SAP Authorizations Role Management - SAP Basis

Direkt zum Seiteninhalt
Role Management
Compensating measures for segregation of duties conflicts
The role concept provides that each user can only process the tasks to which he is authorized. It is developed across departments and must protect sensitive data from unauthorized access. A clear role concept enables a modular structure of authorizations without having to create separate roles for each user.

The assignment of combinations of critical authorizations (e.g., posting an invoice and starting a payment run), commonly known as "segregation of duties conflicts," must also be reviewed and, if necessary, clarified with those responsible in the business departments as to why these exist in the system. If compensating controls have been implemented for this purpose, it is helpful if the IT department also knows about this so that it can name these controls to the IT auditor. The IT auditor can then pass this information on to his or her auditor colleagues.
Query Data from a Local Table
The SAP Note 1903323 provides a solution. The functionality is only provided via support packages for NetWeaver releases 7.31 and 7.40. This fix extends the naming conventions so that namespaces in the /XYZ/ format can be used up to a maximum of eight characters. In the development and creation of authorization objects, some functionalities of the SAP hint are extremely helpful, which we present in this tip.

If you want to know more about SAP authorizations, visit the website www.sap-corner.de.

A manual comparison of role texts in an SAP system landscape with ZBV is very annoying. You can also automate the sync. I'm sure you know this. When creating or maintaining users in the Central User Administration (ZBV), you must manually start the text matching each time before assigning PFCG roles to provide you with the latest PFCG role definitions. Managing a large system landscape with many systems in your ZBV - including development, test and production systems - the text comparison can take a while.

During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.

In the program, the appropriate syntax is used to determine whether the user has sufficient authorization for a particular activity by comparing the field values specified in the program for the authorization object with the values contained in the authorizations of the user master record.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.

This is a short-term trace that can only be used as a permission trace on the current application server and clients.
SAP BASIS
Zurück zum Seiteninhalt