Authorizations in SAP BW, HANA and BW/4HANA
Managed Services
Depending on the configuration of root data and processes, different permission checks can be relevant, so that it makes sense to adjust the proposed values. If custom applications have been created in the form of Z-transactions, Web-Dynpro applications, or external services, you must maintain suggestion values for these applications to avoid having manual permissions in the PFCG roles. You must ensure that custom applications are not always visible in the SU24 transaction. This is the case for TADIR services and external services. To learn how to make these services available for suggestion maintenance, see Tip 38, "Use the SU22 and SU24 transactions correctly.".
Finally, you must evaluate and implement the results of the preparatory work. The overview allows you to determine which user needs which function groups or function blocks and to set up the permission roles accordingly. You can exclude calls to Destination NONE from your evaluation because these calls are always internal calls to RFC function blocks. In this context, we recommend that you check the mappings for critical function blocks or functional groups.
Archive change document management for user and permission management
HR authorizations are a very critical issue in many companies. On the one hand, HR administrators should be able to perform their tasks - on the other hand, the protection of employees' personal data must be ensured. Any error in the authorization system falls within the remit of a company's data protection officer.
Which authorization data does a role have (PFCG)? Again, start the transaction PFCG and display a role. Then branch to the tab Authorizations and click on the button with the "glasses" (bottom left): Display authorization data.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
To enable this change in system behaviour, you must set the CLIENT_SET_FOR_ROLES customising switch to YES in the PRGN_CUST table.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
The following listing shows an example of a permission check that ensures that the logged-in user has the permission to start the SU24 transaction.