SAP Authorizations Add New Organisation Levels - SAP Admin

Direkt zum Seiteninhalt
Add New Organisation Levels
Define S_RFC permissions using usage data
Programme the necessary checks (for example, for specific data constellations or permissions) in this new feature block. If the tests are not successful, do not show the location to the user, just do not return the export structure. The later display of the data is reduced exactly by this record.

You would like to revise your authorisation concept and tailor SAP roles only to the productive processes. We show you how to use the statistical usage data from the Workload Monitor for the SAP role definition. One of the biggest effort drivers in redesigning SAP role concepts is the definition of transactional expression of SAP roles. By using the statistical usage data from the workload monitor, you can avoid costly coordination with process managers in the sense of a Green Field Approach. In this way, you can tailor your SAP role concepts to the content of the usage behaviour. The only requirement is that the data be available for a representative period. This is two months in the SAP standard; You can also extend this time period. Below we describe how you can use the statistical usage data from the Workload Monitor for the SAP role definition.
SAP Security Concepts
Create a message to be displayed to the user when permissions checks fail. The tests in this User-Exit are relatively free. This allows you to read table entries, store data from the ABAP application's memory, or read data that is already there. However, you are limited by the interface parameters of the application. In our example, these are the BKPF and BSEG structures and the system variables. If the information from the interface parameters is not sufficient for the test, you can use your programming skills and knowledge about the interdependencies of substitution and validation in finance to find additional data. The following coding allows you to identify the selected offset document entries that you can find in the POSTAB table (with the RFOPS structure) in the SAPMF05A programme. This way you can find many additional data. It is important that the supporting programme processes the User-Exits.

If you do not encrypt communication between the client and the application servers, it is surprisingly easy for a third party to catch the username and password. Therefore, make sure you encrypt this interface! There is often uncertainty as to whether the password in SAP systems is encrypted by default and whether there is encryption during communication between the client and application servers by default. This ignorance can lead to fatal security vulnerabilities in your system landscape. We would therefore like to explain at this point how you can secure the passwords in your system and protect yourself against a pick-up of the passwords during transmission.

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

SAP Basis refers to the administration of SAP system that includes activities like installation and configuration, load balancing, and performance of SAP applications running on Java stack and SAP ABAP. This includes the maintenance of different services related to database, operating system, application and web servers in SAP system landscape and stopping and starting the system. Here you can find some useful information about SAP Basis: www.sap-corner.de.


You can create a new project or edit an existing project to create a customising role.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.


Together with SAP Basis, the mass maintenance of authorization led values (PFCGMASSVAL) or the mass download of authorization roles (PFCG_MASS_DOWNLOAD) can then be tackled together.
Zurück zum Seiteninhalt