SAP Authorization Trace - Simple Overview of Authorizations
Maintain derived roles
You can automate the translation of the texts by using the LSMW transaction. This transaction is intended for migration tasks, but is also very well suited to allow a particular transaction to be repeated and automated. You record the execution of a transaction and get the variables of the text blocks (technical role name, role description, etc.). You can add values from an import file based on Microsoft Excel to each flow loop. For example, the Excel file contains a table with the columns Technical role name, description German, description English. The LSMW script works through the import file line by line and thus role by role.
With "SIVIS as a Service" we present you the best solution for central user and authorization management in SAP. This replaces and protects you from the development end of your central user administration (SAP ZBV). SIVIS offers over 20 functions that you can flexibly combine (SaaS model), e.g. over 1,000 role templates for S/4HANA! This means that a new authorization concept can be quickly implemented! The encrypted connection to your SAP systems enables secure distribution of all changes made in the SAP standard.
Transports
Increasingly, it is possible to make use of automation in the security environment. Although these are not yet used by many companies, they are the next step in digital transformation. By using automation intelligently, companies can free up resources for the innovation topics that really matter. In the future, we can expect both the number and power of automation tools to increase. It is therefore only a matter of time before SAP itself also delivers optimized support in the form of tools as standard.
The object S_PROGRAM checks since SAP Release 2.x for the field TRDIR-SECU i.e. the authorization group of the program. As of Release 7.40, you can optionally switch on a check for the object S_PROGNAM. For more information, see note 2272827 for further instructions. The check on S_PROGNAM MUST first be activated in the customer system. Note, however, that they CORRECTLY authorize S_PROGNAM before doing so, otherwise NOBODY except emergency users will be able to start any report or report transaction after the SACF scenario is activated.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
Learn how to define these requirements globally, which special characters are accepted by the SAP standard, and how to set the parameters for generated passwords.
If you want to know more about SAP authorizations, visit the website www.sap-corner.de.
If customers are developing systems that supply other system landscapes than your system landscape and require different SU24 suggestion values per system, the proposed values in transaction SU22 will be maintained.