SAP Authorizations Note the effect of user types on password rules - SAP Admin

Direkt zum Seiteninhalt
Note the effect of user types on password rules
Check and refresh the permission buffer
In principle, the SAP_NEW permission should not be granted in the production system. The Profiles tab displays the generated profiles in the user master record that are associated with a specific user. Here you can also assign manually created permission profiles from the transaction SU02 - even without direct role mapping. In principle, the recommendation is to use the profile generator (transaction PFCG) to generate authorisation profiles automatically. Special caution is taken when you enter generated permission profiles directly on the Profiles tab, as these assignments will be deleted by matching user assignments with the transaction PFUD if no entry is on the Roles tab for the assignment. You have probably assigned SAP_ALL and SAP_NEW to users for whom there should be no restrictions in the SAP system. But what are these two profiles different from each other and why are they necessary?

For these scenarios, there are several ways to determine which systems and clients to display to the user in the self-service selection. We therefore describe a possibility that you can use in all scenarios. To do this, use the BAPI BAPI_USER_GET_DETAIL, which you must call for the SAP User ID on all relevant systems. Check the entry for the RETURN table parameter first. If the entry is empty, the user is present in the SAPS system. Any error messages during the call are displayed in this parameter (e.g. if the user is not present). If the PROFILES or ACTIVITYGROUPS table parameters have entries, permissions in this system are assigned to the user. In addition, you can use the REF_USER export parameter to identify a reference user that is associated with it. However, you must also check that it has permissions. You can also determine if a lock exists when you call the BAPI BAPI_USER_GET_DETAIL. To do this, use the ISLOCKED export parameter, which returns a four-character combination of the L (locked) and U (not locked) characters.
ICS for business processes in SAP systems
If an authorization system grows too much over the years and there is no structured approach, the result is uncontrolled growth. If companies wait too long with the cleanup, a complete rebuild of the authorization structure or a new concept may make sense. This must be clarified quickly in the event of a cleanup.

You noticed that the maintenance status of the permissions in PFCG roles changes when you maintain, change, or manually add authorization objects? Find out what the permission status is. When deleting or adding transactions in the role menu of PFCG roles, the respective permissions in the PFCG role have the Maintenance Status Standard. Add or change the permissions, the Maintenance Status changes to either Care or Changed. You may have seen the Maintenance Status Manual before. What are the background to this maintenance status and what do they actually say?

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page www.sap-corner.de you will find useful information on this topic.


The RFC interfaces and associated system users often have too strong authorizations and can quickly be misused by unauthorized persons to view sensitive company data.

A note box in which data of all kinds can be quickly filed and retrieved. This is what Scribble Papers promises. At first, the program looks very spartan. But once a small structure is in place, you realise the great flexibility of this little helper.


This means that the end user no longer needs the permissions to run these transaction codes from the S_TCODE authorization object.
Zurück zum Seiteninhalt