Understanding SAP HANA Permissions Tests
Check for permissions on the old user group when assigning a new user group to a user
Remove improperly defined SAP Orgebene ($CLASS): This function deletes the $CLASS organisational level that was incorrectly delivered with the GRCPlug-in (Governance, Risk and Compliance). Use the test mode of the report to look at possible corrections in advance.
An SAP authorization concept is used to map relevant legal standards and internal company regulations to the technical protection options within an SAP system. Authorization concepts are thus the key to optimal protection of your system - both externally and internally.
Full verification of user group permissions when creating the user
If the FIORI interface is then used under SAP S/4HANA, the additional components must also be taken into account here. Authorizations are no longer made available to the user via "transaction entries" in the menu of a role. Instead, catalogs and groups are now used here. These are stored similar to the "transaction entries" in the menu of a role and assigned to the user. However, these catalogs must first be filled with corresponding tiles in the so-called "Launchpad Designer". It is important to ensure that all relevant components (tile component and target assignment component(s)) are always stored in the catalog. The FIORI catalog is used to provide a user with technical access to a tile. A corresponding FIORI group is used to make these tiles visually available to the user for access in the Launchpad.
You have an organizational structure that includes 4 hierarchical levels - authority, department, unit, functional area). The authorization concept in your organization states that access (processing) to Records Management objects should be allowed for an employee only within his/her own organizational unit. However, the authorization check should only take place on three levels. So if a unit is subdivided into further functional areas, all employees of the unit and the functional areas should have the same authorizations. Since department 2 and department 3 work very closely together, employees of department 2 should be able to read all files, transactions and documents of department 3 and vice versa.
Authorizations can also be assigned via "Shortcut for SAP systems".
Logical databases (e.g. SAPDBADA, SAPDBBRF) are basic data selection programmes and are particularly used in financial accounting.
At www.sap-corner.de you will also find a lot of useful information on the subject of SAP authorizations.
However, the underlying conceptual permissions (who is allowed to do what within the functionality of the tile) follows the same processes as in the "old world" for transaction access.