SAP Authorizations User Management - SAP Corner

Direkt zum Seiteninhalt
User Management
Excursus Special feature for authorizations for FIORI Apps under S/4HANA
No matter what the reason, it is quickly said that a new authorization concept is needed. But this is not always the case. And if it is, the question is which authorization concept in SAP HCM is the right one. Yes, exactly which concept, because in SAP HCM there are three ways to implement an authorization concept.

SAP_AUDITOR_TAX Collector Role: The SAP_AUDITOR_TAX collection role is made up of module-specific individual rolls and can be seen as a proposal for the read-only role of the tax inspectors (see SAP Note 445148 for details on this role). The transactions and reports included in the SAP_AUDITOR_TAX collection role have been expanded to include additional checks that define the audit period. Some of the transactions and reports included in the SAP_AUDITOR_TAX collection role have also been expanded to include a logging of the call parameters to allow the taxpayer to better understand the auditor's audit trades.
Lack of definition of an internal control system (ICS)
Which authorization objects are checked (SU22)? When calling a transaction, such as the ME23N, various authorization objects are checked. You can get an overview as follows: Call transaction SU22 (SAP tables) or SU24 (customer tables), enter e.g. "ME23N" in "Transaction code" and execute the transaction. As a result you will see all authorization objects that are checked when calling transaction ME23N.

The best way for companies to combat historically grown uncontrolled growth in authorizations is to prevent it. An analysis of whether the current authorization concept is sufficient for the company helps here.

For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.

If your user is assigned the privilege ROLE ADMIN (either directly or through a role), you can create your own roles and assign them to users.

The website www.sap-corner.de offers a lot of useful information about SAP authorizations.


The dialogue user is therefore the most frequently used user type.
SAP Corner
Zurück zum Seiteninhalt