User & Authorization Management with SIVIS as a Service
SAP license optimization
After a user entry, the authorization check for the authorization objects PS_RMPSORG and PS_RMPSOEH runs as follows:
1) The system determines the organizational unit to which the user is assigned.
2) Starting from this organizational unit, the system creates a list of all organizational units that are superior to it in the hierarchy.
3) The system determines the set (M1) of all organizational objects that are assigned to these organizational units.
4) The system determines the organizational unit to which the object to be processed is assigned (this corresponds to the lead organizational unit in the attributes of the object to be processed).
5) Starting from this lead organizational unit, the system creates a list of all organizational units that are superior to it in the hierarchy.
6) The system determines the set (M2) of all organizational objects assigned to these organizational units.
7) The system forms the intersection of M1 and M2, that is, the matching organizational objects of the user and the object to be processed.
8) The system determines the organizational levels that match for the user and the object being processed.
9) Once a matching organizational level is found, the system performs the authorization check for the other fields of the authorization object (e.g., type of object or activity); if the system cannot determine a common organizational level, processing is rejected.
10) If the user is allowed to perform the requested activity, processing is allowed; otherwise, the system rejects processing.
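The check sequence above, modelled in Python as an added example (not SAP code and not from the original page). All unit names, organizational objects, grants and function names are constructed, and two points are assumptions: the starting unit is counted together with its superior units, and a user's authorization is modelled as an (organizational object, object type, activity) triple.

```python
# Simplified model of the hierarchy-based check; not SAP code.
# Every unit, organizational object and grant below is constructed sample data.
PARENT = {  # organizational unit -> superior unit (None = top of a hierarchy)
    "MINISTRY": None, "ISOLATED": None,
    "DEPT_A": "MINISTRY", "DEPT_B": "MINISTRY",
    "TEAM_A1": "DEPT_A",
}
ORG_OBJECTS = {  # organizational unit -> organizational objects assigned to it
    "MINISTRY": {"ORG_ALL"}, "ISOLATED": {"ORG_X"},
    "DEPT_A": {"ORG_A"}, "DEPT_B": {"ORG_B"},
}
# Assumed shape of a user's authorizations: (org object, object type, activity)
GRANTS = {
    "alice": {("ORG_A", "RECORD", "DISPLAY"), ("ORG_A", "RECORD", "CHANGE"),
              ("ORG_ALL", "RECORD", "DISPLAY")},
}
USER_UNIT = {"alice": "TEAM_A1"}

def units_upward(unit):
    """Return the unit plus all superior units (assumption: start unit included)."""
    chain, seen = [], set()
    while unit is not None and unit not in seen:  # 'seen' stops on cyclic data
        chain.append(unit)
        seen.add(unit)
        unit = PARENT.get(unit)
    return chain

def org_objects_for(unit):
    """Organizational objects assigned along the upward chain (the set M1 or M2)."""
    return set().union(*(ORG_OBJECTS.get(u, set()) for u in units_upward(unit)))

def check(user, lead_unit, object_type, activity):
    """Return (allowed, reason) for processing an object with this lead unit."""
    m1 = org_objects_for(USER_UNIT[user])   # user side
    m2 = org_objects_for(lead_unit)         # object side
    common = m1 & m2
    if not common:
        return False, "no common organizational level"
    # The remaining fields are only evaluated once a common level exists.
    for level in sorted(common):
        if (level, object_type, activity) in GRANTS.get(user, set()):
            return True, f"authorized via {level}"
    return False, "activity not authorized"
```

In this model, a grant tied to an organizational object at the top of the hierarchy matches objects from every subordinate unit, which is worth checking when reviewing how broadly such values are assigned.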
Most customer-specific programmes are additions to, or variations of, the standard functionality. When you create your own programmes, you can therefore follow the authorization checks of the standard programmes or reuse the authorization checks used there.
Use AGS Security Services
Roles can be assigned to users directly through user management in the SU01 transaction, role maintenance in the PFCG transaction, or mass change of users in the SU10 transaction. However, if the employee changes his or her position in the company, the old roles must be removed and new roles assigned according to the new activities. Because PFCG roles are created to represent job descriptions, you can use organisational management to assign roles to users based on the post, job, etc.
In the SAP standard, there is no universally applicable way to automate the mass maintenance of role derivations. We therefore present three possible approaches: 1) Custom development 2) Automated mass maintenance using the Business Role Management (BRM) component of SAP Access Control 3) Use of a pilot note that provides a report for the mass update of organisational values in roles (currently available to selected customers).
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
In addition to other useful functions, it also offers the automation of mass maintenance of role withdrawals.
For result and market segment accounting, you can define authorization objects for planning, for the information system, and for the item-based reports of the information system.