ICS for business processes in SAP systems
Advantages of authorization tools
If you manage your SAP system landscape via the Central User Administration (ZBV), you must insert SAP Note 1663177 into both the ZBV system and all attached subsidiary systems. In this case, also note that the default user group will be assigned in the daughter systems if no user group has been distributed during the user's installation from the ZBV. In addition, you will receive an error message in the SCUL transaction stating that a user group must be assigned to the user (via the ZBV headquarters). This behaviour is independent of the settings of the distribution parameters for the user group in the SCUM transaction. If you have set the distribution parameters for the user group to Global or Redistribution, the appropriate subsidiary system will reject the changes made to users that do not have a user group in the Central System, and you will receive an error message in the SCUL transaction.
In addition, you can also define customised permission checks in the SOS and also define combinations of authorization objects and their values. You can create up to 1,000 custom permissions checks in the Check ID namespace 9000 to 9999. You can also redefine whitelists for these permission checks, which apply to either individual or all of the customer's permission checks. The configuration is described in SAP Note 837490.
Dialogue user
If the system trace has recorded permission data for this authorization object, it will appear in the right pane of the window. In the left pane, you can see the existing suggestion values. If you notice that you do not have any suggestion values that you think are necessary and have been recorded by the trace, you can set the suggestion values to Yes by selecting the appropriate row, column or field in the right pane and clicking the Apply button. You are free to make any manual adjustments to the field values. Afterwards, confirm maintenance and your changes are saved for this authorization object. Do the same for all other authorization objects.
SOS reports can be very comprehensive. In particular, if the Whitelists are not yet maintained, reporting volumes of up to 200 pages are not uncommon. Do not be discouraged in such a case, but start by cleaning up a manageable amount of critical SOS results. You can then edit the further results in several rounds. The AGS recommends which critical SOS results you should consider first; You can find these in the AGS Security Services Master slide set in the SAP Service Marketplace Media Library.
Authorizations can also be assigned via "Shortcut for SAP systems".
However, authorization objects are also used in other places, such as suggestion value maintenance and permission maintenance.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
The procedure for this is described in detail in our Tip 39, "Maintain suggestion values by using trace evaluations".