SAP Authorizations Create order through role-based permissions - SAP Corner

Direkt zum Seiteninhalt
Create order through role-based permissions
Even if key users (department users/application support) do not have to develop their own authorization objects and cooperation with SAP Basis is always advantageous, there are often technical questions such as "Which users have authorization to evaluate a specific cost center or internal order?
You may have special requirements that are necessarily to be included in the naming convention, such as when you define template roles in a template project that can be customised locally. You can identify this in the naming.

Authorizations in SAP systems form the basis for Identity & Access Management. They enable users to access the applications they need to perform their activities. Since functional and organizational requirements are subject to change, SAP authorizations must be regularly checked and reworked. This is the only way to ensure that processes are mapped securely and completely correctly from a technical point of view.
Solution approaches for efficient authorizations
From the result of the statistical usage data, you can see which transactions (ENTRY_ID) were used, how often (COUNTER), and how many different users. There are various indications from this information. For example, transactions that were used only once by a user within 12 months could indicate a very privileged user, or inadvertently invoking a transaction for which a user has permissions. The future assignment of such transactions in the SAP role concept should then be critically questioned. In contrast, you should consider transactions with a high level of usage and a large user circle (e.g. with more than ten users) in an SAP role concept.

You will also notice that many tables have the table permission group &NC& assigned to them, and therefore differentiation over table permission groups over the S_TABU_DIS authorization object would not work at all. Furthermore, you cannot assign permissions to only individual tables in a table permission group using S_TABU_DIS. In such cases, the investigation shall continue: If the permission check on the S_TABU_DIS authorization object fails, the S_TABU_NAM authorization object is checked next. Allows you to explicitly grant access to tables by using the table name.

Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.

However, our experience from customer projects shows that only very few authorization administrators know how to correctly authorize the scenarios.

You can also find some useful tips from practice on the subject of SAP authorizations on the page

You should not overestimate the often demanded freedom of redundancy.
SAP Corner
Zurück zum Seiteninhalt