Analyzing the quality of the authorization concept - Part 1
Context-dependent authorizations
In addition, critical commands should be prohibited from the outset. Examples are EXEC SQL, which allows direct access to database tables bypassing certain security mechanisms, and CLIENT SPECIFIED, which allows access to data in other clients.
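The two statement forms named above, each beside the form a code review would accept, as an added illustration that is not code from the original page (the table ZMYTAB and its fields are hypothetical):

```abap
REPORT z_authz_critical_statements.

" Added illustration, not from the original page. ZMYTAB is hypothetical.
DATA lt_rows  TYPE STANDARD TABLE OF zmytab.
DATA lv_count TYPE i.

" 1) CLIENT SPECIFIED switches off automatic client handling, so the
"    statement can read data of any client. Flag this in code review.
SELECT * FROM zmytab CLIENT SPECIFIED INTO TABLE lt_rows
  WHERE mandt = '100'.                      " cross-client read

" Accepted form: without CLIENT SPECIFIED, Open SQL restricts the read
" to the logon client (sy-mandt) itself.
SELECT * FROM zmytab INTO TABLE lt_rows.

" 2) EXEC SQL sends native SQL straight to the database and bypasses the
"    security mechanisms that Open SQL applies. Flag this as well.
EXEC SQL.
  SELECT COUNT(*) INTO :lv_count FROM zmytab
ENDEXEC.

" Accepted form: Open SQL, preceded by an explicit authorization check
" (S_TABU_NAM, display activity 03) so the read is covered by the
" authorization concept.
AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
  ID 'TABLE' FIELD 'ZMYTAB'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'No authorization to display ZMYTAB' TYPE 'E'.
ENDIF.
SELECT COUNT( * ) FROM zmytab INTO lv_count.
```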
You must activate a role that you have created as a design-time object in the Design Time Repository before it can be assigned to a user. To do this, select the role in Project Explorer and choose Team > Activate from the context menu. This creates a runtime object for the selected SAP HANA role. This object is also treated as a catalog object and appears in the Roles branch of the corresponding SAP HANA system.
Set up login locks securely
If the authorization objects also require permission fields, you can create them in transaction SU20. When creating an authorization object in transaction SU21, you first assign a name and description to the authorization object and then assign it to an object class. Then assign the necessary permission fields. If one of these fields is ACTVT, you can select all of the activities to be checked by clicking the Activities button. Navigation in this transaction has been improved considerably.
However, the authorization trace is not active by default in customer systems; it must be explicitly activated via the profile parameter "auth/authorization_trace". In transaction RZ11 you can quickly check whether the parameter is already set; the parameter itself is maintained in transaction RZ10. Its default depends on the system type: the trace is active in SAP systems (profile parameter transport/systemtype = SAP) and inactive in customer systems (profile parameter transport/systemtype = CUSTOMER).
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
It is therefore better to let users display the authorization error themselves via the menu.
Here it is possible to set individual filters for the checks.