SAP Authorizations SAP systems: Control user authorizations with a concept - SAP Admin

Direkt zum Seiteninhalt
SAP systems: Control user authorizations with a concept
If you have created your own applications, we recommend that you always implement your own permission check and do not just rely on application startup permissions such as S_TCODE, S_START, S_SERVICE, and S_RFC. If you want to add your own checks to standard applications, you must first find the appropriate place to implement the check. To develop without modification, SAP offers user-exits or business add-ins (BAdIs) for such cases. Some SAP applications also have their own frameworks in place that allow customisation-free implementation of their own permission checks, such as the Access Control Engine (ACE) in SAP CRM.

In general, you should note that not all relevant change documents of a system are present in the user and permission management. As a rule, authorisation administration takes place in the development system; Therefore, the relevant proof of amendment of the authorisation management is produced in the development systems. By contrast, you will find the relevant user administration change documents in the production systems; Therefore, you should note that when importing roles and profiles in the production systems, no change documents are written. Only transport logs are generated that indicate that changes have been made to the objects. For this reason, the supporting documents of the development systems' authorisation management are relevant for revision and should be secured accordingly.
Limitations of authorization tools
However, the preferred and more comprehensive variant of a programmatic permission check is the use of the AUTHORITY_CHECK_TCODE function block. This function block not only responds to a missing permission when the programme starts, but can also specify that only the NO-CHECK check marks maintained in the transaction SE97 allow external calling from another transaction context. This is determined by the function block and not by the developer.

Note that the S_TCODE authorization object is always filled with the current transactions from the roles menu. If organisational levels are also included that are no longer required, they will be automatically deleted. If, however, organisational levels are added depending on the transaction, they should be maintained first in the eligibility maintenance.

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page you will find useful information on this topic.

To avoid this, we want to give you a suitable tool.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.

Some queries are also a bit complicated with the SUIM transaction.
Zurück zum Seiteninhalt