Protect Passwords
Goal of an authorization concept
If an authorization system grows too much over the years and there is no structured approach, the result is uncontrolled growth. If companies wait too long with the cleanup, a complete rebuild of the authorization structure or a new concept may make sense. This must be clarified quickly in the event of a cleanup.
In addition, critical commands should be prohibited from the outset. Examples are EXEC SQL, which allows direct access to database tables bypassing certain security mechanisms, and CLIENT SPECIFIED, which allows access to data in other clients.
Maintain authorization objects more easily
The handling of organisational levels in PFCG roles wants to be learned. If these are maintained manually, problems arise when deriving rolls. We will show you how to correct the fields in question. Manually maintained organisational levels (orgons) in PFCG roles cannot be maintained via the Origen button. These organisational levels prevent the inheritance concept from being implemented correctly. You can see that organisational levels have been maintained manually when you enter values via the Ormits button, but the changes are not applied to the authorization object.
However, it is possible to include the same role in several tasks of different operators within each contract. This increases transparency for you, because all participants can instantly identify which users are editing the role. Before you enable the use of the SCC4 transaction setting for role maintenance, you should release existing role transports to avoid recording conflicts. As a rule, you do not choose the setting depending on your role-care processes; So you have to think very carefully about what the activation will do.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
You will then have to limit access to the various departments, for example to the appropriate booking groups, sales organisations or purchasing organisations.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
This advanced functionality of the transaction SU53 is delivered via a patch.