SAP Authorizations Consolidate user-level role mapping - SAP Admin

Direkt zum Seiteninhalt
Consolidate user-level role mapping
Use SU22 and SU24 transactions correctly
One way of gaining direct access to downstream systems from the development system and possibly performing unauthorized activities there is to use incorrectly configured interfaces. In principle, interfaces within a transport landscape should be avoided with regard to the criticality of the systems "uphill", i.e. from an "unsafe" to a "safe" system (e.g. E system to Q or P system). However, this cannot always be implemented; for example, such interfaces are needed within the transportation system. Without going too deeply into the subject, however, critical interfaces can be characterized by the following properties. Critical interfaces refer to a critical system and a critical client, contain an interface user with critical authorizations in the target client, contain its deposited password.

Structural authorizations work with SAP HCM Organizational Management and define who can be seen, but not what can be seen. This is done based on evaluation paths in the org tree. Structural authorizations should therefore only be used together with general authorizations. Just like the general authorizations in SAP ECC HR, they enable regulated access to data in time-dependent structures. An authorization profile is used to determine the authorization. In addition, it is defined how the search is carried out on the org tree.
Check Profit Centre Permissions in FI
You have developed applications yourself and would like to maintain suggestion values for them? The easiest way to do this is with the help of the permission trace. Permission checks are also performed on self-developed applications. These applications must therefore be included in the PFCG rolls. If they are maintained in a role menu, you will notice that in addition to the start permissions (such as S_TCODE), no other authorization objects are added to the PFCG role. The reason for this is that even for customer-specific applications suggestion values must be maintained to ensure that the PFCG role care runs according to the rules and to facilitate the care for you. Up to now, the values of customer-owned applications had to be either manually maintained in the PFCG role, or the suggested values maintenance in the transaction SU24 was performed manually.

A mass rolling out of rolls is a very useful thing. It is also possible to use Excel-based data - as in the case of the outlined application case with eCATT - because it is a one-time action for the roles considered and SAP standard programmes are used in the background. However, ongoing maintenance of the permissions system, with continuous changes to roles and their detail permissions, requires the mapping of much more complex operations. An exclusive control over Office programmes should be well considered. This does not mean, of course, that there are not very good partner products for the care of roles. Simply verify that SAP standard procedures are used and that authorisation is managed in accordance with SAP best practices.

Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.

The website www.sap-corner.de offers many useful information about SAP basis.


WF-BATCH is often associated with the SAP_ALL profile because the exact requirements for the permissions depend on the user's usage.

The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.


In addition, you must note that you may not execute this report on systems that are used as a user source for a Java system.
Zurück zum Seiteninhalt