SAP Authorizations What to do when the auditor comes - Part 2: Authorizations and parameters - SAP Basis

Direkt zum Seiteninhalt
What to do when the auditor comes - Part 2: Authorizations and parameters
Customise Permissions After Upgrade
Likewise, in addition to a statutory publication of the balance sheet and P&L (profit and loss) statement, internal evaluations can also be created. SAP FI has direct interfaces to other modules, such as HR or SD. For the Internet release of reports, it is necessary that an authorization group has been maintained for the respective report.

Before you can start upgrading the suggestion values and roles, you need to consider a few things. SAP Note 1539556 lists all questions and answers about the administration of proposed values. Already at the start of the transaction SU25 you will be alerted in a pop-up window to the SAP notice 440231 (upgrade preparation for the profile generator). This note provides information on recommended revisions for certain SAP base versions and recommendations for additional guidance, which are listed in the Annexe.
Dissatisfaction and unclear needs in the process
The path with the associated permission group DEVL contains the local temporary files of the ABAP Frontend Editor of the ABAP development environment (transactions SE38, SE80, SE24, etc.). The two paths with the ADMN permission group show how logically related paths can be grouped into a S_PATH permission check. The two entries with the FILE permission group show how paths for Windows can be completed in systems with application servers of different operating systems. The core.sem and coreinfo entries are required to write run-time errors in the SNAP snapshot table. The dev_ and gw_ entries allow you to view files from the developer trace and Gateway Log in the ST11 transaction. If the suggestion in the first entry of the table is too restrictive, you can choose the alternative in the following table. This entry only forces a permission check on S_PATH and the ALL permission group; You should, however, only grant such permission very restrictively.

If you want to know more about SAP authorizations, visit the website

The S_RFCACL authorization object is removed from the SAP_ALL profile by inserting SAP Note 1416085. This notice is included in all newer support packages for the base component; This affects all systems down to base release 4.6C. The reason for this change is that the S_RFCACL authorization object, and especially the expression "total permission" (*), is classified as particularly critical for its fields RFC_SYSID, RFC_CLIENT and RFC_USER. These fields define from which systems and clients or for which user IDs applications should be allowed on the target system. Thus, the overall authorisation for these fields allows the login from any system and client or for any user and thus creates significant security risks.

If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.

The assumption that you "sometimes" separate all the authorization objects that contain an organisational level is simple, but not useful.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.

In addition, executable transactions may also result from the assignment of a reference user; the reference user's executable transactions are also taken into account.
Zurück zum Seiteninhalt