Law-critical authorizations
Check current situation
Since 2001, SAP has worked with the German-speaking SAP User Group (DSAG e. V.) to develop model roles for tax inspectors, which have been revised over the years. The role definition reflects DSAG's interpretation of the concept of tax-relevant data.
After these preparations, we now turn to implementing the user exit in the validation that has just been created. To do this, copy the user exit definition in the custom program you created, specify a name for the user exit definition (e.g. UGALI), and create a new text element.
Compensating measures for segregation of duties conflicts
The goal of an authorization concept is to provide each user with the appropriate authorizations in the system individually for their tasks according to a previously defined rule. For this purpose, an authorization concept must be defined as the foundation for efficient authorization assignment. In this way, each employee is given system access through the role-specific assignment of authorizations according to his or her tasks. On the one hand, this protects sensitive information and, on the other, prevents damage caused by incorrect use of data.
Each UI component that can be clicked corresponds to an external service, and each of these services must have an authorization set up. UI components also include creating or calling stored searches, or navigating from one record directly to another, such as calling an appointment directly from a business partner; this corresponds to cross-navigation. All navigation options in the form of external services are defined in the Customizing of the CRM business role, as a generic outbound plug mapping to the navigation bar. Outbound plugs (OP) define what happens when a user leaves a view in SAP CRM. The Customizing here covers scenarios that do not necessarily fit all CRM business roles, so CRM business roles end up associated with outbound plugs that are not required for their respective scenario. This explains the large number of external services in the role menu.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
In the BAdI's only method, CHANGE_ITEMS, program the necessary checks, for example on specific data constellations or authorizations.
While ST11 opens almost all files without a path (they are in the DIR_HOME directory anyway), AL11 basically uses fully specified file names with a path.