SAP S/4HANA® migration audit
PROGRAM START IN BATCH
Object Privileges: Object Privileges are SQL permissions that control access to and modification of database objects (as a whole). The type of object (table, view, procedure) determines which database operations can be authorised. Database operations include SELECT, UPDATE, ALTER, DROP, and DEBUG.
If you do not see the Expert Mode button for step 2 in the SU25 transaction, check whether you can call the expert mode from the SU24 transaction by clicking the Sample Value Match button. In this view, it is possible to select the proposed values to be matched by specific selections, so that not all proposed values are used for matching. In the first selection, you can choose the data to take. You can select here whether only SAP standard applications or customer or partner applications should be considered. You can still limit the selection by type of application, package, or component shortcut in the Other Constraints pane. In the Application Search pane, you can also limit the SU22 data to an upload file, transport jobs, or role menus.
Challenges in authorization management
The SAP administrator uses the concept to assign users their dedicated authorizations. Behind these is a checking mechanism based on so-called authorization objects, by which the objects or transactions are protected. An authorization object can comprise up to ten authorization fields. This allows complex authorization checks that are bound to several conditions.
The authorisation concept in SAP ERP does not normally allow to limit permissions to individual financial years. However, this is particularly relevant for tax audits. As of 1 January 2002, the electronic tax audit was enshrined in law in § 147 (6) of the German Tax Code. The opinion of the Finance Administration is in the BMF letter of 16.07.2001 (BStBl. 2001 I)"Principles on data access and the verifiability of digital documents"(GDPdU). The electronic control check can be performed in Germany on three types of access: Immediate access: The tax authority shall have the right to inspect the stored data (read-only access) and to use the taxpayer's hardware and software to verify the data, including the master data and links. Mean Access: The tax authority may require the taxable person to perform the read-only processing of the data in accordance with its specifications. Volume Release: Alternatively, the tax administration may require the taxable person to have the stored documents available to it for evaluation on a machine-usable medium.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
Repair defective field list in SU24 suggestion values: This function verifies that all the authorization objects used in the permission proposals are consistent, that is, fit to the authorization object definitions from transaction SU21.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
Volume Release: Alternatively, the tax administration may require the taxable person to have the stored documents available to it for evaluation on a machine-usable medium.