SAP Authorizations Retain the values of the permission trace to the role menu - SAP Admin

Direkt zum Seiteninhalt
Retain the values of the permission trace to the role menu
SAP Authorizations - A Common Perspective of Developers and Consultants
In order to sustainably guarantee the security of the SAP system internally and externally, regular auditing is indispensable. Existing rule violations must be detected and corrected. In addition, it is important to document the regular operation of SAP in order to have evidence of this for external and internal requirements. Automated processes can save a lot of time and money.

Suggested values are maintained in the transaction SU24 and delivered through the transaction SU22. Read more about the differences between these two transactions. Maintaining suggestion values via the SU24 transaction is useful if you want to reflect your own requirements or if the values provided by SAP do not meet customer requirements (see Tip 37, "Making sense in maintaining suggestion values"). These proposed values form the basis for the role maintenance credentials in the PFCG transaction. As you know, the suggested values provided by SAP are in the transaction SU22, which are delivered during reinstallation or upgrades as well as in support packages or SAP hints. What is the difference between transactions and how are they used correctly?
Goal of an authorization concept
With the help of the SAP-Note 1642106 it is possible to automatically perform the text comparison from SAP NetWeaver AS ABAP 7.0. Inserting the note will automatically perform text matching for any changes to PFCG roles in the central system. We recommend that you install the support package that is appropriate for your release, which is specified in the SAP Note, because inserting the hint requires a lot of manual work. With the help of the SUSR_ZBV_GET_RECEIVER_PROFILES report, you can turn on the new functionality in all subsidiary systems where the correction information has also been recorded. If you run the report in the central system with the default selection, all subsidiary systems are included. You can check whether the function is present in the daughter systems in the report log.

No more users can be created, maintained or deleted without the assignment of a valid user group. If a user group is not assigned when a user is created, the user is automatically assigned the default user group. Before you set the USER_GRP_REQUIRED switch, a user group must have been assigned to each existing user and the administrators must have the permissions for the default user group. When creating a new user, the default user group will be used as pre-occupancy; this user group can be overridden by setting another user group in the S_USER_GRP_DEFAULT user parameter for each user administrator. The customising switch requires a valid user group, because it is used as the default user group. If a valid user group has not been entered in the customising switch, the user group is nevertheless a mandatory field. This will lead to errors in automated user creation.

"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.

SAP Basis refers to the administration of SAP system that includes activities like installation and configuration, load balancing, and performance of SAP applications running on Java stack and SAP ABAP. This includes the maintenance of different services related to database, operating system, application and web servers in SAP system landscape and stopping and starting the system. Here you can find some useful information about SAP Basis: www.sap-corner.de.


Add SAP Note 1695113 to your system.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.


In customising, different organisational values are stored for the individual ERP components to enable an organisational mapping of the root and movement data.
Zurück zum Seiteninhalt