SAP Authorizations Restrict Application Server Login - SAP Admin

Direkt zum Seiteninhalt
Restrict Application Server Login
Extend permission checks for documents in FI
In addition to your custom authorization objects, you must also express the other relevant CO-PA authorization objects in your users' permissions. As a rule, you must limit access to the result reports of the K_KEB_REP object to the result area and the report name, and limit the functions of the information system in the K_KEB_TC object, such as executing or updating reports. You also need permissions to maintain the authorization objects in customising the result and market segment calculations. To do this, assign permissions to the K_KEPL_BER object. In the CERKRS field, define the result area for which authorization objects are created, and in the ACTVT field, define the activity, where the action 02 is Create and Modify.

You should then enable the latest version of the hash algorithms by setting the login/password_downwards_compatibility profile parameter to 0. This is required because SAP systems maintain backward compatibility by default. This means that, depending on your base release, either the new hash algorithms will not be used when storing passwords, or additional outdated hash values of passwords will be stored. You should then check to see if there are any old hash values for passwords in your system and delete them if necessary. Use the report CLEANUP_PASSWORD_HASH_VALUES.
Check for permissions on the old user group when assigning a new user group to a user
Since the role menu has been adjusted, the PFCG role must now also be adjusted. To do this, go to the Permissions tab and select the Change Permissions Data button. If you are using Expert mode, make sure that the Alten Stand default is read and match with new data. Now the new suggested values for this external service are loaded. After you have maintained the PFCG role, you can generate the profile and insert it immediately.

However, it is possible to include the same role in several tasks of different operators within each contract. This increases transparency for you, because all participants can instantly identify which users are editing the role. Before you enable the use of the SCC4 transaction setting for role maintenance, you should release existing role transports to avoid recording conflicts. As a rule, you do not choose the setting depending on your role-care processes; So you have to think very carefully about what the activation will do.

For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.

Some useful tips about SAP basis can be found on www.sap-corner.de.


With Managed Services, you receive professional management and improvement of your SAP authorizations.

A note box in which data of all kinds can be quickly filed and retrieved. This is what Scribble Papers promises. At first, the program looks very spartan. But once a small structure is in place, you realise the great flexibility of this little helper.


To implement your own permission checks, it may be helpful to see how such checks have been implemented in the SAP standard.
Zurück zum Seiteninhalt