The Anatomy of SAP Authorization or Documentation on SAP Authorization Objects and Authorization Field Values
Organisational allocation
In the area of group consolidation, an authorization concept ensures that no data can be deliberately manipulated, for example to change balance sheets. This can prevent significant financial or reputational damage to banks and stakeholders. Furthermore, access to financial data of subdivisions of a group, such as individual business units or companies, must be restricted to those employees who are allowed to access it because their current activities require it. As a result, a controller of a business unit, for example, can only view the consolidated figures of his business unit, but not the figures of the entire group. Further authorization roles are required, for example, for external auditors. These auditors check all the figures for the entire group, but may only have read access to this data.
This report checks the customising of the CRM business role for which the PFCG role is to be created, and writes all area start pages and logical links to a text file in the form of external services. This text file is stored locally in the SAP folder under c:/User//SAP. On the Menu tab of the PFCG role, you can upload this text file from File by selecting Menu > Import.
In-house role maintenance
After you have completed the development of the User-Exit, you still need to transport your validation. To do this, navigate back and highlight the validation you have created. You can now include the objects in a transport order using the Validation > Transport menu path. Finally, you need to activate your validation via the OB28 transaction. Please note that this is only possible for one validation (with several steps if necessary) per booking circle and time. Now your validation will be carried out with additional checks during the document booking via an interface.
Likewise, in addition to a statutory publication of the balance sheet and P&L (profit and loss) statement, internal evaluations can also be created. SAP FI has direct interfaces to other modules, such as HR or SD. For the Internet release of reports, it is necessary that an authorization group has been maintained for the respective report.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
For a first overview of the security information for SAP systems, see the SAP Service Marketplace at https://service.sap.com/securitynotes.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
We recommend you to transport all these changes.