SAP Authorizations Risk: historically grown authorizations - SAP Basis

Risk: historically grown authorizations
Automatically pre-document user master data
Roles have a special aspect when the SAP system is based on S/4HANA. Under SAP ERP, only roles with authorizations for the GUI system were relevant; for the applications under Fiori, corresponding business roles are required as well. These so-called business roles are needed in addition to the roles in which authorization objects and authorization values are entered.

To read or modify data, a user must have both the privilege of performing a specific action and the privilege of accessing the object. The following privileges are distinguished in SAP HANA.
Reset Manually Maintained Organisation Levels to Roles
You can avoid taking obsolete profile data into account by implementing the correction from SAP Note 1819126 and then setting the customizing switch REC_OBSOLETE_AUTHS to NO in table PRGN_CUST. This correction is also important because it fixes runtime problems when releasing role transports that resulted from the correction in SAP Note 1614407. As a general rule, you should always run mass transport releases in the background.

You can also find some useful tips from practice on the subject of SAP authorizations on the page

The list of executable transactions may differ from the list of transactions for which the user has authorizations, because report RSUSR010 displays only the transactions that are actually executable. Starting the transaction must be permitted through the S_TCODE authorization object, and the following conditions must also be met: For certain transactions, additional authorization checks are performed before the transaction starts. These authorization objects are additionally entered in transaction SE93 (table TSTCA); examples are checks against the P_TCODE, Q_TCODE, or S_TABU_DIS authorization objects. The transaction code must be valid (i.e. entered in table TSTC) and must not be locked by the system administrator (in transaction SM01).
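The conditions above can be replayed offline against table extracts when reviewing why a user's authorized and executable transactions differ. The following is an added example, not code from this page or from SAP: the table contents and user authorizations are constructed, the function names are hypothetical, and value matching is simplified to `*` patterns (value ranges are not modelled).

```python
from fnmatch import fnmatchcase

# Constructed sample data standing in for table extracts (not real system content).
TSTC = {"SU01", "PA30", "SM30", "SE16"}            # valid transaction codes
LOCKED = {"SE16"}                                   # locked by the administrator in SM01
TSTCA = [                                           # (tcode, object, field, value)
    ("PA30", "P_TCODE", "TCD", "PA30"),
    ("SM30", "S_TABU_DIS", "ACTVT", "03"),
    ("SM30", "S_TABU_DIS", "DICBERCLS", "SS"),
]
USER_AUTHS = [                                      # (object, {field: [allowed values]})
    ("S_TCODE", {"TCD": ["SU01", "PA*", "SM30", "SE16", "ZOLD"]}),
    ("S_TABU_DIS", {"ACTVT": ["03"], "DICBERCLS": ["&NC&"]}),
]

def has_auth(auths, obj, required):
    """True if ONE authorization for obj covers every required field value."""
    return any(
        o == obj and all(
            any(fnmatchcase(val, pat) for pat in fields.get(f, []))
            for f, val in required.items())
        for o, fields in auths)

def classify(tcode, auths=USER_AUTHS):
    """Return 'executable' or the first failing condition (in this code's check order)."""
    if not has_auth(auths, "S_TCODE", {"TCD": tcode}):
        return "no S_TCODE"
    if tcode not in TSTC:
        return "not in TSTC"
    if tcode in LOCKED:
        return "locked in SM01"
    extra = {}                                      # group TSTCA rows per object
    for tc, obj, field, value in TSTCA:
        if tc == tcode:
            extra.setdefault(obj, {})[field] = value
    for obj, required in extra.items():
        if not has_auth(auths, obj, required):
            return f"missing {obj}"
    return "executable"

def report(tcodes):
    """Map each transaction code to its classification."""
    return {tc: classify(tc) for tc in tcodes}

if __name__ == "__main__":
    for tc, result in report(["SU01", "PA30", "SM30", "SE16", "ZOLD"]).items():
        print(f"{tc:6} {result}")
```

In this constructed data the user holds S_TCODE for five transaction codes, but only SU01 is executable; the other four are authorized yet blocked by a TSTCA check, a lock, or a missing TSTC entry.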

Authorizations can also be assigned via "Shortcut for SAP systems".

Careless handling of permissions for sensitive employee data can go badly wrong.

The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.

If authorizations are missing, SAP Basis can also help with an authorization trace, in addition to the well-known SU53, for a more detailed analysis of authorization objects.