SAP Authorizations Reference User - SAP Admin

Direkt zum Seiteninhalt
Reference User
Deletion of change documents
In order to provide user authorisation support, you often need their information. However, there is also the possibility to view missing permissions centrally for all users. If a user has a permission issue, a ticket is usually displayed at support. However, it is difficult for a support worker to understand permissions errors because they have different permissions and are often missing detailed information about the application where the permission error occurred. In practice, therefore, support staff often help themselves by asking the user to send a screenshot of the transaction SU53. Because this transaction shows the last failed permission check. In many cases, however, the information displayed there is not helpful to the permission administrator. You may have seen that a screenshot from the SU53 transaction shows a missing permission for typical base authorization objects, such as S_ADMI_FCD, S_CTS_ADMI, or S_TRANSLAT, but you know that your check has nothing to do with the actual permissions problem in the application. So you need the opportunity to see for yourself.

In the SAP system, passwords are locked when the maximum number of allowed password login errors is reached. This counter is reset with a password each time you successfully log in. In addition, an initial password can be locked when its validity has expired. Both the validity of the initial password and the maximum value for password login errors are set using profile parameters. For details, see Tip 4, "Set password parameters and valid passwords characters". A password lock only prevents a user from logging in via his password, because the number of errors is only evaluated if the login is done by password. If a login is now made via other authentication methods (such as SSO), these are not affected by the password lock. This also applies to internal expiration procedures (such as background jobs) because you do not need to register a password. This prevents, for example, denial-of-service attacks, which first cause a password to be locked in order to block internal processes. Eine Ausnahme von dieser Regel gibt es allerdings: Auch wenn andere Authentifizierungsverfahren genutzt werden, prüft das System, ob der Benutzer dazu in der Lage ist, sich mit einem Passwort anzumelden. Wenn dies der Fall ist und das Passwort gerade geändert werden muss, wird diese Änderung vom Benutzer abgefragt. Diese Abfrage können Sie aber auch mithilfe des Profilparameters login/password_change_for_SSO ausschalten.
Maintaining Authorization Objects (Transaction SU21)
When you start a report with the ABAP statement SUBMIT REPORT, the system checks the authorization object S_PROGRAM, provided that the program has been assigned to a program authorization group in transaction SE38. If this assignment is not sufficient for your system environment, you can define your own group assignment with the report RSCSAUTH. You must check this assignment after installing Support Packages or upgrades and reassign the reports if necessary.

Authorization: An authorization allows a user to perform a specific activity in the SAP system based on a set of authorization object field values. Authorizations allow users to perform actions within the system.

"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.

On www.sap-corner.de you will also find useful information about SAP basis.


In this tip, we will show you how to use PFCG roles to control the design of the NWBC user interface.

The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.


Confidential information from your SAP system can also be sent by email.
Zurück zum Seiteninhalt