SAP Authorizations Limitations of authorization tools - SAP Basis

Direkt zum Seiteninhalt
Limitations of authorization tools
Authorization concepts - advantages and architecture
You can also remove customer-specific organisational levels and convert them to a simple permission field. The report PFCG_ORGFIELD_DELETE serves for this purpose. It removes the permission field from the USORG table and changes the permission proposal values to that field. Finally, it goes through all the rolls that contain a shape to the field. However, it does not restore the old location of the field, because summarised values will no longer be separated when the field is elevated to the organisational level. Instead, the aggregated values are entered separately in each field. The PFCG_ORGFIELD_DELETE report also provides a value aid that shows only the customer's organisational levels. You can also use this value aid to determine all customer-specific organisational levels.

Insert SAP Notes 1656965 and 1793961 into your system. With these hints, the report RSUSR_LOCK_USERS is delivered or extended. This report supports automatic selection and blocking of inactive users. To do this, you have to select the criteria in the selection screen of the RSUSR_LOCK_USERS report, according to which you want to lock or invalidate users. You can determine the choice of users by using various criteria. It is recommended to take into account the period since the last login in the Days since last login field and the password status in the Days since password change field. You have the option to check the result of the selection and view the users found. To do this, select the Test of Selection action in the Select Action pane. You can also choose between the User Lock-outs (Local Lock-outs) and User Unlock (Local Lock-outs) actions in this area. You can set the end of a user's validity by clicking the corresponding options for "today" or "yesterday". Note that you can only set the validity for current users.
Equal permissions
Have you ever wondered who has critical permissions in your system? Have you lacked the tool and approach to identify these users? The user system in an SAP system is always connected to a permission assignment. Over the life cycle of a user in the SAPS system, more and more permissions are accumulated if they are not withdrawn once they are no longer needed. This accumulation is bound to result in users being able to perform more actions than you would like as the permission administrator. To avoid this, we want to give you a suitable tool.

The website www.sap-corner.de offers a lot of useful information about SAP authorizations.

To maintain open permission fields in roles, you need information from the Permissions System Trace. But all transferred manually? Not with this new feature! If you have previously created PFCG roles, you must maintain all open permission fields manually. The information on which values can be entered can be read from the Permissions system trace and maintained manually in the PFCG role. However, this can be very complex, because a function that takes these values into the PFCG role has been missing.

However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".

Single sign-on (SSO): This solution is useful if you have not yet used SSO for your SAPS systems or if not all SAP systems are integrated into the SSO solution.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.

By the way, did you know that the auth/tcodes_not_checked profile parameter enables you to disable the transaction startup permissions for the SU53 and SU56 transactions? To do this, enter the value SU53, SU56, or SU53 SU56 for the profile parameter.
SAP BASIS
Zurück zum Seiteninhalt