consists of four steps: Creating and releasing a transport request (the actual transport container), creating and releasing a transport task (the authorization for individual users to attach objects to the respective transport request).
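The authorization-based separation described above can be checked against role data. The following sketch is an added example, not code from the original page: it assumes the transport authorizations are held in the S_TRANSPRT object with the fields TTYPE and ACTVT (01 = create, 43 = release), uses DTRA as the request type, and runs on constructed sample rows. It reports users who could complete all four steps alone.

```python
# Constructed sample rows, one per S_TRANSPRT authorization instance:
# (user, role, TTYPE values, ACTVT values). Not exported from a real system.
AUTHS = [
    ("DEV_A",   "Z_DEV_TASKS",   {"TASK"},         {"01", "43"}),
    ("DEV_A",   "Z_DISPLAY",     {"*"},            {"03"}),
    ("LEAD_B",  "Z_TR_RELEASE",  {"DTRA", "CUST"}, {"43"}),
    ("ADMIN_C", "Z_TR_ALL",      {"*"},            {"*"}),
    ("DEV_D",   "Z_DEV_TASKS",   {"TASK"},         {"01", "43"}),
    ("DEV_D",   "Z_TR_CREATE",   {"DTRA"},         {"01"}),
    ("DEV_D",   "Z_TR_REL_CUST", {"CUST"},         {"43"}),
]

# The four steps named in the text as (request type, activity) pairs.
# Assumption: 01 = create, 43 = release; DTRA stands in for the request type.
STEPS = {
    "create_request":  ("DTRA", "01"),
    "release_request": ("DTRA", "43"),
    "create_task":     ("TASK", "01"),
    "release_task":    ("TASK", "43"),
}


def matches(allowed, value):
    """A field matches if it lists the value or the '*' wildcard."""
    return "*" in allowed or value in allowed


def steps_for(user, auths=AUTHS):
    """Steps a user may perform. Both fields must match inside ONE
    authorization instance; values from different roles are not merged."""
    granted = set()
    for owner, _role, ttypes, actvts in auths:
        if owner != user:
            continue
        for step, (ttype, actvt) in STEPS.items():
            if matches(ttypes, ttype) and matches(actvts, actvt):
                granted.add(step)
    return granted


def four_eyes_violations(auths=AUTHS):
    """Users who hold all four steps and could move a change alone."""
    users = sorted({row[0] for row in auths})
    return [u for u in users if steps_for(u, auths) == set(STEPS)]
```

DEV_A and DEV_D show why the evaluation is done per authorization instance: merging their field values across roles would wrongly report both as able to release requests.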


With more than 28 users, the simple Copy & Paste in the user selection no longer works. However, this does not mean that you have to maintain all users individually! It is common to make mass changes to users in the SAP system, such as changing role assignments, locking a group of users, or adjusting their validity dates. Unfortunately, there is no button on the initial screen of transaction SU10 that allows users to be pasted from the clipboard. While Copy & Paste allows you to insert users from the clipboard, this feature is limited to the visible area. Therefore, it is not possible to add a list of more than 28 users, which makes working with long lists very difficult.

For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.

You can do this by drawing on existing privileges and roles.


You have read that it is possible to perform mass activities, such as mass roll-offs, using standard means.