SAP Authorizations Efficient SAP rollout through central, tool-supported management - SAP Admin

Direkt zum Seiteninhalt
Efficient SAP rollout through central, tool-supported management
Application Permissions
In line with the maintenance of the SAP transaction permissions proposal values using the SU22 and SU24 transactions, it is advisable to maintain proposed values for web applications. In order for a user to be assigned a suitable rating for an operational feature set in the Web application, the software developers in the transaction SU22 must connect all the authorization objects required for this application to the corresponding Web Dynpro application, i.e. not just S_START. The source of the required authorization objects is usually a developer or permission trace.

Now, if you want to use the debugger, you can set a Session Breakpoint directly from the source code via the button. Once you call the application and reach the relevant point in your code, the debugger starts and you can move through the programme step by step. Make sure to set external breakpoints via the button if you are calling your application via the browser rather than via SAP GUI.
General considerations
Different organisational fields are used in each module. Since there are many interfaces between the modules, the main organisational fields of the modules must be linked. However, there are also organisational fields that are only relevant for the respective module. All object fields used as organisational units are listed in the USORG table. You can call this table through the SE16 transaction. Alternatively, in the selection screen of the AGR_1252 table, the value help of the VARBL field also shows the corresponding name for the respective organisation fields.

Eligibility objects that were visible in the permission trace are quickly inserted in rolls. But are they really necessary? Are these possibly even critical permissions? A review of the Permissions Concept can reveal that critical permissions are in your end-user roles. We would like to give you some examples of critical permissions in this tip. It is helpful to know which authorization objects are covered by the critical permissions. They must also ask themselves whether the granting of these allowances entails risks.

Authorizations can also be assigned via "Shortcut for SAP systems".

If you want to get more information about SAP basis, visit the website www.sap-corner.de.


For example, if your administrator should not be able to access all tables associated with the SC table permission group, but only the USR02 table, do not grant permissions to the SC table permission group through S_TABU_DIS, but the S_TABU_NAM authorization object will be shaped as follows: ACTVT: 03 / TABLE: USR02.

So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.


In addition to the settings described in Tip 26, you should also adjust the retention time for the RFC Client Profile (WO), RFC Client Destination Profile (WP), RFC Server Profile (WQ), and RFC Server Destination Profile (WR) task types using the SWNCCOLLPARREO Care View.
Zurück zum Seiteninhalt