SAP Authorizations Organisationally restrict table editing permissions - SAP Basis

Direkt zum Seiteninhalt
Organisationally restrict table editing permissions
A concept for SAP authorizations prevents system errors and DSGVO violations
With Managed Services, you receive professional management and improvement of your SAP authorizations. In doing so, we analyze your existing workflows and processes and work out optimization potentials. The implementation of the potentials takes place within a few months. As a basis for central and efficient administration, we implement an underlying tool, working continuously and directly with your SAP key users.

As long as the corresponding tests in both the development and the quality system are not completed, the SAP_NEW profile will be assigned to the testers in addition to their previous roles. This ensures that the transactions can be traversed without errors of authorisation. Parallel enabled permissions (ST01 or STAUTHTRACE transactions) can be used to identify the required permissions and assign them to the user through the appropriate roles.
Permissions and User Root Sets Evaluations
The test for the assignment of the SAP_ALL profile is carried out in the SOS differently than in the EWA: If a user is found, assigned to SAP_ALL, and you have not entered it in the corresponding whitelist, it will still be hidden in the subsequent permission checks. Identified users will be output either through a complete list or through examples of specific users. In both cases, you can download the full list in the SAP Solution Manager's ST14 transaction. You can use the Check ID to map user lists to the permission checks. However, you should note that these lists do not contain the evaluations of the whitelists.

At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.

Once you have edited the role menu, you can customise the actual permissions in the PFCG role. To do this, click the Permissions tab. Depending on the quantity of external services from the Role menu, the authorization objects will appear. The authorization objects are loaded into the PFCG role, depending on their suggestion values, which must be maintained for each external service in the USOBT_C and USOBX_C tables. You can edit these suggested values in the SU24 transaction. Make sure that external services in the Customer Name Room also have the names of external services and their suggestion values in the tables maintained (see Tip 41, "Add external services from SAP CRM to the proposal values"). Visibility and access to external services is guaranteed by the UIU_COMP authorization object. This authorization object consists of three permission fields: COMP_NAME (name of a component), COMP_WIN (component window name), COMP_PLUG (inbound plug).

With "Shortcut for SAP systems" you can automate the assignment of roles after a go-live.

However, these catalogs must first be filled with corresponding tiles in the so-called "Launchpad Designer".

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.

A functional specification must be created for all customer-specific functionalities.
SAP BASIS
Zurück zum Seiteninhalt