SAP Authorizations Using suggestion values and how to upgrade - SAP Admin

Direkt zum Seiteninhalt
Using suggestion values and how to upgrade
Architecture of authorization concepts
Employees should only be able to access data relevant to their work, country or accounting area in tables? Set up organisational criteria to ensure this. Do you want users to be able to read or maintain specific tables, but only have access to the table contents that are relevant to them? The S_TABU_DIS and S_TABU_NAM permissions objects allow you to access the tables, but if you want a user to see or maintain only parts of the table, these authorization objects will reach their limits.

If such information is available from the past, it should be checked whether all topics have been implemented in accordance with the comments. If one or the other recommendation has not been implemented, this circumstance should in any case be documented in a comprehensible manner, or it should be possible to provide a comprehensible justification. However, it is not sufficient to focus only on the improvement potentials that have been presented, because it must be ensured that all those points that have not been criticized in the past will continue to fit. Preparation is made much more difficult if there are no helpful comments or reports from the previous fiscal year, or if it is a first-time audit or a change of auditor. What all does the IT auditor look at during the annual audit? There are topics that every auditor looks at because there are standards for doing so, however it is common for the auditor to perform additional audit procedures in the IT audit depending on the strategy of the overall audit. In this newsletter we want to focus on the most important standard audit topics on the process level and the IT controls defined therein in the context of the SAP® system.
Use automatic synchronisation in central user management
Running the system trace for permissions gradually for each application server is tedious. We will show you how to record permission checks on multiple servers at the same time. If you want to use the System Trace for permissions in a system with multiple application servers, you should note that the Trace can only log and evaluate data per application server at any time. Therefore, if a permission error occurs, permission administrators must first check which application server the user is logged on to with the permission issue and then start the trace on that application server. We give you a guide to record permissions checks on certain application servers, but we also show you a way to use this feature centrally.

Today we come to the error analysis with authorizations. The best thing that can happen is the error of the type: "I don't have authorization to do this and that!" (CASE1). Worse is the case that someone has too many permissions, i.e. the type: "User xy should not have this permission anymore" (CASE2). How to proceed? First of all we come to case 1 This case, that someone has no authorization for something, supports the system excellently! The code word is SU53! If a transaction encounters an authorization error, then this error is written to a memory area that can be displayed. For this there is once the transaction SU53 or the menu selection "System/Utilities/Anc authorization check". With this function, the system outputs information showing which authorization objects are missing for the user.

For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.

SAP Basis refers to the administration of SAP system that includes activities like installation and configuration, load balancing, and performance of SAP applications running on Java stack and SAP ABAP. This includes the maintenance of different services related to database, operating system, application and web servers in SAP system landscape and stopping and starting the system. Here you can find some useful information about SAP Basis: www.sap-corner.de.


Although a user has been assigned a role with the correct permission data, this user is presented with a permission error due to missing permissions.

So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.


Allows you to explicitly grant access to tables by using the table name.
Zurück zum Seiteninhalt