SAP Authorizations Maintain authorization objects more easily - SAP Basis

Direkt zum Seiteninhalt
Maintain authorization objects more easily
Define security policy for users
A separate programme - a separate permission. What sounds simple requires a few steps to be learned. Do you want to implement your own permission checks in your own development or extend standard applications with your own permission checks? When implementing customer-specific permissions, a lot needs to be considered. In this tip, we focus on the technical implementation of the authorisation check implementation.

A new transaction has been added to evaluate the system trace only for permission checks, which you can call STAUTHTRACE using the transaction and insert via the respective support package named in SAP Note 1603756. This is a short-term trace that can only be used as a permission trace on the current application server and clients. In the basic functions, it is identical to the system trace in transaction ST01; Unlike the system trace, however, only permission checks can be recorded and evaluated here. You can limit the recording to a specific user. You can also use the trace to search only for permission errors. The evaluation is similar to the evaluation of the system trace in the transaction ST01. In transaction STAUTHTRACE, however, you can also evaluate for specific authorization objects or for specific permission check return codes (i.e. after positive or negative permission checks). You can also filter multiple entries.
User Information System SUIM
You can also remove customer-specific organisational levels and convert them to a simple permission field. The report PFCG_ORGFIELD_DELETE serves for this purpose. It removes the permission field from the USORG table and changes the permission proposal values to that field. Finally, it goes through all the rolls that contain a shape to the field. However, it does not restore the old location of the field, because summarised values will no longer be separated when the field is elevated to the organisational level. Instead, the aggregated values are entered separately in each field. The PFCG_ORGFIELD_DELETE report also provides a value aid that shows only the customer's organisational levels. You can also use this value aid to determine all customer-specific organisational levels.

At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.

SAP authorizations are a security-critical and thus an immensely important topic in companies. They are used not only to control the access options of users in the SAP system, but also the external and internal security of company data depends directly on the authorizations set.

"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.

S_PROJECT authorization object: The S_PROJECT authorization object enables you to work with customising projects.

So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.

The actual settings can be found in the SSM_CUST, PRGN_CUST and USR_CUST tables.
SAP BASIS
Zurück zum Seiteninhalt