SAP Authorizations Permissions with status - SAP Basis

Direkt zum Seiteninhalt
Permissions with status
Maintenance Status
Excel-based tools that do not use the PFCG transaction in the background, like eCATT, function almost exclusively on the one-way principle: Simultaneous maintenance of roles in the PFCG transaction is no longer possible, and changes there are overwritten by the tool. This means that all permission administrators must work exclusively with the new solution.

Do you also work in a complex system landscape where roles are decentralised? Then, inconsistencies can occur by transporting profiles from different systems to a target system. We'll show you how to prevent that. In the case of decentralised maintenance of eligibility roles, i.e. maintenance of roles in different systems or clients, there is a risk that the number sequences for the generation of eligibility profiles overlap. You can then generate profiles with the same name for different roles in different clients. As soon as you transport these eponymous permission profiles into a common target system, the profile will be overwritten by the newly imported profile and inconsistencies will arise. As a result, you may, for example, assign an ERP Permissions Role an SCM permission profile. This may result in a user assigned the ERP role not obtaining the required permissions or even too many permissions. You also have a problem if you want to use the permission profile to determine the source system and the client in which this profile was generated. This is not possible if the first and third characters of the SAP System ID (SID) and the number sequence for generating the permission profile match.
Custom requirements
Additional checks should be performed on document transactions in specific processes. This may be necessary, for example, when booking via interfaces in customer-owned processes, if the booking is to be possible only under certain conditions or on certain accounts.

You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.

You should then enable the latest version of the hash algorithms by setting the login/password_downwards_compatibility profile parameter to 0. This is required because SAP systems maintain backward compatibility by default. This means that, depending on your base release, either the new hash algorithms will not be used when storing passwords, or additional outdated hash values of passwords will be stored. You should then check to see if there are any old hash values for passwords in your system and delete them if necessary. Use the report CLEANUP_PASSWORD_HASH_VALUES.

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

For details on the relevant support packages, see SAP Note 1891583.

So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.

The SAP authorization concept ensures that no unauthorized access can be made to transactions, programs and services in SAP systems.
SAP BASIS
Zurück zum Seiteninhalt