SAP Authorizations Query Data from Active Directory - SAP Basis

Direkt zum Seiteninhalt
Query Data from Active Directory
Lack of know-how
We therefore recommend that you schedule a background job on the PFUD transaction, which performs a regular user comparison (see Trick 17, "Schedule PFUD transaction on a regular basis"). By the way, did you know that the auth/tcodes_not_checked profile parameter enables you to disable the transaction startup permissions for the SU53 and SU56 transactions? To do this, enter the value SU53, SU56, or SU53 SU56 for the profile parameter. This means that the end user no longer needs the permissions to run these transaction codes from the S_TCODE authorization object.

Determine if all recurring external services corresponding to area start pages and logical links have been removed from the GENERIC_OP_LINKS folder. Create a separate PFCG role for this folder. This PFCG role could contain all the basic permissions a user must have in SAP CRM. This includes the permission for the generic OP links. You can transfer this folder to a separate PFCG role by locally specifying the PFCG role that contains the GENERIC_OP_LINKS folder in the new PFCG role under Menu > Other Role >. Now maintain the PFCG role so that only the UIU_COMP authorization object remains active. Disable any other visible authorization objects. These are the authorization objects that allow access to data. You can maintain these authorization objects in the PFCG role, which describes the user's workplace. In the PFCG role that describes the desktop, you can now delete the GENERIC_OP_LINKS folder. If you remix the PFCG role, you will find that many of the unnecessary permissions objects have disappeared.
Eligibility proposal values
If you want to cancel, share, or reset other users' jobs to scheduled status, you must have permission for the S_BTCH_ADM object with a value of Y. Alternatively, you can also grant the JOBACTION = MODI and JOBGROUP = permission for the S_BTCH_JOB object. The MODI promotion was introduced with SAP NetWeaver AS ABAP 7.00 or can be recorded via SAP Note 1623250. The following illustration shows an example of how the JOBACTION = MODI privilege is expressed for the jobs of the users listed under JOBGROUP.

The website www.sap-corner.de offers a lot of useful information about SAP authorizations.

If a user does not have a print permission for an output device (S_SPO_DEV privilege object), an instant print flag may be rescinded, which means that a spool job created during the job step would not print immediately. If archive parameters are passed when scheduling a step, a check is performed on the object S_WFAR_PRI. If the Step user does not have a matching permission, an error message is displayed.

For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.

There are several security features in the SAP standard, such as user management, authentication and encryption capabilities, web service security features, and the various authorisation concepts.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.

Read Tip 41, "Add external services from SAP CRM to the proposal values", for dealing with external services.
SAP BASIS
Zurück zum Seiteninhalt