SAP Authorizations Set up permissions to access specific CO-PA measures - SAP Admin

Direkt zum Seiteninhalt
Set up permissions to access specific CO-PA measures
Conclusion and outlook
For performance reasons, the SAP kernel checks whether a user is authorised in the permission buffer. However, only profiles and no roles are loaded into the permission buffer. Calling the SU56 transaction will cause you to parse the permission buffer, first displaying your own user's permission buffer. A pop-up window to change the user or authorization object will appear from the Other User/Permissions Object (F5) menu path. Here you can select the user you want to analyse in the corresponding field. The Permissions > Reset User Buffer path allows you to reload the permission buffer for the displayed user.

In many distributed organisations, the Profit Centre is used to map out the distributed units. However, this was only possible for FI with additional programming. In integrated data flows in SAP ERP, the sending application usually does not check the authorization objects of the receiving application. Financial Accounting (FI) in SAP does not check permissions for cost centres and profit centres. However, depending on the case of use, this may be necessary, e.g. if distributed entities are to operate as small enterprises within the enterprise and only collect and view data for this particular unit at a time. With the introduction of the new general ledger, SAP has technically merged the financial accounting and the profit centre account, so that the question of the inclusion of profit centre allowances in FIs becomes even more important.
Extend permission checks for documents in FI
RFC connections are interfaces for many local and global system processes, but also a security-relevant source of errors for many companies. The RFC interfaces and associated system users often have too strong authorizations and can quickly be misused by unauthorized persons to view sensitive company data. It is therefore important to always keep these system connections in the focus of global monitoring and to check which RFC destinations lead where and what they do. For this purpose there is the program RSRFCCHK which allows you to perform specific tests for your RFC system landscape. On the one hand the content of the RFCDES table is checked and on the other hand the corresponding user properties of the system users are displayed as an overview. Consequently, important parameters such as the target machine, the client, the background user or also the password property can be checked in an overview.

This report not only gives you an overview of the table logging settings in the tables, but also allows you to select multiple tables for logging. The Log flag button allows you to set the table logging check for all previously selected tables. The current status of the table loggers for the tables can be found in the Protocol column. The icon means that the table logger for the selected table is off.

During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.

If you want to get more information about SAP basis, visit the website

In many SAP environments, there are historically grown authorization structures that cause unnecessary security gaps.

The freeware Scribble Papers is a "note box" in which all kinds of data can be stored. It takes in typed texts as well as graphics and entire documents. The data is then organised in folders and pages.

Tables with delivery class C (such as customising, found in column A) are the relevant tables in this context.
Zurück zum Seiteninhalt