Displaying sensitive data
Authorizations in SAP systems: what admins should look out for
Organisation levels ensure more efficient maintenance of the eligibility roles. You maintain them once in the transaction PFCG via the button Origen. The values for each entry in this field are entered in the permissions of the role. This means that you can only enter the same values for the organisation level field within a role. If you change the values of the individual fields in the authorization objects independently of the overarching care, you will receive a warning message that you will no longer be able to change this field by clicking the Ormits button and that this individual value will be overwritten when you adjust derived roles. Therefore, we strongly advise you not to carry out individual maintenance of the organisation level fields. If you adhere to this advice, as described above, there can always be only one value range for an organisation level field. For example, the combination of displaying all posting circuits and changing a single posting circle within a role cannot be implemented. Of course, this has implications if you want to upgrade a field to the organisation level. A field that has not previously served as an organisational level can include such entries with different values within a role. You must clean up these entries before you declare a field as an organisation level. In addition, the definition of a field as an organisational level also affects the proposed permissions values of the profile generator.
In many SAP environments, there are historically grown authorization structures that cause unnecessary security gaps. These should be examined closely.
SU2X_CHECK_CONSISTENCY & SU24_AUTO_REPAIR
If you want to understand how to run a permission check in your code, you can use the debugger to move through the permission check step by step. To implement your own permission checks, it may be helpful to see how such checks have been implemented in the SAP standard. In this tip, we show you how to view the source code of permission checks using the debugger in the programme, or how to get to the code locations where the permission checks are implemented.
Permissions must be maintained in every SAP system - a task that becomes more difficult the more complex the system landscapes and the greater the number of users. Especially in growing system landscapes, once defined concepts no longer fit the current requirements or the processes in role and authorisation management become more and more complex and cumbersome over time.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
To do this, administrators should obtain an overview and the assigned authorizations should be checked regularly.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
Users can make requests for SAP systems themselves.