SAP Authorizations General considerations - SAP Admin

Direkt zum Seiteninhalt
General considerations
Critical authorizations
Users' favourite lists provide valuable information about the transactions they use. With the knowledge of the favourites, you can therefore avoid gaps in your authorisation concept. In the SAP system, each user has the ability to save frequently used functions as their own favourites. In practice, we have found that this feature is very often used by users. If you create a new permission concept, it is useful to include the favourites in the viewing. Because the favourites don't just store used transactions over and over again, but also transactions that users use only occasionally. These occasional transactions could be quickly forgotten when redesigning a eligibility concept. Therefore, we always recommend that you match the transactions you have considered with the favourites stored in your system.

You can use your own authorization objects to develop permission checks to authorise your custom applications or extend default permissions. So far, the maintenance of the authorization objects has been very unmanageable. Authorization objects can be displayed and recreated in the transaction SU21. Creating authorization objects over this transaction has not been very user-friendly. If the input was not done correctly, the dialogue was sometimes not transparent and confusing for the user. The same was true for storing a authorization object. Several pop-up windows indicate further care activities. Another problem is that the proof of use of the authorization object is limited to finding implementations of the authorization object. However, authorization objects are also used in other places, such as suggestion value maintenance and permission maintenance. Another problem is the use of namespaces. For SAPartner who want to maintain their permission checks in their namespaces, the classic name rooms, starting with J, are used up.
Excursus Special feature for authorizations for FIORI Apps under S/4HANA
An essential aspect in the risk assessment of a development system is the type of data available there. Normally, at least a 3-system landscape is used (development, test and production system). One of the purposes of this is to ensure that (possibly external) developers do not have access to productive or production-related data. Since developers with the required developer authorizations have access to all data in all clients of the system concerned, there should be no production-related data in a development system. Even a division into a development and a test client (with the sensitive data) within the system does not protect against unauthorized data access for the reasons mentioned above. In the following, it is assumed that no production-related data exists on the development system. Otherwise, extended authorization checks must be carried out in the modules and access to production-related data must be approved beforehand with respect to the production system by the respective data owners. Since developers, as described, have quasi full authorization through their developer rights, revoking the authorizations listed below can raise the inhibition threshold for performing unauthorized activities, but ultimately cannot prevent them.

Communication users are also intended for use by people who log on to the SAP system from outside via RFC call. Therefore, dialogue is not possible. If the password is set by the administrator, it will be assigned Initial status. However, an RFC call does not prompt the user to change the password. It therefore often retains this status, even if the user has the possibility to change the password by calling a function block (then: Status Productive). The password rules apply to this type of user. However, this is often not noticed in practice, as password rules for initial passwords are less used.

"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.

Some useful tips about SAP basis can be found on www.sap-corner.de.


This increases transparency for you, because all participants can instantly identify which users are editing the role.

So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.


The development systems should also be considered, since here it is possible to influence the productive system via changes to be transported in the development environment and in customizing or via inadequately configured interfaces.
Zurück zum Seiteninhalt